Limiting a user to a specific realm

Lisa Casey lisa at jellico.com
Mon Aug 18 18:42:37 CEST 2008


Hi Folks,

I know there's an easy way to do this, but I've googled a bit this morning 
and can't quite figure it out.

We are running Freeradius with a users file (no database). I have several 
realms defined, each with a fallthrough like so:

DEFAULT Realm == realm1.com
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-Compression = None,
        Framed-MTU = 1500,
        Fall-Through = 1

DEFAULT Realm == realm2.com
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-Compression = None,
        Framed-MTU = 1500,
        Fall-Through = 1


DEFAULT Realm == realm3.com
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-Compression = None,
        Framed-MTU = 1500,
        Fall-Through = 1

I also have these 3 realms defined in the realms file. The way things are 
set up now, username bob could log in as bob@realm1.com or bob@realm2.com or
bob@realm3.com and as long as bob supplied the correct password he would be 
granted access and that's been fine up until now.

What I'd like to do is to fix it so that only certain usernames could log 
on as username@realm3.com (leave realm1.com and realm2.com as they are). So 
anyone with a correct username/password could log in using realm1.com or 
realm2.com but only bob, jane and alex could log in with realm3.com.

I suppose I could add an entry in my users file as so:

bob Realm == realm3.com, Auth-Type = Local, Password == xxxxx
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-Compression = None,
        Framed-MTU = 1500

Would that work? How would I define realm3.com earlier in my users file? 
Would this work or is there a better way?

Thanks,

Lisa Casey
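As an added illustration (not code from the post, the list, or FreeRADIUS itself), the following Python model walks a users file the way rlm_files does: entries are tried top to bottom, one applies when its name is DEFAULT or the stripped user name and all check items pass, reply items accumulate, and matching stops unless the entry has Fall-Through = 1. It assumes the realm module has already set Realm and Stripped-User-Name, that per-user passwords are stored as Cleartext-Password entries (the post does not show them), and uses a constructed users file; the point it shows is that a per-user realm3.com entry alone leaves the realm3.com DEFAULT open to every valid user, whereas a leading DEFAULT entry with `Stripped-User-Name !~ "^(bob|jane|alex)$", Auth-Type := Reject` and no Fall-Through closes it.

```python
import re
OPS = ("==", ":=", "!~", "=~", "=")  # longest first so "==" is not read as "="

def parse_item(item):  # "Attr op value" -> (attr, op, value without quotes)
    op = next(o for o in OPS if o in item)
    attr, val = item.split(op, 1)
    return attr.strip(), op, val.strip().strip('"')

def parse_users(text):  # users-file subset: 'name check, ...' header, indented reply lines
    entries = []
    for line in filter(str.strip, text.splitlines()):
        name, rest = ("", line) if line[0].isspace() else (line.split(None, 1) + [""])[:2]
        items = [parse_item(i) for i in rest.split(",") if i.strip()]
        if name:
            entries.append({"name": name, "check": items, "reply": []})
        else:
            entries[-1]["reply"] += items
    return entries

def check_ok(op, have, want):  # ":=" and "=" assign control items and never fail
    if op in (":=", "="): return True
    if op == "==": return have == want
    return have is not None and (re.search(want, have) is not None) == (op == "=~")

def authorize(entries, request):
    # Model of rlm_files: first entry whose name (DEFAULT or the stripped user name) and
    # check items all match applies; reply items accumulate; stop unless Fall-Through = 1.
    key = request.get("Stripped-User-Name", request.get("User-Name"))
    control, reply = {}, {}
    for e in entries:
        if e["name"] in ("DEFAULT", key) and all(check_ok(op, request.get(a), v) for a, op, v in e["check"]):
            control.update((a, v) for a, op, v in e["check"] if op in (":=", "="))
            reply.update((a, v) for a, _, v in e["reply"])
            if reply.pop("Fall-Through", "0") != "1":
                break
    if control.get("Auth-Type") == "Reject":
        return False, reply
    pw = control.get("Cleartext-Password")
    return pw is not None and pw == request.get("User-Password"), reply

# Constructed users file shaped like the post; the per-user password entries are assumed.
USERS = """\
DEFAULT Realm == realm3.com
        Service-Type = Framed-User, Framed-Protocol = PPP, Fall-Through = 1
bob     Cleartext-Password := "bobpw"
carol   Cleartext-Password := "carolpw"
"""
# Deny-by-default entry for realm3.com: placed first, no Fall-Through, so anyone not listed stops here.
RESTRICTED = """\
DEFAULT Realm == realm3.com, Stripped-User-Name !~ "^(bob|jane|alex)$", Auth-Type := Reject
        Reply-Message = "realm3.com is restricted"
""" + USERS
```

With USERS alone, carol@realm3.com is accepted; with RESTRICTED, carol is rejected with the Reply-Message while bob still gets the Framed reply items and carol@realm1.com is unaffected.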