radius for linux authentication

Fajar A. Nugraha fajar at fajar.net
Thu Feb 11 12:34:18 CET 2010


On Thu, Feb 11, 2010 at 5:20 PM,  <sri.b at aol.in> wrote:
> Now the problem is how to identify a user like root have same name on
> multiple machines.
> For this I observed that this PAM library is sending
> Calling-Station-Id in Access-Request packets.
> I did modify my radcheck table to have entires as following:
> +----+-----------+--------------------+----+----------------+
> | id | UserName  | Attribute          | op | Value          |
> +----+-----------+--------------------+----+----------------+
> |  1 | linuxuser | Password           | == | radpwd         |
> | 12 | root      | Calling-Station-Id | == | 192.168.100.61 |
> | 11 | root      | Password           | == | 10radpwd       |
> | 10 | root      | Password           | == | 61radpwd       |
> | 13 | root      | Calling-Station-Id | == | 192.168.70.10  |
> +----+-----------+--------------------+----+----------------+
>
> But it failed to authenticate.

That won't work. You're NOT supposed to have different passwords for
the same user name.
When using a centralized authentication (radius, LDAP, Active
Directory, whatever), a user will use the same password regardless of
other attributes (like Calling-Station-Id).



That being said, freeradius is highly customizable. You could, for
example, use unlang to modify the username to become
"root at 192.168.100.10". See
http://lists.freeradius.org/pipermail/freeradius-users/2010-January/msg00389.html
and http://lists.freeradius.org/pipermail/freeradius-users/2010-January/msg00468.html
for example. It does the reverse of what you're trying to do, but you
can look at the example to see how you could modify the value of
User-Name in the request attributes.

Another approach would be to use a custom user table (adding another
column, CallingStationId), plus modify queries in dialup.conf so it
says "WHERE username = '%{SQL-User-Name}' AND
CallingStationId='%{Calling-Station-Id}'" instead of just "WHERE
username = '%{SQL-User-Name}' ". Your table would then look something
like this

 +----+-----------+--------------------+----+----------------+------------------+
 | id | UserName  | Attribute          | op | Value          | CallingStationId |
 +----+-----------+--------------------+----+----------------+------------------+
 | 11 | root      | Password           | == | 10radpwd       | 192.168.100.10   |
 | 10 | root      | Password           | == | 61radpwd       | 192.168.100.61   |
 +----+-----------+--------------------+----+----------------+------------------+

but with this method you need to define ALL calling-station-id and
their corresponding passwords. I consider this a hack though. You
should avoid this unless you ABSOLUTELY know what you're doing, as
you're unlikely to get help from others if you experience problems due
to this "hack".


-- 
Fajar
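The two workarounds Fajar describes (rewriting User-Name to "root@<ip>" with unlang, or adding a CallingStationId column and extending the WHERE clause in dialup.conf), modelled as an added example; this is not code from the original post or from FreeRADIUS. It assumes an in-memory SQLite table in place of the MySQL radcheck table, `?` placeholders in place of the %{SQL-User-Name} and %{Calling-Station-Id} expansions, and a simplified "exactly one Password item" acceptance rule that only serves to make the ambiguity visible. The root@<ip> rows (ids 20 and 21) are constructed to stand in for the table the rewrite approach would need.

```python
"""Model of the two FreeRADIUS workarounds from the reply above.

Added example, not code from the original post or from FreeRADIUS. An
in-memory SQLite table stands in for the MySQL radcheck table, and `?`
placeholders stand in for the %{SQL-User-Name} / %{Calling-Station-Id}
expansions in dialup.conf. The "exactly one Password item" rule in
check_password is a deliberate simplification used to make the ambiguity
visible; it is not a claim about how the server resolves duplicate items.
"""
import sqlite3

# Constructed sample rows. The CallingStationId column only exists for the
# reply's second approach; the 'root@<ip>' rows (ids 20, 21, constructed)
# model the first approach, where unlang rewrites User-Name before the
# SQL lookup runs.
RADCHECK_ROWS = [
    (1, "linuxuser", "Password", "==", "radpwd", None),
    (11, "root", "Password", "==", "10radpwd", "192.168.100.10"),
    (10, "root", "Password", "==", "61radpwd", "192.168.100.61"),
    (20, "root@192.168.100.10", "Password", "==", "10radpwd", None),
    (21, "root@192.168.100.61", "Password", "==", "61radpwd", None),
]


def build_db():
    """Create the sample radcheck table with the extra CallingStationId column."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT, "
        "Attribute TEXT, op TEXT, Value TEXT, CallingStationId TEXT)"
    )
    conn.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?, ?, ?)", RADCHECK_ROWS)
    return conn


def stock_lookup(conn, username):
    """Stock check query: WHERE username = '%{SQL-User-Name}' and nothing else."""
    return conn.execute(
        "SELECT Attribute, op, Value FROM radcheck WHERE UserName = ? ORDER BY id",
        (username,),
    ).fetchall()


def per_station_lookup(conn, username, calling_station_id):
    """Reply's second approach: the WHERE clause also matches CallingStationId."""
    return conn.execute(
        "SELECT Attribute, op, Value FROM radcheck "
        "WHERE UserName = ? AND CallingStationId = ? ORDER BY id",
        (username, calling_station_id),
    ).fetchall()


def rewritten_username(username, calling_station_id):
    """Reply's first approach, modelled in Python: the name the unlang rewrite
    would produce ('root@192.168.100.10'), which is then looked up as-is."""
    return f"{username}@{calling_station_id}"


def check_password(check_items, supplied):
    """Accept only when exactly one Password check item exists and it matches.
    Zero items: unknown user/station; two or more: ambiguous, which is the
    situation the reply says 'won't work'."""
    passwords = [value for attr, _op, value in check_items if attr == "Password"]
    return len(passwords) == 1 and passwords[0] == supplied


def authenticate(conn, username, calling_station_id, supplied, mode="stock"):
    """Run one Access-Request through the chosen lookup and return accept/reject."""
    if mode == "stock":
        items = stock_lookup(conn, username)
    elif mode == "rewrite":
        items = stock_lookup(conn, rewritten_username(username, calling_station_id))
    elif mode == "station_column":
        items = per_station_lookup(conn, username, calling_station_id)
    else:
        raise ValueError(f"unknown mode: {mode}")
    return check_password(items, supplied)


if __name__ == "__main__":
    db = build_db()
    stations = (("192.168.100.10", "10radpwd"), ("192.168.100.61", "61radpwd"),
                ("192.168.70.10", "10radpwd"))
    for mode in ("stock", "rewrite", "station_column"):
        for ip, pw in stations:
            verdict = "Access-Accept" if authenticate(db, "root", ip, pw, mode) else "Access-Reject"
            print(f"{mode:15} root from {ip:15} -> {verdict}")
```

Running the script prints one accept/reject line per mode and station. Under the stock query "root" yields two Password items and is rejected whatever password is supplied, while both workarounds accept the matching password for a known station; the unknown station 192.168.70.10 is rejected by both, which is the caveat in the reply that every calling-station-id and its password must be defined up front.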