how to manage dynamic list of realms

Alan DeKok aland at deployingradius.com
Fri Sep 7 13:46:01 CEST 2018


On Sep 7, 2018, at 3:10 AM, Gil Sudai <gilsudai at gmail.com> wrote:
> I am planning the following solution:  A system where companies (aka realm in
> radius?) can be added or removed dynamically. And for each company there is
> a dynamic list of users. For example user@comp-1.com, user@comp-2.com, etc.

  That's simple to do.

> Users will authenticate with name and password.
> 
> I would like tips and pointers for further reading regarding the following
> questions:
> 
> - Is it possible to add & remove a company (realm?) dynamically without
> restarting the radius server?

  Yes and no.  If you use the proxy.conf file to define realms, it will only be re-read when the server starts.

  But you don't need to define realms there.  The realms are defined there only for ease of proxying.  If you're not proxying, you can define realms anywhere.

> - How to setup the radius to support multiple (dynamic) realms?

  Match the username as a regular expression. Parse the realm off that way.  Put the realms into a separate DB table:

	#
	#  Split user@realm into Stripped-User-Name and Realm
	#
	if (User-Name =~ /^([^@]+)@([^@]+)$/) {
		update request {
			Stripped-User-Name := "%{1}"
			Realm := "%{2}"
		}
	}

  Then, look the realm up in an SQL table.  You will have to create this table yourself, and customize the query:

	#
	#  Realms NOT in the table get rejected
	#
	if ("%{sql:SELECT realm FROM realmstable WHERE realm = '%{Realm}'}" == "") {
		reject
	}

> - I want to put the users in postgresql db. When a user is added to a
> company my code will add it to the db. Should all users from all realms
> be stored in a single db table (realm would be a column) or in different db
> tables?

  However you want.  Once you have verified that the realm is known, you can structure SQL any way you want.

  You can edit the SQL queries in mods-config/sql/main/... to include the %{Realm} attribute as part of the table name.

  Then, create a table for each realm:  radcheck_example.com, radreply_example.com, radacct_example.com, etc.

> - Do I need to use virtual servers for that or only realms?

  You don't need different virtual servers.

  Alan DeKok.
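The authorize flow described in the reply above (split User-Name on "@", reject any realm that is not in the realms table, and only then select the per-realm radcheck_<realm> table), written out as an added stand-alone Python example against an in-memory SQLite database. This is an illustration, not FreeRADIUS or rlm_sql code: the realm names, users and passwords are constructed sample data, the realmstable name, realm column and radcheck_example.com naming come from the reply, and the (username, attribute, op, value) columns follow the standard FreeRADIUS radcheck layout. It shows the one caveat that matters once the realm becomes part of a table name: a table identifier cannot be bound as a query parameter, so the realm must already have passed the whitelist lookup, and an identifier containing a "." (radcheck_example.com) has to be double-quoted, in PostgreSQL as in SQLite, or it is parsed as schema.table.

```python
import re
import sqlite3

# Constructed sample data standing in for the PostgreSQL tables the reply
# describes: one realms table plus one radcheck_<realm> table per realm.
SAMPLE_REALMS = ["example.com", "comp-2.com"]
SAMPLE_USERS = {  # realm -> list of (username, Cleartext-Password)
    "example.com": [("alice", "s3cret")],
    "comp-2.com": [("bob", "hunter2")],
}

# Same pattern as the reply's unlang condition: local part, one "@", realm.
USER_NAME_RE = re.compile(r"^([^@]+)@([^@]+)$")


def quote_ident(name):
    """SQL identifier quoting: wrap in double quotes, double any embedded quote."""
    return '"' + name.replace('"', '""') + '"'


def build_db():
    """Create realmstable and one radcheck_<realm> table per sample realm."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE realmstable (realm TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO realmstable VALUES (?)",
                   [(r,) for r in SAMPLE_REALMS])
    for realm, users in SAMPLE_USERS.items():
        table = quote_ident("radcheck_" + realm)   # e.g. "radcheck_example.com"
        db.execute(f"CREATE TABLE {table} "
                   "(username TEXT, attribute TEXT, op TEXT, value TEXT)")
        db.executemany(f"INSERT INTO {table} VALUES (?, ?, ?, ?)",
                       [(u, "Cleartext-Password", ":=", p) for u, p in users])
    return db


def split_user_name(user_name):
    """Return (Stripped-User-Name, Realm), or None when there is no single '@'."""
    m = USER_NAME_RE.match(user_name)
    return (m.group(1), m.group(2)) if m else None


def realm_is_known(db, realm):
    """The reply's realmstable lookup, as a parameterized query."""
    row = db.execute("SELECT realm FROM realmstable WHERE realm = ?",
                     (realm,)).fetchone()
    return row is not None


def authorize(db, user_name):
    """Mirror the unlang authorize steps: parse, whitelist the realm, then look up the user."""
    parts = split_user_name(user_name)
    if parts is None:
        return ("reject", "no realm in User-Name")
    stripped, realm = parts
    if not realm_is_known(db, realm):
        return ("reject", "unknown realm")
    # Only a realm present in realmstable reaches this point, so it may be used
    # as part of a table identifier; quote it because of the '.' in the name.
    table = quote_ident("radcheck_" + realm)
    row = db.execute(f"SELECT value FROM {table} "
                     "WHERE username = ? AND attribute = 'Cleartext-Password'",
                     (stripped,)).fetchone()
    if row is None:
        return ("reject", "unknown user in realm")
    return ("ok", {"Stripped-User-Name": stripped, "Realm": realm,
                   "Cleartext-Password": row[0]})


if __name__ == "__main__":
    db = build_db()
    for name in ["alice@example.com", "bob@comp-2.com",
                 "alice@nowhere.org", "carol@example.com", "nouser"]:
        print(name, "->", authorize(db, name))
```

Adding a realm at runtime is then an INSERT into realmstable plus creating its radcheck_/radreply_/radacct_ tables; nothing in the server has to be restarted, which is the point of the reply's "you can define realms anywhere".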
