duplicate usernames across multiple NAS that belong to different users

Alan DeKok aland at deployingradius.com
Wed Sep 1 00:13:05 CEST 2021


On Aug 31, 2021, at 12:20 PM, Jonathan Davis <jonathan at prioritycolo.com> wrote:
> User1 on NAS1 has the username "user45"
> 
> User2 on NAS2 has the same username "user45"

  Generally this is done with different RADIUS servers, but FreeRADIUS can do this.

> We're using Yubikeys and SQL for 2FA/MFA, and I've got the Yubikey mappings sorted based on the clients.conf for each NAS
> 
> For SQL I can see multiple ways of doing this.
> 
> Add something (e.g. NAS shortname) to the supplied username to match unique usernames in SQL

  Read sites-available/README.  You can use virtual servers to handle this.

  Create two virtual servers, let's say "server1" and "server2".  Start them off as copies of the "default" server, but without the "listen" sections.

  You'll also need to edit the client definition, to tell FreeRADIUS to send all packets from the client to a particular virtual server:

client nas1 {
	...
	virtual_server = server1
}

client nas2 {
	...
	virtual_server = server2
}
> Use different SQL dbs for each NAS or Virtual Server (not a fan of this but it is an option)

  Use different *tables*.  You'll need two copies of the SQL module.

  Create mods-enabled/sql1, and mods-enabled/sql2, both as copies of mods-available/sql

  Then change the names from:

	sql {
		...

  to:

	sql sql1 {
		...

  And also change the RADIUS database used in one (or both) files, from:

	radius_db = "radius"

  to:

	radius_db = "radius1"

  You'll have to create the DB and the tables, see mods-config/sql/main/mysql/schema.sql for what to do.

  Then also edit the virtual servers "server1" and "server2".  Where they say "sql", change that to "sql1" for server1, and "sql2" for server2.  This should be at least in the "authorize" section, and the "accounting" section, and "post-auth" if you're using SQL there.

  There are a few critical changes, but none of them are complex or difficult.  You just have to know what to do.  :)

> Write some custom SQL queries and tables so that usernames are linked to groups via an index instead of usernames. This wouldn't be hard, but I don't know if different SQL servers can use different SQL queries (is it as simple as changing which query.conf to import?).

  When you make the above changes, you effectively have 3 virtual servers:

* default - packets from most clients go here
* server1 - packets from NAS1 go here
* server2 - packets from NAS2 go here

  And you also have 2 SQL databases, with separate tables for each set of users.

  The benefit of this approach is that you end up with pretty standard SQL schema, tables, etc.  You don't need to mangle the usernames, or edit the queries, or do anything special.  In fact, the two different SQL modules can continue to use the same queries!

  Alan DeKok.
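The three pieces of the procedure above (per-client virtual_server routing, a renamed copy of the SQL module pointing at its own database, and a virtual server that calls that copy) put together as one worked configuration. This is an added example, not configuration from the thread or from the FreeRADIUS distribution; the addresses, shared secrets, database credentials and the trimmed "authorize"/"authenticate" sections are assumptions, and "server2"/"sql2" are the same with the names and radius_db changed. Paths are relative to raddb (for example /etc/raddb or /etc/freeradius/3.0).

```conf
# --- clients.conf (added fragment) ---
# The virtual_server line is what sends every packet from that NAS to the
# per-NAS virtual server; nothing else about the client definition changes.
client nas1 {
	ipaddr         = 192.0.2.10        # assumption: NAS1 address
	secret         = "nas1-secret"     # assumption: shared secret
	shortname      = nas1
	virtual_server = server1
}

client nas2 {
	ipaddr         = 192.0.2.20        # assumption: NAS2 address
	secret         = "nas2-secret"     # assumption: shared secret
	shortname      = nas2
	virtual_server = server2
}

# --- mods-enabled/sql1 (copy of mods-available/sql, renamed) ---
# Only the instance name and radius_db differ from the stock module.
# ${.:name} still expands to "sql" (not "sql1"), so the $INCLUDE below loads
# the same stock queries.conf for both instances: no query edits needed.
sql sql1 {
	driver    = "rlm_sql_mysql"
	dialect   = "mysql"
	server    = "localhost"
	port      = 3306
	login     = "radius"               # assumption: DB credentials
	password  = "radpass"
	radius_db = "radius1"              # per-NAS database, created from schema.sql

	acct_table1      = "radacct"
	acct_table2      = "radacct"
	postauth_table   = "radpostauth"
	authcheck_table  = "radcheck"
	groupcheck_table = "radgroupcheck"
	authreply_table  = "radreply"
	groupreply_table = "radgroupreply"
	usergroup_table  = "radusergroup"
	read_groups  = yes
	read_clients = no                  # clients stay in clients.conf, where virtual_server lives

	$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}
# mods-enabled/sql2 is identical except:   sql sql2 {   and   radius_db = "radius2"

# --- sites-enabled/server1 (copy of "default", with the listen sections removed) ---
# Every "sql" reference in the copy becomes "sql1"; server2 uses "sql2".
# A user45 row in radius1.radcheck and a user45 row in radius2.radcheck are
# therefore two different users, with no username mangling.
server server1 {
	authorize {
		filter_username
		preprocess
		sql1
		pap
	}

	authenticate {
		Auth-Type PAP {
			pap
		}
	}

	accounting {
		sql1
	}

	post-auth {
		sql1
		Post-Auth-Type REJECT {
			sql1
		}
	}
}
```

Create each database before starting the server (for MySQL: `CREATE DATABASE radius1;` then `mysql radius1 < mods-config/sql/main/mysql/schema.sql`, and the same for radius2), then run `radiusd -XC` to confirm both SQL instances and both virtual servers parse and connect. A test request in `radiusd -X` debug output shows which virtual server handled it, which is the quickest way to verify that a packet from nas1 really lands in server1 rather than in "default".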
