<font color='black' size='2' face='arial'>
<div> <pre><font size="2"><font face="Arial, Helvetica, sans-serif">Thank you Fajar.<br>
I added an additional argument to the lib pam radius, like "realm=192.168.100.10", and this realm is appended to the <br>
user like user@192.168.100.10. This solved my problem.<br>
<br>
Regards,<br>
Sri.<br>
<br>
<br>
<br>
</font></font>On Thu, Feb 11, 2010 at 5:20 PM, &lt;sri.b@aol.in&gt; wrote:<br>
> Now the problem is how to identify a user like root that has the same name on<br>
> multiple machines.<br>
> For this I observed that this PAM library is sending<br>
> Calling-Station-Id in Access-Request packets.<br>
> I did modify my radcheck table to have entries as following:<br>
> +----+-----------+--------------------+----+----------------+<br>
> | id | UserName  | Attribute          | op | Value          |<br>
> +----+-----------+--------------------+----+----------------+<br>
> |  1 | linuxuser | Password           | == | radpwd         |<br>
> | 12 | root      | Calling-Station-Id | == | 192.168.100.61 |<br>
> | 11 | root      | Password           | == | 10radpwd       |<br>
> | 10 | root      | Password           | == | 61radpwd       |<br>
> | 13 | root      | Calling-Station-Id | == | 192.168.70.10  |<br>
> +----+-----------+--------------------+----+----------------+<br>
><br>
> But it failed to authenticate.<br>
<br>
That won't work. You're NOT supposed to have different passwords for<br>
the same user name.<br>
When using a centralized authentication (radius, LDAP, Active<br>
Directory, whatever), a user will use the same password regardless of<br>
other attributes (like Calling-Station-Id).<br>
<br>
<br>
<br>
That being said, freeradius is highly customizable. You could, for<br>
example, use unlang to modify the username to become<br>
"root@192.168.100.10". See<br>
<a rel="nofollow" href="http://lists.freeradius.org/pipermail/freeradius-users/2010-January/msg00389.html">http://lists.freeradius.org/pipermail/freeradius-users/2010-January/msg00389.html</a><br>
and <a rel="nofollow" href="http://lists.freeradius.org/pipermail/freeradius-users/2010-January/msg00468.html">http://lists.freeradius.org/pipermail/freeradius-users/2010-January/msg00468.html</a><br>
for example. It does the reverse of what you're trying to do, but you<br>
can look at the example to see how you could modify the value of<br>
User-Name in request attribute.<br>
<br>
Another approach would be to use a custom user table (adding another<br>
column, CallingStationId), plus modify queries in dialup.conf so it<br>
says "WHERE username = '%{SQL-User-Name}' AND<br>
CallingStationId='%{Calling-Station-Id}'" instead of just "WHERE<br>
username = '%{SQL-User-Name}' ". Your table would then look something<br>
like this<br>
<br>
+----+----------+-----------+----+----------+------------------+<br>
| id | UserName | Attribute | op | Value    | CallingStationId |<br>
+----+----------+-----------+----+----------+------------------+<br>
| 11 | root     | Password  | == | 10radpwd | 192.168.100.10   |<br>
| 10 | root     | Password  | == | 61radpwd | 192.168.100.61   |<br>
+----+----------+-----------+----+----------+------------------+<br>
<br>
but with this method you need to define ALL calling-station-id and<br>
their corresponding passwords. I consider this a hack though. You<br>
should avoid this unless you ABSOLUTELY know what you're doing, as<br>
you're unlikely to get help from others if you experience problems due<br>
to this "hack".<br>
<br>
<br>
-- <br>
Fajar<br>
<br>
<br>
</pre></div>
<div style="font-family: arial,helvetica; font-size: 10pt; color: black;">-----Original Message-----<br>
From: sri.b@aol.in<br>
To: freeradius-users@lists.freeradius.org<br>
Sent: Thu, 11 Feb 2010 3:50 pm<br>
Subject: radius for linux authentication<br>
<br>
<div id="AOLMsgPart_2_8d824408-db08-4e1b-8887-067dda2c15a0">
<font color="black" face="arial" size="2">
<div> <br>
</div>
<div> <font size="2"><font face="Arial, Helvetica, sans-serif">Hi List,<br>
<br>
I have configured my linux devices to use freeRadius (freeRadius 1.1.5 with MySQL backend) authentication.<br>
Installation of pam library went well and am able to get authenticated against my freeRadius server.<br>
Now the problem is how to identify a user like root that has the same name on multiple machines. For this I observed that this PAM library is sending Calling-Station-Id in Access-Request packets.<br>
I did modify my radcheck table to have entries as following:<br>
+----+-----------+--------------------+----+----------------+<br>
| id | UserName  | Attribute          | op | Value          |<br>
+----+-----------+--------------------+----+----------------+<br>
|  1 | linuxuser | Password           | == | radpwd         |<br>
| 12 | root      | Calling-Station-Id | == | 192.168.100.61 |<br>
| 11 | root      | Password           | == | 10radpwd       |<br>
| 10 | root      | Password           | == | 61radpwd       |<br>
| 13 | root      | Calling-Station-Id | == | 192.168.70.10  |<br>
+----+-----------+--------------------+----+----------------+<br>
<br>
But it failed to authenticate.<br>
<br>
Please suggest what could be the problem, ASAP.<br>
Also, are there any other ways to handle this kind of situation?<br>
<br>
<br>
Appreciate your help.<br>
<br>
Regards,<br>
Sri.<br>
<br>
</font></font></div>
<div style="clear: both;"></div>
</font>
</div>
<!-- end of AOLMsgPart_2_8d824408-db08-4e1b-8887-067dda2c15a0 -->
</div>
</font>
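The per-host lookup suggested in the reply above (an extra CallingStationId column plus an extended WHERE clause), as an added example that is not part of the original thread or of FreeRADIUS. It assumes Python's sqlite3 in place of MySQL and bound parameters in place of the %{SQL-User-Name} and %{Calling-Station-Id} expansions; the helper names build_db, check_items and passwords are made up for the illustration.

```python
import sqlite3

# Constructed sample data: the two rows from the table sketched in the reply.
ROWS = [
    (11, "root", "Password", "==", "10radpwd", "192.168.100.10"),
    (10, "root", "Password", "==", "61radpwd", "192.168.100.61"),
]

# Stand-ins for the two WHERE clauses quoted in the reply. Bound parameters
# take the place of the %{SQL-User-Name} / %{Calling-Station-Id} expansions.
DEFAULT_QUERY = (
    "SELECT id, UserName, Attribute, Value, op FROM radcheck "
    "WHERE UserName = ? ORDER BY id"
)
PER_HOST_QUERY = (
    "SELECT id, UserName, Attribute, Value, op FROM radcheck "
    "WHERE UserName = ? AND CallingStationId = ? ORDER BY id"
)


def build_db():
    """Create an in-memory radcheck table with the added CallingStationId column."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT, "
        "Attribute TEXT, op TEXT, Value TEXT, CallingStationId TEXT)"
    )
    conn.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    return conn


def check_items(conn, username, calling_station_id=None):
    """Return the check rows selected for a request, with or without the host filter."""
    if calling_station_id is None:
        return conn.execute(DEFAULT_QUERY, (username,)).fetchall()
    return conn.execute(PER_HOST_QUERY, (username, calling_station_id)).fetchall()


def passwords(rows):
    """Extract the Password values from a list of check rows."""
    return [value for (_id, _user, attr, value, _op) in rows if attr == "Password"]


if __name__ == "__main__":
    db = build_db()
    # Username-only filter: both hosts' password rows come back together.
    print("default:", passwords(check_items(db, "root")))
    # Host filter: one row per known host, nothing for a host with no row.
    for host in ("192.168.100.10", "192.168.100.61", "192.168.70.10"):
        print(host + ":", passwords(check_items(db, "root", host)))
```

The empty result for 192.168.70.10 is the case the reply warns about: a host with no row of its own gets no check items at all.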