<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Arial","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">I have a multi-tenant VPN gateway that I terminate multiple customers on. If I authenticate sessions to the local database on the router there is no segregation, so
one customer can authenticate to another customer's VPN (inserting the connection into that specific VRF) with any local username/password on the router. I can source RADIUS auth requests from IPs specific to individual customer VRFs and need to use a segregated
username/password database to service these requests. I would like the solution to be able to scale to at least 100 clients that use individual username/password files. Is the solution you recommended above the best way to handle this?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">For the pap configuration in the model I tried to get working I copied the default file in sites-available and the only changes I made were adding server smoothtest
{ … } and changing files to second_files in authorize { … } and preacct { … }. Did this cause the pap authentication to break?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">So I can understand what you are suggesting:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal">- create multiple instances of the "files" module, one for each client.
<br>
<br>
- name them after the clients, so that you can keep track of which <br>
module matches which client. i.e. name them after the client IP <br>
address, for simplicity. i.e. <br>
<br>
files files_192.168.1.2 { <br>
... <br>
} <br>
<br>
<span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">Are you saying make multiple instances inside the existing files module, like how “second_files” was created, or copy the files module multiple times, creating
client-specific file names, and modify its content to files files_192.168.1.2 { ?
</span><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#365F91"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal">- select them dynamically at run-time via a "switch" statement.
<br>
<br>
- i.e. remove the "files" reference from "authorize", and replace it <br>
with a switch: <br>
<br>
switch "%{Client-IP-Address}" { <br>
case { <br>
files <br>
} <br>
<br>
case 192.168.1.2 { <br>
files_192.168.1.2 <br>
} <br>
<br>
... <br>
}<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><br>
<span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">If I use the above I would only need to add the:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">
<o:p></o:p></span></p>
<p class="MsoNormal">case 192.168.1.2 { <br>
files_192.168.1.2 <br>
}<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#244061">section for each additional client, correct, and the files module created, right?
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#244061"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#244061">For this method I should remove the virtual server I created and add the lines you suggest to the default file in sites-available in the authorize section?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#244061"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#244061">Thanks for the help.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Alan DeKok-2 [via FreeRADIUS] [mailto:ml-node+s1045715n5720335h18@n5.nabble.com]
<br>
<b>Sent:</b> Wednesday, May 22, 2013 10:17 AM<br>
<b>To:</b> Vincent Rusilowicz<br>
<b>Subject:</b> Re: Virtual server setup<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Vincent Rusilowicz wrote: <br>
> I have reloaded the server and started from scratch again. I was able <br>
> to authenticate with the default config, when adding client and user <br>
> info. In my effort to try and convert each client to use a separate <br>
> virtual so separate user files <br>
<br>
You still haven't explained *why* you need that. You're focusing on a <br>
solution. Instead, talk about the problem. Maybe there's another <br>
solution which is better. <br>
<br>
> can be used I am not able to <br>
> authenticate. I see the auth attempt match an entry in my second_users <br>
> file, but I get a WARNING message. <br>
<br>
Yes, because you butchered the configuration, and broke it. You <br>
deleted the "pap" module from the "authenticate" section. <br>
<br>
Why? Just... why? What possible benefit is there from destroying the <br>
"authenticate" section? <br>
<br>
If you *do* want "users" files which are unique per client, there are <br>
a few ways to do it. The choice of solutions can depend on how many <br>
clients you have. <br>
<br>
One way may be this: <br>
<br>
- create multiple instances of the "files" module, one for each client. <br>
<br>
- name them after the clients, so that you can keep track of which <br>
module matches which client. i.e. name them after the client IP <br>
address, for simplicity. i.e. <br>
<br>
files files_192.168.1.2 { <br>
... <br>
} <br>
<br>
- select them dynamically at run-time via a "switch" statement. <br>
<br>
- i.e. remove the "files" reference from "authorize", and replace it <br>
with a switch: <br>
<br>
switch "%{Client-IP-Address}" { <br>
case { <br>
files <br>
} <br>
<br>
case 192.168.1.2 { <br>
files_192.168.1.2 <br>
} <br>
<br>
... <br>
} <br>
<br>
And don't change *anything* else. Butchering random things in the <br>
configuration files is a guaranteed way to break the server. <br>
<br>
Alan DeKok. <br>
<o:p></o:p></p>
</div>
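<p class="MsoNormal">Added example, not part of the original thread or of the FreeRADIUS project: one way to generate the per-client "files" instances and the matching switch from a single inventory, so that 100 clients stay consistent and no two tenants can end up sharing a users file. The tenant inventory is constructed; the usersfile setting (the FreeRADIUS 2.x files module option) and the ${confdir}/users.d path are assumptions.</p>

```python
import ipaddress

# Constructed sample inventory: tenant name -> RADIUS client (NAS source) IP.
TENANTS = {
    "customer-a": "192.168.1.2",
    "customer-b": "192.168.1.3",
}

def instance_name(ip):
    """Instance name in the thread's style: files_ plus the client IP."""
    # ip_address() raises ValueError on anything that is not a valid address.
    return "files_" + str(ipaddress.ip_address(ip))

def check_unique(tenants):
    """Refuse an inventory where two tenants would share one users file."""
    seen = {}
    for tenant, ip in tenants.items():
        key = str(ipaddress.ip_address(ip))
        if key in seen:
            raise ValueError(f"{tenant} and {seen[key]} both use {key}")
        seen[key] = tenant

def render_modules(tenants, users_dir="${confdir}/users.d"):
    """One files instance per client; users_dir is an assumed location."""
    check_unique(tenants)
    blocks = []
    for tenant, ip in sorted(tenants.items()):
        name = instance_name(ip)
        blocks.append(
            f"# {tenant}\n"
            f"files {name} {{\n"
            f"\tusersfile = {users_dir}/{name}\n"
            f"}}\n"
        )
    return "\n".join(blocks)

def render_switch(tenants):
    """The switch from the reply: default case first, then one case per client."""
    check_unique(tenants)
    lines = ['switch "%{Client-IP-Address}" {', "\tcase {", "\t\tfiles", "\t}"]
    for _, ip in sorted(tenants.items()):
        addr = str(ipaddress.ip_address(ip))
        lines += [f"\tcase {addr} {{", f"\t\t{instance_name(ip)}", "\t}"]
    lines.append("}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_modules(TENANTS))
    print(render_switch(TENANTS))
```

<p class="MsoNormal">The default case still hands any client without its own entry to the shared "files" instance, exactly as in the switch quoted above.</p>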
</body>
</html>