Geoff Silver wrote:
I've got (what I believe is) an interesting engineering problem to solve. I'm
Hmm - you're right, interesting
options in the NAS to either restrict the NAS-Port that gets used (ie. cert auth would use ports 1-1000 and regular auth would use 1001-2000), nor is there a way to *apply* a realm to a request (only to strip the realm from the request, which doesn't help me). The only thing the NAS can do that is "helpful" is send cert auth requests to a different UDP port than regular auth requests.
"Helpful" in quotes indeed!
a Packet-Src-Port attribute in the freeradius.internal dictionary, but I
I assume you mean Packet-Dst-Port, but yes that would be the way to do it. Looking at it, it appears this is in CVS head but not in my tarball of 1.1.0. doc/variables.txt in a CVS checkout lists Packet-Dst-Port as supported and it's in the xlat_packet function. What I can't figure out is how you might do this: DEFAULT %{request:Packet-Dst-Port}==1234, Autz-Type := "cert" ...i.e. have an expansion on the left hand side. I'm not sure you can, but the code is quite big and I've only scanned it. What you can do (in CVS head) is use the following in the hints file (which is actually quite appropriate): DEFAULT User-Name =~ "^(.*)$" Hint = "%{request:Packet-Dst-Port}" ...the have the "users" file read: DEFAULT Hint=="THEDESTPORT", Auth-Type := Accept ...and of course, add a 2nd listen section to the "radiusd.conf": listen { ipaddr = * port = THEDESTPORT type = auth } You can get more complex if you need to using Autz-Type based on the hint, or whatever. Hope that helps.