On Thu, Feb 11, 2010 at 5:20 PM, <sri.b@aol.in> wrote:
Now the problem is how to identify a user like root have same name on multiple machines. For this I observed that this PAM library is sending Calling-Station-Id in Access-Request packets. I did modify my radcheck table to have entires as following: +----+-----------+--------------------+----+----------------+ | id | UserName | Attribute | op | Value | +----+-----------+--------------------+----+----------------+ | 1 | linuxuser | Password | == | radpwd | | 12 | root | Calling-Station-Id | == | 192.168.100.61 | | 11 | root | Password | == | 10radpwd | | 10 | root | Password | == | 61radpwd | | 13 | root | Calling-Station-Id | == | 192.168.70.10 | +------------------------------------------------------------------------------
But the failed to authenticate.
That won't work. You're NOT supposed to have different password for the same user name. When using a centralized authentication (radius, LDAP, Active Directory, whatever), a user will use the same password regardless of other attributes (like Calling-Station-Id). That being said, freeradius is highly customizable. You could, for example, use unlang to modify the username to became "root@192.168.100.10". See http://lists.freeradius.org/pipermail/freeradius-users/2010-January/msg00389... and http://lists.freeradius.org/pipermail/freeradius-users/2010-January/msg00468... for example. It does the reverse of what you're trying to do, but you can look at the example to see how you could modify the value of User-Name in request attribute. Another approach would be to use a custom user table (adding another column, CallingStationId), plus modify queries in dialup.conf so it says "WHERE username = '%{SQL-User-Name}' AND CallingStationId='%{Calling-Station-Id}'" instead of just "WHERE username = '%{SQL-User-Name}' ". Your table would then look something like this +----+-----------+--------------------+----+----------------+---------------------------------+ | id | UserName | Attribute | op | Value | CallingStationId | +----+-----------+--------------------+----+----------------+---------------------------------+ | 11 | root | Password | == | 10radpwd | 192.168.100.10 | | 10 | root | Password | == | 61radpwd | 192.168.100.61 | but with this method you need to define ALL calling-station-id and their corresponding passwords. I consider this a hack though. You should avoid this unless you ABSOLUTELY know what you're doing, as you're unlikely to get help from others if you experience problems due to this "hack". -- Fajar