"Tom Whitehouse" <tomw@cs.york.ac.uk> wrote:
This all works, and I now need to check multiple Samba password files and depending on which one contains the users credentials return a VLAN tag to the switch. ... and tried using realms and Autz-Type in the authorize section and changing User-Name to Stripped-User-Name, but this doesn't work with EAP.
There should really be a page in the docs somewhere saying realms are mainly for proxying... In your case, my suggestion is the following: - add 2 new "string" attributes to the dictionary, Something-Group && Something-User - use regular expressions in the "hints" file to match the incoming User-Name, and create Something-Group and Something-User. e.g. DEFAULT User-Name =~ "(.*)x(.*)" Something-Group = `%{1}`, Something-User = `%{2}` Keep the rlm_passwd config, but change the key from User-Name to Something-User. Oh, and delete the "authtype = MS-CHAP" config. It probably should be removed from the server entirely. - in the "users" file, key off of Something-Group... This all presumes that the users log in with realms, so *they* tell the server which group they belong in. Alan DeKok.