My question was more of where that configuration should live. I can see that you can do attribute checks in the users file, but I am not sure the realm is being set to any attribute... I can see in the debug messages: rad_recv: Access-Request packet from host 127.0.0.1 port 53888, id=132, length=95 User-Name = "user@realm" User-Password = "password!" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 ... Tue Oct 12 07:38:54 2010 : Info: [IPASS] No '/' in User-Name = " user@realm", looking up realm NULL Tue Oct 12 07:38:54 2010 : Info: [IPASS] No such realm "NULL" Tue Oct 12 07:38:54 2010 : Info: ++[IPASS] returns noop Tue Oct 12 07:38:54 2010 : Info: [suffix] Looking up realm "realm" for User-Name = " user@realm" Tue Oct 12 07:38:54 2010 : Info: [suffix] No such realm "realm" Tue Oct 12 07:38:54 2010 : Info: ++[suffix] returns noop But I never see an attribute being set to the realm. Do I have to explicitly define that somewhere in order to do a check in the users file? Or, is there a better place to do this check (possibly in an IPASS configuration of suffix configuration)? From: Alan DeKok <aland@deployingradius.com> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Date: Tue, 12 Oct 2010 01:08:14 -0400 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Defining an Auth-Type based on a realm Mathew Rowley wrote:
Is there a typical way to set an Auth-Type := Kerberos¹ when a user is part of a specific realm? For testing purposes, I am able to add this to the users¹ file:
DEFAULT Auth-Type := Kerberos
But, will need something based on realm in the future.
You can do comparisons on the Realm, too. It's just another attribute. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html