Authenticate users from multiple realms on the same NAS
Hi, I've been using GNU-RADIUS and asked this question on the GNU-RADIUS list last week but didn't get any responses. The ISP I work for has recently aquired two other local ISPs. None of the ISPs have their customers setup to authenticate with username@realm. I need to merge dial-up numbers and bring the DSL aggregation together in order to reduce costs. That means, I will have potentially three users with the username of "bob" trying to login on the same NAS box with no way to tell which one they are other than the password the user supplies. The NAS address and everything else I can think of will be the same for all users. (we lack caller-id features). Is it possible to setup radius to authenticate these users? I'm willing to switch RADIUS servers if someone has a nifty module that makes magic happen. I've been skimming through the FreeRADIUS mailing list and trying to search google for pointers on how to accomplish this. Unfortunately, the search terms I have been trying are pretty much useless. "multiple realms", "multiple domains" combined with or without "one NAS", "same NAS" ... If anyone has pointers to documentation that tells me why it can't be done or how to do it, or even a "hey stupid, it's not that complicated", I would appreciate the help. -- Scott Lambert KC5MLE Unix SysAdmin lambert@lambertfam.org
Scott Lambert <lambert@lambertfam.org> wrote:
I've been using GNU-RADIUS and asked this question on the GNU-RADIUS list last week but didn't get any responses.
They haven't had a release for 2 years now...
I need to merge dial-up numbers and bring the DSL aggregation together in order to reduce costs. That means, I will have potentially three users with the username of "bob" trying to login on the same NAS box with no way to tell which one they are other than the password the user supplies. The NAS address and everything else I can think of will be the same for all users. (we lack caller-id features).
Yuck.
Is it possible to setup radius to authenticate these users? I'm willing to switch RADIUS servers if someone has a nifty module that makes magic happen.
If your users are in LDAP, it's actually pretty easy, so long as they're all doing PAP authentication. FreeRADIUS has the ability to run multiple modules, depending on the return codes from a module. See doc/configurable_failover. The short answer is that if you have 3 LDAP databases, you can do something like: authenticate { ... Auth-Type any_is_ok { ldap1 { reject = 1 notfound = 2 ok = return } ldap2 { reject = 1 notfound = 2 ok = return } ldap3 } ... } This says "if they're not found in LDAP1, or if their password is wrong, try LDAP2, or try LDAP3". If your users aren't in LDAP, the same kind of thing can be done with another module, but it's a little more work. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On Thu, Aug 10, 2006 at 05:26:39PM -0400, Alan DeKok wrote:
Scott Lambert <lambert@lambertfam.org> wrote:
I need to merge dial-up numbers and bring the DSL aggregation together in order to reduce costs. That means, I will have potentially three users with the username of "bob" trying to login on the same NAS box with no way to tell which one they are other than the password the user supplies. The NAS address and everything else I can think of will be the same for all users. (we lack caller-id features).
Yuck.
Is it possible to setup radius to authenticate these users? I'm willing to switch RADIUS servers if someone has a nifty module that makes magic happen.
If your users are in LDAP, it's actually pretty easy, so long as they're all doing PAP authentication. FreeRADIUS has the ability to run multiple modules, depending on the return codes from a module. See doc/configurable_failover.
The short answer is that if you have 3 LDAP databases, you can do something like:
authenticate { ... Auth-Type any_is_ok { ldap1 { ... } ... ldap3 } ... }
This says "if they're not found in LDAP1, or if their password is wrong, try LDAP2, or try LDAP3".
That looks very cool.
If your users aren't in LDAP, the same kind of thing can be done with another module, but it's a little more work.
Actually, I have one set of users in password files, one in msql, and one in MS SQL. I was thinking about putting everything into mysql/postgresql databases. -- Scott Lambert KC5MLE Unix SysAdmin lambert@lambertfam.org
Scott Lambert <lambert@lambertfam.org> wrote:
I was thinking about putting everything into mysql/postgresql databases.
That gets a little harder, because you effectively have 3 passwords for the user, and want any one of them to work. Th eserver sn't really set up to do that right now... It could be done with a little bit of work, which isn't hard, but it's a rare enough request that it hasn't been done until now. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Le Fri, Aug 11, 2006 at 02:48:33PM -0400, Alan DeKok ecrivait:
Scott Lambert <lambert@lambertfam.org> wrote:
I was thinking about putting everything into mysql/postgresql databases.
That gets a little harder, because you effectively have 3 passwords for the user, and want any one of them to work. Th eserver sn't really set up to do that right now...
It could be done with a little bit of work, which isn't hard, but it's a rare enough request that it hasn't been done until now.
I would do it that way: I would use hints file to rewrite the User-Name depending on the Called-Station-ID and Medium-Type. This way you could: - rewrite dialup user bob into bob@isp1 when Called-Station-Id is present - rewrite DSL user bob into@isp2 when Called-Station-Id isn't present This way you can have bob@isp1 and bob@isp2 into the same database without any problem. It's a bit tricky, any easier way Alan ? Regards, Fox.
Francois-Xavier GAILLARD <fx.gaillard@thefox.com.fr> wrote:
It's a bit tricky, any easier way Alan ?
I'm not sure... the main problem is that multiple people with the same name are dialing into the same NAS equipment. So they really are the "same" person, but with many possible valid passwords. It's a hard problem to solve cleanly. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Le Fri, Aug 11, 2006 at 06:09:21PM -0400, Alan DeKok ecrivait:
Francois-Xavier GAILLARD <fx.gaillard@thefox.com.fr> wrote:
It's a bit tricky, any easier way Alan ?
I'm not sure... the main problem is that multiple people with the same name are dialing into the same NAS equipment. So they really are the "same" person, but with many possible valid passwords.
It's a hard problem to solve cleanly.
And I'm not even sure my solution works. It's easy to look for Called-Station-Id, but how would one look for Called-Station-Id if it's not there (DSL users). Maybe he should configure the NASes to send different NAS-IP-Address according to wheter it's a dialup user or a DSL user, using different loopback addresses, and then rewrite User-Name using NAS-IP-Address attribute. Regards, Fox.
On Sat, Aug 12, 2006 at 01:06:38AM +0200, Francois-Xavier GAILLARD wrote:
Le Fri, Aug 11, 2006 at 06:09:21PM -0400, Alan DeKok ecrivait:
Francois-Xavier GAILLARD <fx.gaillard@thefox.com.fr> wrote:
It's a bit tricky, any easier way Alan ?
I'm not sure... the main problem is that multiple people with the same name are dialing into the same NAS equipment. So they really are the "same" person, but with many possible valid passwords.
It's a hard problem to solve cleanly.
And I'm not even sure my solution works. It's easy to look for Called-Station-Id, but how would one look for Called-Station-Id if it's not there (DSL users).
Maybe he should configure the NASes to send different NAS-IP-Address according to wheter it's a dialup user or a DSL user, using different loopback addresses, and then rewrite User-Name using NAS-IP-Address attribute.
I proabably wasn't clear, it's not the same NAS for DSL and dialup. However, it is (going to be) the same NAS for DSL at all three ISPs. Also, it will be the same, different, NAS for dialup in the towns where coverage overlaps. We have to use DS1s for dial in these areas and they don't have caller id features so there is no Called-Station-Id. Would I be able to setup three mysql entries in the way that Alan suggested for the LDAP setup, but with a different query specified for each realm which includes the realm in the selection criteria of query? I need to find some time to get a test install up. Or hire somebody to build the initial config for me. I just don't know how the accounting will hold together with any solution. -- Scott Lambert KC5MLE Unix SysAdmin lambert@lambertfam.org
Scott Lambert <lambert@lambertfam.org> wrote:
Would I be able to setup three mysql entries in the way that Alan suggested for the LDAP setup, but with a different query specified for each realm which includes the realm in the selection criteria of query?
If the users are logging in with different realms (i.e. bob@foo, bob@bar), then there's no problem. It's easy to do, just key off of the realms. If you have 3 users logging in as "bob", each with different passwords, then it's hard. Just putting different MySQL entries won't work.
I just don't know how the accounting will hold together with any solution.
"Class". Send a Class attribute back in the Access-Accept with some kind of unique identifier for the user. e.g. a numerical ID, or something that uniquely identifies them. The Class attribute will come back in the accounting packets, and you can use that to tell which user to bill. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (3)
-
Alan DeKok -
Francois-Xavier GAILLARD -
Scott Lambert