Hi, I have Freeradius 1.1.6 running on FreeBSD. I authenticate users from a users file, not from a database. I have three default realms setup in the realms file and at the top of the users file like so: DEFAULT Realm == jellico.net Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Framed-IP-Netmask = 255.255.255.255, Framed-Routing = None, Framed-Compression = None, Framed-MTU = 1500, Fall-Through = 1 DEFAULT Realm == jellico.com Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Framed-IP-Netmask = 255.255.255.255, Framed-Routing = None, Framed-Compression = None, Framed-MTU = 1500, Fall-Through = 1 Then a list of users follows. Here's one example: lisa Auth-Type = Local, Password == xxxxxxx Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Framed-IP-Netmask = 255.255.255.255, Framed-Routing = None, Framed-Compression = None, Framed-MTU = 1500, Slipstream-Auth = "true" The way things are setup now, any user can log in with any of the realms I have defined. For example, I (username lisa) could login as lisa@jellico.com and then turn around and login as lisa@jellico.net My boss would like me to restrict this so that (for example) lisa could log in as lisa@jellico.com but not lisa@jellico.net With my setup, can I do this easily (or at all)? If this is possible, please give me some idea of how to go about doing this. Thanks, Lisa Casey
Hi,
DEFAULT Realm == jellico.net Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Framed-IP-Netmask = 255.255.255.255, Framed-Routing = None, Framed-Compression = None, Framed-MTU = 1500, Fall-Through = 1
DEFAULT Realm == jellico.com Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Framed-IP-Netmask = 255.255.255.255, Framed-Routing = None, Framed-Compression = None, Framed-MTU = 1500, Fall-Through = 1
Then a list of users follows. Here's one example:
lisa Auth-Type = Local, Password == xxxxxxx Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Framed-IP-Netmask = 255.255.255.255, Framed-Routing = None, Framed-Compression = None, Framed-MTU = 1500, Slipstream-Auth = "true"
The way things are setup now, any user can log in with any of the realms I have defined. For example, I (username lisa) could login as lisa@jellico.com and then turn around and login as lisa@jellico.net My boss would like me to restrict this so that (for example) lisa could log in as lisa@jellico.com but not lisa@jellico.net
With my setup, can I do this easily (or at all)? If this is possible, please give me some idea of how to go about doing this.
use the realms as check items for example lisa Realm == jellico.com Auth-Type := Local, Cleartext-Password := xxxxxxx Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Framed-IP-Netmask = 255.255.255.255, Framed-Routing = None, Framed-Compression = None, Framed-MTU = 1500, Slipstream-Auth = "true" lisa Realm == jellico.net Auth-Type := Reject, Cleartext-Password := xxxxxxx alan
Hi Alan,
use the realms as check items for example
lisa Realm == jellico.com Auth-Type := Local, Cleartext-Password := xxxxxxx Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Framed-IP-Netmask = 255.255.255.255, Framed-Routing = None, Framed-Compression = None, Framed-MTU = 1500, Slipstream-Auth = "true"
lisa Realm == jellico.net Auth-Type := Reject, Cleartext-Password := xxxxxxx
alan
Very good. I wondered if that could be done that way, but wasn't sure. Thanks. Lisa
On Thursday 08 November 2007 11:19:48 Lisa Casey wrote:
The way things are setup now, any user can log in with any of the realms I have defined. For example, I (username lisa) could login as lisa@jellico.com and then turn around and login as lisa@jellico.net My boss would like me to restrict this so that (for example) lisa could log in as lisa@jellico.com but not lisa@jellico.net
Just add a check item to the user entry and it will only allow them from that realm. Since you are using 1.1.6, don't use Auth-Type and start using Cleartext-Password with the := operator. lisa Cleartext-Password := "xxxxxxx", Realm == "jellico.com" ... Or if you want to reject from a specific realm, just use this before your real user entry: lisa Realm == "realmY", Auth-Type := Reject Kevin Bonner
To add on this, also have all the common attributes in a single default entry: DEFAULT Service-Type = Framed-User Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Framed-IP-Netmask = 255.255.255.255, Framed-Routing = None, Framed-Compression = None, Framed-MTU = 1500, Fall-Through = 1 User entries can then become one-liners, like in Kevin's example, and you don't even need those DEFAULT entries for realms. Ivan Kalik Kalik Informatika ISP Dana 8/11/2007, "Kevin Bonner" <keb@pa.net> piše:
On Thursday 08 November 2007 11:19:48 Lisa Casey wrote:
The way things are setup now, any user can log in with any of the realms I have defined. For example, I (username lisa) could login as lisa@jellico.com and then turn around and login as lisa@jellico.net My boss would like me to restrict this so that (for example) lisa could log in as lisa@jellico.com but not lisa@jellico.net
Just add a check item to the user entry and it will only allow them from that realm. Since you are using 1.1.6, don't use Auth-Type and start using Cleartext-Password with the := operator.
lisa Cleartext-Password := "xxxxxxx", Realm == "jellico.com" ...
Or if you want to reject from a specific realm, just use this before your real user entry: lisa Realm == "realmY", Auth-Type := Reject
Kevin Bonner
Hi, So I have a plan to use ldap to generally set attributes and use those attributes to set multiple specific attributes in radius. example: ldap server -> radius -> VPN vpngroup -> vpn filter and vpn tunnel and dhcp scope - > vpn does that make sense to do in the users file? could someone give me a general example of how they would try to do it? I was thinking in the ldap mapping file of adding a check item vpngroup (or whatever) and then using the users file to match off of that to set a reply of what i am looking for.... Joe Vieira UNIX Systems Administrator Clark University - ITS
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Joe Vieira -
Kevin Bonner -
Lisa Casey -
tnt@kalik.co.yu