How to reject when a user logs in without realm?
Hi, I am new to radius . hence kindly excuse if my terminologies are different from what is expected. I am using Freeradius Version 1.1.7. Is it possible to reject when a request comes from the NAS server with a user logging in without a realm as suffix? For example, if the FreeRadius server receives an authentication request for the user navin , it has to reject. but if it receives the request as navin@freescale.com it has to authenticate him. I tried the below options: I am not using the proxy request support. Hence commenting proxy.conf file and setting proxy_requests = no in the radiusd.conf file. Added the below in the radiusd.conf file with the intention that users of realm freescale.com has to be authenticated and other users should be rejected. realm freescale.com { type = radius authhost = LOCAL accthost = LOCAL } realm NULL { type = radius authhost = LOCAL accthost = LOCAL secret = test } In the radiusd.conf under the section realm module config options ignore_null = yes ignore_default = yes for user@realm. In the users file, added navin@freescale.com Cleartext-Password := "navin123" meaning authenticate navin having a password navin123. But what i observed is, i get authenticated when i login as navin and also as navin@freescale.com . This has been verified with the radtest client program which came along with the freeradius server. Kindly do let me know if the user can be rejected access if he logs in without realm. have a nice day, navin
I am new to radius . hence kindly excuse if my terminologies are different from what is expected.
I am using Freeradius Version 1.1.7. Is it possible to reject when a request comes from the NAS server with a user logging in without a realm as suffix?
For example, if the FreeRadius server receives an authentication request for the user navin , it has to reject. but if it receives the request as navin@freescale.com it has to authenticate him.
I tried the below options:
I am not using the proxy request support. Hence commenting proxy.conf file and setting proxy_requests = no in the radiusd.conf file.
Added the below in the radiusd.conf file with the intention that users of realm freescale.com has to be authenticated and other users should be rejected.
realm freescale.com { type = radius authhost = LOCAL accthost = LOCAL }
Remove that. Your user file entry will sort out who gets authenticated and who doesn't. Ivan Kalik Kalik Informatika ISP
Hi, Hope you are referring to realm freescale.com { type = radius authhost = LOCAL accthost = LOCAL present in the radiusd.conf file. removed it. Restarted the freeradius server. The user file contains navin@freescale.com Cleartext-Password := "navin123" Even then when tested with radtest tool , the users "navin" & "navin@freescale.com" are both getting authenticated. I would prefer only navin@freescale.com get authenticated and user "navin" should get rejected. have a nice day, navin At 07:37 PM 7/15/2009, you wrote:
I am new to radius . hence kindly excuse if my terminologies are different from what is expected.
I am using Freeradius Version 1.1.7. Is it possible to reject when a request comes from the NAS server with a user logging in without a realm as suffix?
For example, if the FreeRadius server receives an authentication request for the user navin , it has to reject. but if it receives the request as navin@freescale.com it has to authenticate him.
I tried the below options:
I am not using the proxy request support. Hence commenting proxy.conf file and setting proxy_requests = no in the radiusd.conf file.
Added the below in the radiusd.conf file with the intention that users of realm freescale.com has to be authenticated and other users should be rejected.
realm freescale.com { type = radius authhost = LOCAL accthost = LOCAL }
Remove that. Your user file entry will sort out who gets authenticated and who doesn't.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hope you are referring to realm freescale.com { type = radius authhost = LOCAL accthost = LOCAL
present in the radiusd.conf file. removed it. Restarted the freeradius server.
The user file contains navin@freescale.com Cleartext-Password := "navin123"
Even then when tested with radtest tool , the users "navin" & "navin@freescale.com" are both getting authenticated. I would prefer only navin@freescale.com get authenticated and user "navin" should get rejected.
There is something else there then as well. Post the debug for navin. You can probably safely disable suffix as well. But lets first see what is stripping the username. There is nothing in the default configuration that does that. Ivan Kalik Kalik Informatika ISP
participants (2)
-
Ivan Kalik -
Navin