Authentication accept/deny based on realm
Hi, I am using freeradius. I currently have two realms setup in mu users file with fallthrough=yes for both of them since the usernames/passwords are also in the users file and I need to be able to match on those. Currently, if username johndoe logs in as johndoe@realm1.com he gets accepted. If he then logs in as johndoe@realm2.com he will also get accepted since freeradius looks at the users file (and the realms file) finds the realm is valid, then goes on down the users file, finds the username/password valid, thus accepting the login. I'ld like to have it so that if johndoe logs in as johndoe@realm1.com he gets authenticated, but if he logs in as johndoe@realm2.com he does not. I'm not sure how to do that. I've googled a bit but didn't come up with anything that looked helpful. If someone could point me in the right direction, I'ld appreciate it. Lisa Casey
Lisa Casey wrote:
I am using freeradius. I currently have two realms setup in mu users file with fallthrough=yes for both of them since the usernames/passwords are also in the users file and I need to be able to match on those. Currently, if username johndoe logs in as johndoe@realm1.com he gets accepted. If he then logs in as johndoe@realm2.com he will also get accepted since freeradius looks at the users file (and the realms file) finds the realm is valid, then goes on down the users file, finds the username/password valid, thus accepting the login.
You have configured both realms to 'strip' the realm name. This means that after the realm matches, "johndoe" *is* the users name. Since you've done this for both realms, it means you've told the server that the unique user identifier is "johndoe", and not "johndoe@realm1.com". The solution is to *not* strip the realm name. You then have to go an update your users file entries to have the full name, including realm. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Lisa Casey