Realm question..

TS tony at thewordzone.co.uk
Tue Apr 25 07:43:39 CEST 2006


>> Is there a way of getting radius to authenticate on the username before
>>the @ sign and ignore the realm?

>  Yes, but you have to edit the "users" file to get rid of the
>"@realm" portion, and configure the realms as LOCAL ones.

The object is not to have to configure any realms as local.
So that Radius will try to auth any realm that isn't to be proxied.
If I have a user whose username is user1@arealm.com I can easily specify
arealm.com as local. But if by mistake the user types the username as
user1@brealm.com auth will just fail because the realm isn't specified in
proxy.conf.


>  What does debugging mode say?


Exactly what you'd expect it to say if the realm isn't in proxy.conf:

#####
rad_recv: Access-Request packet from host 127.0.0.1:33499, id=115, length=68
        User-Name = "user1@arealm.com"
        User-Password = "acc355"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1645
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: Looking up realm "arealm.com" for User-Name = "user1@arealm.com"
    rlm_realm: No such realm "arealm.com"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 2
  modcall[authorize]: module "files" returns notfound for request 2
modcall: group authorize returns ok for request 2
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [user1@arealm.com/acc355] (from client localhost port 1645)
Delaying request 2 for 1 seconds
Finished request 2
######

The user doesn't exist as the entry in users just has the username as
"user1" and the request is sending user1@arealm.com.

I want radius to first check to see if the request needs to be proxied.
If not then authenticate it locally no matter what the realm is but before
authenticating it strip off the realm and just use everything before the @
sign as the username.


Tony
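
The routing requested in the message above, modelled as an added example that is not part of the original post and is not FreeRADIUS code: decide whether the realm is proxied first, otherwise strip everything from the last @ onward and authenticate locally. `PROXIED_REALMS`, `LOCAL_USERS`, the realm `partner.example` and its home-server address are constructed sample data; the user and password are the ones in the debug output.

```python
# Added illustration (not FreeRADIUS code): proxy check first, then
# strip the realm and authenticate locally, whatever the realm was.
import hmac

# Constructed sample data: realms that must be proxied, and the local users.
PROXIED_REALMS = {"partner.example": "radius.partner.example:1812"}
LOCAL_USERS = {"user1": "acc355"}


def split_realm(user_name):
    """Split on the last '@'; return (user, realm), realm is None if absent."""
    user, sep, realm = user_name.rpartition("@")
    if not sep:
        return user_name, None
    return user, realm.strip().lower()


def route(user_name):
    """Return ('proxy', home_server, name) or ('local', None, stripped_name)."""
    user, realm = split_realm(user_name)
    if realm in PROXIED_REALMS:
        # In this model a proxied request keeps its full User-Name.
        return "proxy", PROXIED_REALMS[realm], user_name
    if not user:
        raise ValueError("empty user part in %r" % user_name)
    # Any other realm (mistyped, unknown or missing) is handled locally.
    return "local", None, user


def authenticate(user_name, password):
    """Apply the proxy decision, then check the stripped name locally."""
    action, target, name = route(user_name)
    if action == "proxy":
        return "forward to " + target
    expected = LOCAL_USERS.get(name)
    ok = expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())
    return "Access-Accept" if ok else "Access-Reject"
```

With this behaviour every non-proxied realm collapses onto the same local account name, so user1@arealm.com and user1@brealm.com are the same user; that is only acceptable when local usernames are unique across all realms the NAS may send.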






