Authenticate users from multiple realms on the same NAS

Alan DeKok aland at
Thu Aug 10 23:26:39 CEST 2006

Scott Lambert <lambert at> wrote:
> I've been using GNU-RADIUS and asked this question on the GNU-RADIUS
> list last week but didn't get any responses.

  They haven't had a release for 2 years now...

> I need to merge dial-up numbers and bring the DSL aggregation together
> in order to reduce costs.  That means, I will have potentially three
> users with the username of "bob" trying to login on the same NAS box
> with no way to tell which one they are other than the password the user
> supplies.  The NAS address and everything else I can think of will be
> the same for all users. (we lack caller-id features).


> Is it possible to setup radius to authenticate these users?  I'm willing
> to switch RADIUS servers if someone has a nifty module that makes magic
> happen.

  If your users are in LDAP, it's actually pretty easy, so long as
they're all doing PAP authentication.  FreeRADIUS has the ability to
run multiple modules, depending on the return codes from a module.
See doc/configurable_failover.

  The short answer is that if you have 3 LDAP databases, you can do
something like:

authenticate {
  Auth-Type any_is_ok {
	    ldap1 {
		  reject = 1
		  notfound = 2
		  ok = return
	    ldap2 {
		  reject = 1
		  notfound = 2
		  ok = return


  This says "if they're not found in LDAP1, or if their password is
wrong, try LDAP2, or try LDAP3".

  If your users aren't in LDAP, the same kind of thing can be done
with another module, but it's a little more work.

  Alan DeKok.
--       - The web site of the book - The blog

More information about the Freeradius-Users mailing list