Authenticate users from multiple realms on the same NAS

Scott Lambert lambert at
Fri Aug 11 07:41:13 CEST 2006

On Thu, Aug 10, 2006 at 05:26:39PM -0400, Alan DeKok wrote:
> Scott Lambert <lambert at> wrote:
> > I need to merge dial-up numbers and bring the DSL aggregation together
> > in order to reduce costs.  That means, I will have potentially three
> > users with the username of "bob" trying to login on the same NAS box
> > with no way to tell which one they are other than the password the user
> > supplies.  The NAS address and everything else I can think of will be
> > the same for all users. (we lack caller-id features).
>   Yuck.
> > Is it possible to setup radius to authenticate these users?  I'm willing
> > to switch RADIUS servers if someone has a nifty module that makes magic
> > happen.
>   If your users are in LDAP, it's actually pretty easy, so long as
> they're all doing PAP authentication.  FreeRADIUS has the ability to
> run multiple modules, depending on the return codes from a module.
> See doc/configurable_failover.
>   The short answer is that if you have 3 LDAP databases, you can do
> something like:
> authenticate {
>   ...
>   Auth-Type any_is_ok {
> 	    ldap1 {
> 	    }
> 	    ldap3 
>   }
>   ...
> }
>   This says "if they're not found in LDAP1, or if their password is
> wrong, try LDAP2, or try LDAP3".

That looks very cool.
>   If your users aren't in LDAP, the same kind of thing can be done
> with another module, but it's a little more work.

Actually, I have one set of users in password files, one in msql, and
one in MS SQL.

I was thinking about putting everything into mysql/postgresql databases.
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert at

More information about the Freeradius-Users mailing list