Authenticate users from multiple realms on the same NAS
Scott Lambert
lambert at lambertfam.org
Fri Aug 11 07:41:13 CEST 2006
On Thu, Aug 10, 2006 at 05:26:39PM -0400, Alan DeKok wrote:
> Scott Lambert <lambert at lambertfam.org> wrote:
> > I need to merge dial-up numbers and bring the DSL aggregation together
> > in order to reduce costs. That means, I will have potentially three
> > users with the username of "bob" trying to login on the same NAS box
> > with no way to tell which one they are other than the password the user
> > supplies. The NAS address and everything else I can think of will be
> > the same for all users. (we lack caller-id features).
>
> Yuck.
>
> > Is it possible to setup radius to authenticate these users? I'm willing
> > to switch RADIUS servers if someone has a nifty module that makes magic
> > happen.
>
> If your users are in LDAP, it's actually pretty easy, so long as
> they're all doing PAP authentication. FreeRADIUS has the ability to
> run multiple modules, depending on the return codes from a module.
> See doc/configurable_failover.
>
> The short answer is that if you have 3 LDAP databases, you can do
> something like:
>
> authenticate {
>     ...
>     Auth-Type any_is_ok {
>         ldap1 {
>             ...
>         }
>         ...
>         ldap3
>     }
>     ...
> }
>
> This says "if they're not found in LDAP1, or if their password is
> wrong, try LDAP2, or try LDAP3".
That looks very cool.
> If your users aren't in LDAP, the same kind of thing can be done
> with another module, but it's a little more work.
Actually, I have one set of users in password files, one in msql, and
one in MS SQL.
I was thinking about putting everything into mysql/postgresql databases.
--
Scott Lambert KC5MLE Unix SysAdmin
lambert at lambertfam.org
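Alan's sketch above written out as a complete FreeRADIUS 1.x configuration fragment. This is an added example, not code from the thread or from the FreeRADIUS project; the instance names ldap1..ldap3, the server hostnames, base DNs and the Auth-Type name any_is_ok are assumptions. The per-module actions are the "configurable failover" syntax from doc/configurable_failover: a numeric action records that module's result and carries on to the next module in the list, while `return` stops the list with that result.

```conf
# Added example (not from the thread or the FreeRADIUS docs): one username,
# three directories, tried in order. FreeRADIUS 1.x syntax; the names,
# servers and base DNs below are assumptions.

modules {
	ldap ldap1 {
		server = "ldap-dialup.example.net"        # assumed hostname
		basedn = "ou=dialup,dc=example,dc=net"    # assumed base DN
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		# No identity/password: rlm_ldap binds *as the user* with the
		# cleartext User-Password, which is why this only works for PAP.
	}
	ldap ldap2 {
		server = "ldap-dsl.example.net"
		basedn = "ou=dsl,dc=example,dc=net"
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	}
	ldap ldap3 {
		server = "ldap-hosting.example.net"
		basedn = "ou=hosting,dc=example,dc=net"
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	}
}

authorize {
	preprocess
	files     # the users file entry below forces Auth-Type := any_is_ok
}

authenticate {
	Auth-Type any_is_ok {
		ldap1 {
			ok       = return   # bound as this bob in directory 1: accept
			updated  = return
			notfound = 1        # no bob here: try the next directory
			reject   = 1        # bob exists but bind failed: try the next one
			fail     = 1        # directory unreachable: try the next one
		}
		ldap2 {
			ok       = return
			updated  = return
			notfound = 1
			reject   = 1
			fail     = 1
		}
		ldap3   # last resort; its result (ok or reject) is the final answer
	}
}

# raddb/users (separate file): route every request into the list above.
# DEFAULT   Auth-Type := any_is_ok
```

Two things to keep in mind when running it this way. First, because every request is tried against all three directories in order, a single password guess for "bob" is really a guess against three accounts, so any lockout or brute-force alerting has to be applied per NAS request, not per directory. Second, the first directory that accepts the password wins: if two of the "bob"s happen to share a password, whichever of them sits in the earlier directory gets the session attributes of that account, so ordering the list and keeping the per-realm users distinct matters.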