realms and local user file processing question

Michael Hare michael.hare at doit.wisc.edu
Mon Dec 18 19:35:56 CET 2006 

Alan-

Thanks for your time.

>When you're processing the "users" file after proxying, the user name
>is the *stripped* name, i.e. without the realm.

Ok, this corresponds more with what I see than that wiki link I sent
you.  When I supply the original username 'mdhare at test', entry #2 [see
immediately below] is the one that matches after the proxy.

mdhare          Realm == "test"
                Framed-IP-Address = 146.151.211.254

mdhare
                Framed-IP-Address = 146.151.211.254

However, I'd like to provide a different Framed-IP-Address based on the
supplied realm.  The goal that we are trying to implement are IP groups
in a VPN server.  I'm trying to hammer this out with radius because I
don't want a vendor specific solution.  Can you think of a creative way
to provide a Framed-IP-Address on the local server based on realm with
Freeradius 1.x code?  To be more specific, lets say that I belong to
three departments.  I may have multiple logins 'mdhare at dept1',
'mdhare at dept2', and 'mdhare at dept3' that would hand back different IPs
but auth with the same central DB.

It looks like I could setup a new radius server to proxy to for each
individual realm [since I can guarantee unique username per realm] but
that could be a LOT of realms [one for each dept that wants to
participate, which may be dozens].

>That will change in 2.0, when it's released.  The "users" file should
>ONLY be processed before proxying, not after.

When 2.0 comes out, will this mean that I will be able to match on the
realm in the users file and provide the Framed-IP-Address with a format
like the below?

mdhare at test
                Framed-IP-Address = 146.151.211.254

>Go back and read the "users" file.  The debug log shows it matching on
>line 84, are you *sure* that the "mdhare" entries are before that?

I think that the match on line 84 of the debug was for the attrs filter.
 I don't fully understand how this may be applicable to the question.
Is there some interaction that I don't understand, or was your
suggestion in err?

-Michael

-- 
=======================W===
Michael Hare
UW-Madison + WiscNet Network Engineering
Desk:      608-262-5236
24 Hr Noc: 608-263-4188

More information about the Freeradius-Users mailing list