realms and local user file processing question

Michael Hare michael.hare at doit.wisc.edu
Mon Dec 18 19:50:08 CET 2006


Alan-

I did think of a way out of this: accomplish 'realmlike' functionality
with attr_rewrite, because the radius server I proxy to is under my
control as well.

user example: mdhare_(dept)


on 'master' radius server (one that all requests are proxied through)

        attr_rewrite force_username {
                attribute = User-Name
                searchin = packet
                searchfor = "_[a-z]+"
                replacewith = ""
                append = no
                new_attribute = no
                max_matches = 1
        }

My understanding is that the User-Name attribute will be rewritten by
the proxy for auth but the proxier will still match on the original.
Not very intuitive but easier than a server per realm.

-Michael

Michael Hare wrote:
> Alan-
> 
> Thanks for your time.
> 
>> When you're processing the "users" file after proxying, the user name
>> is the *stripped* name, i.e. without the realm.
> 
> Ok, this corresponds more with what I see than that wiki link I sent
> you.  When I supply the original username 'mdhare at test', entry #2 [see
> immediately below] is the one that matches after the proxy.
> 
> mdhare          Realm == "test"
>                 Framed-IP-Address = 146.151.211.254
> 
> mdhare
>                 Framed-IP-Address = 146.151.211.254
> 
> However, I'd like to provide a different Framed-IP-Address based on the
> supplied realm.  The goal that we are trying to implement is IP groups
> in a VPN server.  I'm trying to hammer this out with radius because I
> don't want a vendor specific solution.  Can you think of a creative way
> to provide a Framed-IP-Address on the local server based on realm with
> Freeradius 1.x code?  To be more specific, let's say that I belong to
> three departments.  I may have multiple logins 'mdhare at dept1',
> 'mdhare at dept2', and 'mdhare at dept3' that would hand back different IPs
> but auth with the same central DB.
> 
> It looks like I could set up a new radius server to proxy to for each
> individual realm [since I can guarantee unique username per realm] but
> that could be a LOT of realms [one for each dept that wants to
> participate, which may be dozens].
> 
>> That will change in 2.0, when it's released.  The "users" file should
>> ONLY be processed before proxying, not after.
> 
> When 2.0 comes out, will this mean that I will be able to match on the
> realm in the users file and provide the Framed-IP-Address with a format
> like the below?
> 
> mdhare at test
>                 Framed-IP-Address = 146.151.211.254
> 
>> Go back and read the "users" file.  The debug log shows it matching on
>> line 84, are you *sure* that the "mdhare" entries are before that?
> 
> I think that the match on line 84 of the debug was for the attrs filter.
>  I don't fully understand how this may be applicable to the question.
> Is there some interaction that I don't understand, or was your
> suggestion in error?
> 
> -Michael
> 

-- 
=======================W===
Michael Hare
UW-Madison + WiscNet Network Engineering
Desk:      608-262-5236
24 Hr Noc: 608-263-4188


