realms and local user file processing question

Alan DeKok aland at deployingradius.com
Tue Dec 19 20:37:16 CET 2006


Michael Hare wrote:

> However, I'd like to provide a different Framed-IP-Address based on the
> supplied realm.  The goal that we are trying to implement is IP groups
> in a VPN server.  I'm trying to hammer this out with radius because I
> don't want a vendor-specific solution.  Can you think of a creative way
> to provide a Framed-IP-Address on the local server based on realm with
> Freeradius 1.x code?  To be more specific, let's say that I belong to
> three departments.  I may have multiple logins 'mdhare at dept1',
> 'mdhare at dept2', and 'mdhare at dept3' that would hand back different IPs
> but auth with the same central DB.

  Are they all the same user?  If so, separate the authentication from
the realm.  Part of the problem you're running into is that you're trying
to implement realms by proxying, which just isn't necessary.  See the
LOCAL configuration in proxy.conf for details.

  And if most of what you're doing is mapping User-Name to IP, use
rlm_passwd, which is much simpler than the "users" file.  It won't care
about realms, so you can configure it to use User-Name as a key, and
return Framed-IP-Address.  The User-Name will then be the full username,
which is what you want.

> It looks like I could setup a new radius server to proxy to for each
> individual realm [since I can guarantee unique username per realm] but
> that could be a LOT of realms [one for each dept that wants to
> participate, which may be dozens].

  No.  There's NO need to do that.  One server can do it all.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
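The two pieces Alan points at, a LOCAL realm in proxy.conf and an rlm_passwd instance keyed on the full User-Name, look like this in FreeRADIUS 1.x syntax. This is an added illustration for this thread, not configuration posted by either author and not the project's shipped example files. The realm names dept1 and dept2, the instance name framedip, the file path ${confdir}/framedip, the addresses in the map file, and the sql module in the authorize list are all assumptions made up for the example; the directive names and the "*" / "~" field markers are rlm_passwd's own.

```conf
# --- proxy.conf -------------------------------------------------------------
# One realm per department, every one of them handled on this server.
# No proxying: authhost/accthost = LOCAL means the request is processed
# here, the realm module just records which realm was seen.
realm dept1 {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}
realm dept2 {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}
# ... one such block per participating department.

# --- radiusd.conf, inside modules { ... } -----------------------------------
# rlm_passwd instance mapping the FULL User-Name to a Framed-IP-Address.
# In the format string "*" marks the key field and "~" marks a field that
# is added to the reply items.  The realm module leaves User-Name intact
# (it only sets Stripped-User-Name), so "mdhare@dept1" and "mdhare@dept2"
# are distinct keys.
passwd framedip {
    filename          = ${confdir}/framedip   # assumed path, see file below
    format            = "*User-Name:~Framed-IP-Address"
    delimiter         = ":"
    hashsize          = 100
    allowmultiplekeys = no                    # one line per full username
    ignorenislike     = yes
}

# --- radiusd.conf, authorize section ----------------------------------------
# "suffix" (the realm module) runs first so a request for an unknown realm
# is rejected before any IP is looked up; "framedip" only adds the reply
# item; authentication still comes from the central DB ("sql" is assumed).
authorize {
    preprocess
    suffix
    framedip
    sql
}

# --- ${confdir}/framedip (constructed sample data) --------------------------
# <full User-Name>:<Framed-IP-Address>
# mdhare@dept1:10.10.1.5
# mdhare@dept2:10.10.2.5
# mdhare@dept3:10.10.3.5
```

Two things worth checking after putting this in place: run the server in debug mode and confirm that a request for mdhare@dept2 shows the realm module matching "dept2", then framedip adding Framed-IP-Address = 10.10.2.5 to the reply, and that a request for a username not in the file still authenticates but gets no Framed-IP-Address (the VPN server then falls back to its own pool). Because the IP map is a flat file read by the server, protect it like the rest of the configuration; anyone who can edit it can move a user into another department's address group without touching the central database.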