users file for NULL realm, LDAP for another
Phil Mayers
p.mayers at imperial.ac.uk
Fri Jul 21 13:27:15 CEST 2006
John Keimel wrote:
> I have two Freeradius servers, one of which authenticates MAC addresses
> for wireless, the other usernames at myrealm.com for some other network
> access.
>
> I'd like to combine the two of them into one server. If the username
> comes through without a realm (a MAC address) I'd like it to check the
> users file. If it comes through with a realm, just check LDAP. If the
> MAC address fails, it should never ever check LDAP. That just beats up
> the LDAP server and the LDAP admin yells (with good reason!).
Use Autz-Type and a 2nd files module, like so:

    modules {
        files {
            usersfile = ${confdir}/users
        }
        files files2 {
            usersfile = ${confdir}/users2
        }
        ldap {
            ...
        }
    }

    authorize {
        preprocess
        files
        Autz-Type MAC {
            files2
        }
        Autz-Type USER {
            ldap
        }
    }

in ${confdir}/users:

    DEFAULT User-Name =~ ".*@myrealm.com", Autz-Type := USER
    DEFAULT Autz-Type := MAC

in ${confdir}/users2:

    00-11-22-33-44-55 Whatever-Attributes == "somevalue"
            Reply-Attribute-1 = foo,
            Reply-Attribute-2 = bar
> Should I be looking to do this just in the radiusd.conf? Or should I be
> attempting to mangle some kind of proxy arrangement? Would anyone care
> to share any sample configs for such a thing? It looks to me like there
> may be several ways to do this and I'd like to spend the time building
> up the best method. Proxy? Autz-type?
Autz-Type
Proxy is really intended for if you're going to send the request on
somewhere else. It *can* strip the username, but there are easier ways
to do it.
You could also configure a huntgroup based on various attributes, e.g.

${confdir}/huntgroups:

    ethernet    NAS-Port-Type == Ethernet
    vpn         NAS-Port-Type == Async, NAS-IP-Address == my.vpn.server.ip

${confdir}/users:

    DEFAULT Huntgroup-Name == "ethernet", Autz-Type := MAC
    DEFAULT Huntgroup-Name == "vpn", Autz-Type := USER

...and so on
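The following is an added Python model of the dispatch described in the reply above; it is not code from the post and not part of FreeRADIUS. It parses the small subset of users-file syntax shown (entry name plus check items on the first line, indented reply items after it; no Fall-Through or += handling), applies the first-match rule of the files module, and then runs only the Autz-Type branch that ${confdir}/users selected. The FakeLdap class, the sample request attributes and the bob@myrealm.com account are constructed for the example; the call counter on FakeLdap is there to check the requirement that a MAC address which is not in users2 never causes an LDAP query.

```python
import re

# Constructed sample files in the format shown in the post (not taken from any real server).
USERS = '''\
DEFAULT User-Name =~ ".*@myrealm.com", Autz-Type := USER
DEFAULT Autz-Type := MAC
'''
USERS2 = '''\
00-11-22-33-44-55 Whatever-Attributes == "somevalue"
        Reply-Attribute-1 = foo,
        Reply-Attribute-2 = bar
'''

# One item: attribute, operator, value (quoted or bare). Longer operators come first
# in the alternation so ':=' and '=~' are not mis-read as '='.
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=~|!=|=)\s*("[^"]*"|[^,\s]+)')


def parse_items(text):
    """'A == "x", B := y'  ->  [('A', '==', 'x'), ('B', ':=', 'y')]"""
    return [(attr, op, val.strip('"')) for attr, op, val in ITEM_RE.findall(text)]


def parse_users_file(text):
    """Minimal reader for the users-file subset above: a non-indented line carries the
    entry name and its check items; indented lines that follow carry reply items."""
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] not in ' \t':
            name, _, rest = raw.partition(' ')
            current = {'name': name, 'check': parse_items(rest), 'reply': []}
            entries.append(current)
        elif current is not None:
            current['reply'].extend(parse_items(raw))
    return entries


def entry_matches(entry, request):
    """Only '==', '!=' and '=~' are conditions; ':=' is an assignment applied after a match."""
    for attr, op, value in entry['check']:
        actual = request.get(attr)
        if op == '==' and actual != value:
            return False
        if op == '!=' and actual == value:
            return False
        if op == '=~' and (actual is None or re.match(value, actual) is None):
            return False
    return True


def files_authorize(entries, request):
    """First-match semantics of the files module: returns (control, reply) or None."""
    for entry in entries:
        if entry['name'] != 'DEFAULT' and entry['name'] != request.get('User-Name'):
            continue
        if not entry_matches(entry, request):
            continue
        control = {a: v for a, op, v in entry['check'] if op == ':='}
        reply = {a: v for a, _, v in entry['reply']}
        return control, reply
    return None


class FakeLdap:
    """Stand-in for the ldap module (assumed, not the real one); counts calls so the
    requirement 'a failed MAC lookup never reaches LDAP' can be checked."""
    def __init__(self, known_users):
        self.known_users, self.calls = set(known_users), 0

    def authorize(self, request):
        self.calls += 1
        return 'ok' if request.get('User-Name') in self.known_users else 'notfound'


def authorize(request, users, users2, ldap):
    """Mirror of the authorize {} section in the post: 'files' sets Autz-Type from
    ${confdir}/users, then exactly one Autz-Type sub-section runs."""
    first = files_authorize(users, request)
    autz = first[0].get('Autz-Type') if first else None
    if autz == 'USER':
        return 'ldap', ldap.authorize(request)
    if autz == 'MAC':
        hit = files_authorize(users2, request)
        return 'files2', ('ok' if hit else 'notfound')
    return 'none', 'reject'


if __name__ == '__main__':
    users, users2 = parse_users_file(USERS), parse_users_file(USERS2)
    ldap = FakeLdap({'bob@myrealm.com'})
    for req in ({'User-Name': 'bob@myrealm.com'},
                {'User-Name': '00-11-22-33-44-55', 'Whatever-Attributes': 'somevalue'},
                {'User-Name': '00-de-ad-be-ef-00'}):
        print(req['User-Name'], '->', authorize(req, users, users2, ldap))
    print('LDAP queries:', ldap.calls)
```

Running it shows the realm user going to LDAP, the known MAC being answered from users2, and the unknown MAC being rejected by files2 with the LDAP counter still at one, which is the behaviour the two DEFAULT lines in ${confdir}/users are meant to guarantee.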