Realms allowed to some huntgroup
Walter Reynolds
waltr at umich.edu
Tue Mar 7 17:29:33 CET 2006
I am not quite finding the setup I am looking for and hope someone can
point me to the files I should be updating.
Currently I am running version 1.0.4
Hopefully I can describe what I want to do and you can let me know if it
is doable, and if so what files I should modify.
I have questions.
1. How can I authenticate realms differently?
2. Can I set up logging based on Realm?
I will simplify this and say we have two service types I want to
authenticate.
1. Wireless
2. VPN
I currently have Wireless and VPN set up so we do some proxy. If a user
signs in with either the following they can log in:
waltr - no domain (uses NULL realm to authhost = local in proxy.conf)
waltr at xxx.edu - xxx.edu domain has realm defined and proxies to
remote radius server at other campus
Well this works and Wireless and VPN can sign in. The thing is I want
wireless to work this way, but I want VPN to only work with no domain
logins.
But how do I define a domain/realm to a group so I can put that into the
huntgroup file?
We are currently using Merit radius and it works this way (I am adding
this for example only)
Clients.conf (using old style for clarity)
===========================
#Clients Name       Key             [type]            [version] [prefix]
#----------------   --------------- ---------------   --------- --------
# iLab Radius servers
vpn.xxx.edu         secretvpn       type=Merit:PROXY            vpn
wirelessAP1.xxx.edu secretwireless  type=PROXY                  wireless
wirelessAP2.xxx.edu secretwireless  type=PROXY                  wireless
============================
The prefix would tell it to use a specific users file and authfile. So I
have the following 4 files:
vpn.users
vpn.authfile
wireless.users
wireless.authfile
With those files I can have users connecting to wireless clients (i.e.
huntgroup) go to a specific user and authfile. I can set the vpn service
to authenticate Null realms and drop all others while at the same time I
can set wireless to authenticate Null locally and proxy the defined realms
to another radius server.
Question number two is can I separate the accounting for the realms to
different logfiles?
-- Walter Reynolds
University of Michigan
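
The behaviour described in the post above, as an added example that is not part of the original message and is not Merit or FreeRADIUS code: a Python model that parses the old-style clients table and applies a per-prefix realm policy. The POLICY table, the function names, and the choice to reject undefined realms and unknown clients are assumptions made for illustration.

```python
# Constructed model of the per-client realm policy described in the post.
# Not Merit or FreeRADIUS code; POLICY and all function names are hypothetical.

CLIENTS_TEXT = """\
#Clients Name Key [type] [version] [prefix]
# iLab Radius servers
vpn.xxx.edu secretvpn type=Merit:PROXY vpn
wirelessAP1.xxx.edu secretwireless type=PROXY wireless
wirelessAP2.xxx.edu secretwireless type=PROXY wireless
"""

# Per-prefix policy (assumption): realm -> action; "*" covers any other realm.
# "NULL" stands for a login with no domain part.
POLICY = {
    "vpn":      {"NULL": "local", "*": "reject"},
    "wireless": {"NULL": "local", "xxx.edu": "proxy", "*": "reject"},
}


def parse_clients(text):
    """Map client name -> prefix, taking the last field of each entry as the prefix."""
    clients = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:  # name, key, type and prefix are all required here
            raise ValueError(f"malformed client entry: {line!r}")
        clients[fields[0].lower()] = fields[-1]
    return clients


def split_realm(username):
    """Return (user, realm); a name without '@' is in the NULL realm."""
    user, sep, realm = username.rpartition("@")
    if not sep:
        return username, "NULL"
    return user, realm.lower()  # an empty realm ("user@") matches no rule


def decide(clients, client_name, username):
    """Return (action, users_file) for a request arriving from client_name."""
    prefix = clients.get(client_name.lower())
    if prefix is None or prefix not in POLICY:
        return "reject", None  # unknown client: fail closed
    _, realm = split_realm(username)
    rules = POLICY[prefix]
    return rules.get(realm, rules["*"]), f"{prefix}.users"
```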