Authenticate users from 3 realms in one MySQL database

Scott Lambert lambert at lambertfam.org
Tue Aug 14 08:24:15 CEST 2007


On Mon, Aug 13, 2007 at 11:48:06PM -0500, Scott Lambert wrote:
> I am attempting to build a setup which authenticates users from 3 realms
> in one MySQL database.  Some of my users, actually a large proportion of
> them, are currently not using their realm to authenticate.  I am about
> to merge the dial pools so I won't be able to use huntgroups or hints to
> figure out which realm they are coming from.
> 
> I am trying to use the new unlang option to avoid writing an rlm_perl
> type script.
> 
> FreeRADIUS-snapshot-20070813
> 
> I don't know if any of this is "legal".  I'm using one sql module.  I
> just call it once for each realm after changing the %{User-Name} to
> append that realm.  It just looked like it might work so I tried it.
> The debug output makes it look like I am very close.  I haven't been
> able to figure out exactly what is wrong with it, yet.
> 
> The failure happens in rlm_pap when the user does not specify a realm.
> I don't see the cause of the failure in the debug output.  I'm probably
> not interpreting the output correctly.

<snip>
 
> Here are the authentication tests. 
> 
> lambert at sysmon ~
> 22:30:33 Mon Aug 13 $ radtest lambert at example3.net password1 radtest.example1.net 2 blahblah 2
> Sending Access-Request of id 82 to radtest.example1.net port 1645
>         User-Name = "lambert at example3.net"
>         User-Password = "password1"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 2
>         Framed-Protocol = PPP
> rad_recv: Access-Accept packet from host radtest.example1.net:1645, id=82, length=32
>         Framed-Protocol = PPP
>         Framed-Compression = Van-Jacobson-TCP-IP
> 
> lambert at sysmon ~
> 22:33:43 Mon Aug 13 $ radtest lambert password1 radtest.example1.net 2 blahblah 2
> Sending Access-Request of id 99 to radtest.example1.net port 1645
>         User-Name = "lambert"
>         User-Password = "password1"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 2
>         Framed-Protocol = PPP
> rad_recv: Access-Reject packet from host radtest.example1.net:1645, id=99, length=20

<snip> 

Something odd is going on.  I finally got the idea into my head to
test with usernames other than mine.  I have now tried several other
usernames.  They have all worked with and without specifying the realm.
Yea!

I am very confused as to why my account is apparently the only one
failing when authenticating without the realm.  With the realm, my
account works.

lambert at sysmon ~
01:01:06 Tue Aug 14 $ radtest ronnie at example3.net bla4848 radtest.example1.net 2 blahblah 2
Sending Access-Request of id 182 to radtest.example1.net port 1645
        User-Name = "ronnie at example3.net"
        User-Password = "bla4848"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 2
        Framed-Protocol = PPP
rad_recv: Access-Accept packet from host radtest.example1.net:1645, id=182, length=32
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP

lambert at sysmon ~
01:01:17 Tue Aug 14 $ radtest ronnie bla4848 radtest.example1.net 2 blahblah 2
Sending Access-Request of id 202 to radtest.example1.net port 1645
        User-Name = "ronnie"
        User-Password = "bla4848"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 2
        Framed-Protocol = PPP
rad_recv: Access-Accept packet from host radtest.example1.net:1645, id=202, length=32
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert at lambertfam.org
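The approach described in this thread, looking a bare User-Name up once per realm after appending each realm in turn, is easy to model outside the server, and doing so shows the one check worth running before merging dial pools: whether any local part exists under more than one realm, because a first-match fallback then depends purely on realm order. The following is an added example, not the poster's unlang configuration or any FreeRADIUS code; it stands in sqlite3 for MySQL so it runs offline, the radcheck rows and realm order are constructed sample data, and the duplicate "lambert" entry is an assumption made for illustration, not a finding about the poster's database.

```python
import sqlite3

# Constructed: realm order tried for a User-Name that carries no realm.
REALMS = ["example1.net", "example2.net", "example3.net"]

# Constructed sample rows mirroring the radcheck layout (username, attribute, op, value).
# The two "lambert" rows are the assumed collision case, not data from the thread.
SAMPLE_RADCHECK = [
    ("ronnie@example3.net", "Cleartext-Password", ":=", "bla4848"),
    ("alice@example1.net", "Cleartext-Password", ":=", "s3cret"),
    ("lambert@example1.net", "Cleartext-Password", ":=", "otherpass"),
    ("lambert@example3.net", "Cleartext-Password", ":=", "password1"),
]


def build_db():
    """In-memory sqlite3 database standing in for the MySQL radcheck table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radcheck (username TEXT, attribute TEXT, op TEXT, value TEXT)"
    )
    conn.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?)", SAMPLE_RADCHECK)
    return conn


def lookup(conn, username):
    """Exact-username lookup, like one call of the sql module; None if absent."""
    row = conn.execute(
        "SELECT value FROM radcheck "
        "WHERE username = ? AND attribute = 'Cleartext-Password'",
        (username,),
    ).fetchone()
    return row[0] if row else None


def authorize(conn, user_name):
    """One sql lookup per realm with User-Name rewritten each time.

    A User-Name that already carries a realm is looked up as-is. A bare one is
    tried as user@realm for each realm in REALMS order; the first hit wins.
    Returns (matched_username, stored_password) or (None, None).
    """
    if "@" in user_name:
        pw = lookup(conn, user_name)
        return (user_name, pw) if pw is not None else (None, None)
    for realm in REALMS:
        candidate = f"{user_name}@{realm}"
        pw = lookup(conn, candidate)
        if pw is not None:
            return candidate, pw
    return None, None


def authenticate(conn, user_name, user_password):
    """PAP-style decision on whichever entry authorize() selected."""
    _, stored = authorize(conn, user_name)
    if stored is None or stored != user_password:
        return "Access-Reject"
    return "Access-Accept"


def ambiguous_local_parts(conn):
    """Local parts present under more than one realm.

    For these users a bare User-Name resolves by realm order alone, so the
    same password can be accepted with the realm and rejected without it.
    """
    rows = conn.execute(
        "SELECT substr(username, 1, instr(username, '@') - 1) AS local_part, "
        "COUNT(DISTINCT username) AS n "
        "FROM radcheck WHERE instr(username, '@') > 0 "
        "GROUP BY local_part HAVING n > 1"
    ).fetchall()
    return sorted(local for local, _ in rows)


if __name__ == "__main__":
    db = build_db()
    for name, pw in [("ronnie@example3.net", "bla4848"), ("ronnie", "bla4848"),
                     ("lambert@example3.net", "password1"), ("lambert", "password1")]:
        print(f"{name:22} -> {authenticate(db, name, pw)}")
    print("ambiguous local parts:", ambiguous_local_parts(db))
```

Running the block as a script prints Access-Accept for both forms of "ronnie", Access-Accept for "lambert@example3.net", and Access-Reject for bare "lambert" (the first realm tried holds a different password), then lists "lambert" as the ambiguous local part. Against a real MySQL radcheck table the same GROUP BY query, with MySQL's SUBSTRING_INDEX(username, '@', 1) in place of the sqlite3 substr/instr pair, is the pre-merge check a practitioner would run.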
