Authentication accept/deny based on realm

Alan DeKok aland at
Thu Jan 11 04:54:04 CET 2007

Lisa Casey wrote:

> I am using  freeradius. I currently have two realms setup in mu users file
> with fallthrough=yes for both of them since the usernames/passwords are
> also
> in the users file and I need to be able to match on those. Currently, if
> username johndoe logs in as johndoe at he gets accepted. If he then
> logs in as johndoe at he will also get accepted since freeradius
> looks at the users file (and the realms file) finds the realm is valid,
> then
> goes on down the users file, finds the username/password valid, thus
> accepting the login.

  You have configured both realms to 'strip' the realm name.  This means
that after the realm matches, "johndoe" *is* the users name.  Since
you've done this for both realms, it means you've told the server that
the unique user identifier is "johndoe", and not "johndoe at".

  The solution is to *not* strip the realm name.  You then have to go an
update your users file entries to have the full name, including realm.

  Alan DeKok.
--       - The web site of the book - The blog

More information about the Freeradius-Users mailing list