Authentication accept/deny based on realm
aland at deployingradius.com
Thu Jan 11 04:54:04 CET 2007
Lisa Casey wrote:
> I am using freeradius. I currently have two realms setup in mu users file
> with fallthrough=yes for both of them since the usernames/passwords are
> in the users file and I need to be able to match on those. Currently, if
> username johndoe logs in as johndoe at realm1.com he gets accepted. If he then
> logs in as johndoe at realm2.com he will also get accepted since freeradius
> looks at the users file (and the realms file) finds the realm is valid,
> goes on down the users file, finds the username/password valid, thus
> accepting the login.
You have configured both realms to 'strip' the realm name. This means
that after the realm matches, "johndoe" *is* the users name. Since
you've done this for both realms, it means you've told the server that
the unique user identifier is "johndoe", and not "johndoe at realm1.com".
The solution is to *not* strip the realm name. You then have to go an
update your users file entries to have the full name, including realm.
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
More information about the Freeradius-Users