authenticating with realm null only in one NAS
rgreiner
mrgreiner at gmail.com
Mon Feb 25 15:49:05 CET 2008
I need to configure freeradius to allow NULL realms only from one or
two NAS, and all the others must have a realm in the login. What would be
the best way to do this?
(using freeradius 2.0.2, on a Debian etch platform.)
I tried to add the following in the Users file:
DEFAULT NAS-IP-Address=="1.2.3.4", Proxy-To-Realm := "realm1.com"
DEFAULT NAS-IP-Address=="1.2.3.5", Proxy-To-Realm := "realm1.com"
DEFAULT Realm == NULL, Auth-Type := Reject
        Fall-Through = 1
In proxy.conf, I added the following entry at end of the file:
realm realm1.com {
        pool = my_auth_failover
#       nostrip
}
(I left the example entries from the file enabled.)
freeradius -X displays:
In this entry, I did not use a realm in the login, but it still connected.
Any ideas on what would be the best way to configure this?
rad_recv: Access-Request packet from host 1.2.3.6 port 2890, id=10,
length=48
User-Name = "user1"
User-Password = "pass1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
expand: %{User-Name} -> user1
rlm_sql (sql): sql_set_user escaped user --> 'user1'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'rgreiner' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'rgreiner' ORDER BY id
expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
SELECT groupname FROM radusergroup WHERE username =
'rgreiner' ORDER BY priority
expand: SELECT id, groupname, attribute, Value,
op FROM radgroupcheck WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, Value, op FROM radgroupcheck
WHERE groupname = 'dynamic' ORDER BY id
rlm_sql (sql): User found in group dynamic
expand: SELECT id, groupname, attribute, value,
op FROM radgroupreply WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, value, op FROM radgroupreply
WHERE groupname = 'dynamic' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "pass1"
rlm_pap: Using CRYPT encryption.
rlm_pap: User authenticated successfully
++[pap] returns ok
+- entering group session
++[sql] returns noop
Login OK: [user1/pass1] (from client dsu24 port 0)
Sending Access-Accept of id 10 to 1.2.3.6 port 2890
Framed-Protocol := PPP
Service-Type := Framed-User
Framed-MTU := 1500
Session-Timeout := 86400
Framed-Compression := Van-Jacobson-TCP-IP
Framed-Address := 255.255.255.254
Framed-Netmask := 255.255.255.0
Idle-Timeout := 3600
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
Waking up in 3.9 seconds.
Cleaning up request 0 ID 10 with timestamp +6
Ready to process requests.
Thank you very much,
Marcos Roberto Greiner
--
-----------------------------------------------------
Marcos Roberto Greiner
Optimists believe we are in the best of all worlds
Pessimists fear that this is true
Murphy
-----------------------------------------------------
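An added check, not part of the original post or of FreeRADIUS: it reads `freeradius -X` output in the format shown above and reports every realm-less login that was accepted from a host outside the allow list, which is the policy the post asks for. It assumes the packet source host identifies the NAS (the request shown carries no NAS-IP-Address attribute); `audit`, `ALLOWED_NULL_REALM_NAS` and the sample lines are constructed for this example.

```python
import re

# Assumption: these are the only NASes allowed to send realm-less logins
# (the two addresses in the post's users file).
ALLOWED_NULL_REALM_NAS = {"1.2.3.4", "1.2.3.5"}

RECV = re.compile(r"rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
USER = re.compile(r'^\s*User-Name = "([^"]*)"')
SEND = re.compile(r"Sending (Access-\w+) of id (\d+) to (\S+)")

def audit(debug_lines, allowed=ALLOWED_NULL_REALM_NAS):
    """Return (source_host, user) for each realm-less login accepted
    from a host outside the allow list."""
    pending = {}      # (host, packet id) -> User-Name of the open request
    current = None    # request whose attribute list is being read
    violations = []
    for line in debug_lines:
        if m := RECV.search(line):
            current = (m.group(2), m.group(3)) if m.group(1) == "Access-Request" else None
        elif current and (m := USER.match(line)):
            pending[current] = m.group(1)
            current = None
        elif m := SEND.search(line):
            reply, host = m.group(1), m.group(3)
            user = pending.pop((host, m.group(2)), None)
            # The debug output shows rlm_realm mapping a name without '@' to realm NULL.
            if (reply == "Access-Accept" and user is not None
                    and "@" not in user and host not in allowed):
                violations.append((host, user))
    return violations

# Constructed sample in the format of the debug output above.
SAMPLE = """\
rad_recv: Access-Request packet from host 1.2.3.6 port 2890, id=10, length=48
        User-Name = "user1"
        User-Password = "pass1"
Sending Access-Accept of id 10 to 1.2.3.6 port 2890
rad_recv: Access-Request packet from host 1.2.3.4 port 2891, id=11, length=48
        User-Name = "user2"
Sending Access-Accept of id 11 to 1.2.3.4 port 2891
rad_recv: Access-Request packet from host 1.2.3.6 port 2892, id=12, length=58
        User-Name = "user3@realm1.com"
Sending Access-Accept of id 12 to 1.2.3.6 port 2892
rad_recv: Access-Request packet from host 1.2.3.7 port 2893, id=13, length=48
        User-Name = "user4"
Sending Access-Reject of id 13 to 1.2.3.7 port 2893
"""

if __name__ == "__main__":
    for host, user in audit(SAMPLE.splitlines()):
        print(f"realm-less accept outside allow list: {user} from {host}")
```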