How to cut the realm from a username before it is sent to authenticate against ldap with ttls/pap
Ivan Kalik
tnt at kalik.net
Thu Jul 17 01:29:33 CEST 2008
>1. How could I get a username/password authenticated against ldap
>without its realm if there is one (i.e. cut away the realm @something.ca)?
ldap filter is set up to use Stripped_user_Name by default. If realm is
defined this will work. If it's an unknown realm it won't be stripped.
>I used Freeradius 2.0.5. We need this to see if:
> * A user is a home user and logs in from home NAS/AP (in this case he
>may not use any realm at all)
That works by default.
> * or a user is a home user but logs in from other college/university
>and proxied home by our upper eduroam proxy server at the guest
>college/university
Configure your realm as a local realm in proxy.conf.
> * or a user is a roaming user from other college/university and we
>need to proxy the request to the upper eduroam radius server and finally
>back to his home
> college/university for authenticating.
Use DEFAULT realm in proxy.conf to send users from unknown realms to
"upper eduroam radius server".
>2. How could I get the client IP addresses to fill the "framedipaddress"
>field in the table raddacc?
>I used mysql as my accounting DB and the client ip addresses assigned by
>a dhcp server sitting in the LAN/VLAN.
>Now the field "framedipaddress" or "client-ip_address" is empty.
Your AP is most likely sending the accounting Start packet before the user
gets the IP address assigned. Delay sending of the Start packet for a
few seconds (if there is such a setting) or use accounting updates.
Ivan Kalik
Kalik Informatika ISP
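
The proxy.conf layout the reply describes, written out as an added example (not part of the original message or of the FreeRADIUS distribution). The home server name, pool name, address 192.0.2.10 and the secret are constructed placeholders; `nostrip` on the DEFAULT realm and the explicit NULL realm are assumptions about what an eduroam site would want.

```conf
# proxy.conf (FreeRADIUS 2.x syntax)

# Upstream eduroam proxy. Name, address and secret are placeholders.
home_server eduroam_upstream {
        type = auth
        ipaddr = 192.0.2.10
        port = 1812
        secret = CHANGE_ME
}

home_server_pool eduroam_pool {
        type = fail-over
        home_server = eduroam_upstream
}

# Local realm: no pool is listed, so requests for user@something.ca are
# handled by this server and the realm is stripped into Stripped-User-Name,
# which is what the ldap filter looks up.
realm something.ca {
}

# Users who type no realm at all stay local as well, so they are
# never matched by DEFAULT.
realm NULL {
}

# Every other (unknown) realm goes to the upstream eduroam server.
# nostrip keeps the realm in User-Name so the upstream can route the
# request to the user's home institution.
realm DEFAULT {
        pool = eduroam_pool
        nostrip
}
```

The realm is only parsed if the `suffix` module is listed in the `authorize` section that handles the request.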