Allowing user from one realm but not another
Jeff A
jeffa at globalco.net
Sat Feb 13 20:15:20 CET 2010
Ok, from what I see that won’t work.
If I rewrite a username in preproxy, i.e. (billy at foo.net) to billy at beg.net, then in proxy the username is authed, cause radius only looks at the username with the realm stripped.
I need to watch for billy to login, and if he uses any other realm besides billy at beg.net then reject him before he even gets to being authed by the server, cause my server strips the realm off and only sees the username.
Rewriting the realm on the auth request for this user would allow him to login no matter what.
I think the best approach would be to watch for any username named billy, and if his realm does not match the realm he is allowed from, then reject access before he is sent for authentication and the realm has been stripped as it is supposed to be.
Maybe I am wrong here, I do not know, but here is why I am trying to do this.
Jeff
From: freeradius-users-bounces+jeffa=globalco.net at lists.freeradius.org [mailto:freeradius-users-bounces+jeffa=globalco.net at lists.freeradius.org] On Behalf Of Jeff A
Sent: Saturday, February 13, 2010 1:54 PM
To: 'FreeRadius users mailing list'
Subject: RE: Allowing user from one realm but not another
So far no luck, but I will keep looking.
From: freeradius-users-bounces+jeffa=globalco.net at lists.freeradius.org [mailto:freeradius-users-bounces+jeffa=globalco.net at lists.freeradius.org] On Behalf Of Gary Gatten
Sent: Saturday, February 13, 2010 11:32 AM
To: freeradius-users at lists.freeradius.org
Subject: Re: Allowing user from one realm but not another
LOL, easy to do with FR. I was just getting the hang of it when I was pulled off to another project.
Check out the operators and unlang. Maybe there are some examples within the users file with similar replacement operations.
_____
From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org <freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org>
To: 'FreeRadius users mailing list' <freeradius-users at lists.freeradius.org>
Sent: Sat Feb 13 10:17:42 2010
Subject: RE: Allowing user from one realm but not another
Yes, that would work, but not sure how to implement this. I have been trying to find a written example of someone who has done this on the search engines, but all I have accomplished is making myself confused.
From: freeradius-users-bounces+jeffa=globalco.net at lists.freeradius.org [mailto:freeradius-users-bounces+jeffa=globalco.net at lists.freeradius.org] On Behalf Of Gary Gatten
Sent: Saturday, February 13, 2010 11:11 AM
To: freeradius-users at lists.freeradius.org
Subject: Re: Allowing user from one realm but not another
Assuming there are not duplicate names, can't you just rewrite his auth request so it's always the realm you want? Billy.* = Billy.beg
_____
From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org <freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org>
To: freeradius-users at lists.freeradius.org <freeradius-users at lists.freeradius.org>
Sent: Sat Feb 13 09:52:33 2010
Subject: Allowing user from one realm but not another
Here's my issue, and I have no idea exactly how to do this.
Trying to figure it out is making me more confused.
1st, I use the users file for authentication.
I have three different realms users can login with.
For example, they are (foo.net, bar.net, beg.net).
When users login from one of the realms from my two upstream providers they login as one of these realms.
Then freeradius will strip the realm and auth the user.
My dilemma is I have some users that abused a certain realm usage, and I want to restrict them to another realm for login and deny the others.
Say billy at foo.net has abused the foo.net realm; now I need him solely on beg.net, disallowing the other two realms. In other words, reject him before if he tries to use the old realm again. In other words, I want to allow only billy to use this one new realm and be rejected if he tries another realm.
This has to take place, I figure, in preproxy, cause my users file is authenticated minus the realm in proxy.
But as I said, I have no idea what to do to set this up.
I would not mind adding usernames to a file to be prechecked at preproxy, and if user is and he is not using realm specified reject him, just not sure what to do or how.
Jeff
"This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system."
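The per-user realm check discussed in this thread, as an added example that is not from any of the posters or from the FreeRADIUS project: an unlang condition in the authorize section that rejects billy unless the User-Name is exactly billy@beg.net, evaluated before the users-file lookup sees the stripped name. It assumes the thread's names (billy, beg.net), the stock `preprocess`, `suffix` and `files` module instances, and that a bare "billy" with no realm should be rejected as well.

```conf
# Added example: authorize section of the virtual server that handles
# the Access-Request (for instance sites-available/default).
authorize {
    preprocess

    # User-Name still carries the realm at this point. The realm module
    # ("suffix") adds Stripped-User-Name and Realm; it does not rewrite
    # User-Name, so the full name can be tested directly.
    #
    # First test:  is this billy, with any realm or with none?
    # Second test: is it anything other than exactly billy@beg.net?
    # [.] is used instead of an escaped dot to avoid backslash handling
    # differences in the configuration parser.
    if ((User-Name =~ /^billy(@.*)?$/i) && (User-Name !~ /^billy@beg[.]net$/i)) {
        update reply {
            # Constructed message text (assumption, not from the thread).
            Reply-Message := "This account may only log in from beg.net"
        }
        reject
    }

    # Realm handling and the users-file lookup run only for requests
    # that passed the check above.
    suffix
    files
}
```

Because the test runs on the full User-Name in authorize, it applies to requests that are authenticated locally and never proxied. Running the server in debug mode (`radiusd -X`) shows the condition being evaluated for each Access-Request.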