radius for linux authentication

sri.b at aol.in sri.b at aol.in
Tue Feb 16 14:08:21 CET 2010


Thank you Fajar.
I added an additional argument to the pam radius library, "realm=192.168.100.10", and this realm is appended to the
user name, like user at 192.168.100.10. This solved my problem.

Regards,
Sri.



On Thu, Feb 11, 2010 at 5:20 PM,  <sri.b at aol.in> wrote:
> Now the problem is how to identify a user like root who has the same name on
> multiple machines.
> For this I observed that this PAM library is sending
> Calling-Station-Id in Access-Request packets.
> I did modify my radcheck table to have entries as following:
> +----+-----------+--------------------+----+----------------+
> | id | UserName  | Attribute          | op | Value          |
> +----+-----------+--------------------+----+----------------+
> |  1 | linuxuser | Password           | == | radpwd         |
> | 12 | root      | Calling-Station-Id | == | 192.168.100.61 |
> | 11 | root      | Password           | == | 10radpwd       |
> | 10 | root      | Password           | == | 61radpwd       |
> | 13 | root      | Calling-Station-Id | == | 192.168.70.10  |
> +----+-----------+--------------------+----+----------------+
>
> But it failed to authenticate.

That won't work. You're NOT supposed to have different passwords for
the same user name.
When using a centralized authentication (radius, LDAP, Active
Directory, whatever), a user will use the same password regardless of
other attributes (like Calling-Station-Id).



That being said, freeradius is highly customizable. You could, for
example, use unlang to modify the username to become
"root at 192.168.100.10". See
http://lists.freeradius.org/pipermail/freeradius-users/2010-January/msg00389.html
and http://lists.freeradius.org/pipermail/freeradius-users/2010-January/msg00468.html
for example. It does the reverse of what you're trying to do, but you
can look at the example to see how you could modify the value of
User-Name in request attribute.

Another approach would be to use a custom user table (adding another
column, CallingStationId), plus modify queries in dialup.conf so it
says "WHERE username = '%{SQL-User-Name}' AND
CallingStationId='%{Calling-Station-Id}'" instead of just "WHERE
username = '%{SQL-User-Name}' ". Your table would then look something
like this

 +----+-----------+--------------------+----+----------------+------------------+
 | id | UserName  | Attribute          | op | Value          | CallingStationId |
 +----+-----------+--------------------+----+----------------+------------------+
 | 11 | root      | Password           | == | 10radpwd       | 192.168.100.10   |
 | 10 | root      | Password           | == | 61radpwd       | 192.168.100.61   |
 +----+-----------+--------------------+----+----------------+------------------+

but with this method you need to define ALL calling-station-id and
their corresponding passwords. I consider this a hack though. You
should avoid this unless you ABSOLUTELY know what you're doing, as
you're unlikely to get help from others if you experience problems due
to this "hack".


-- 
Fajar
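The User-Name rewrite Fajar suggests, written out as an added example in FreeRADIUS 2.x unlang for the "authorize" section of sites-available/default. This is not code from the thread or from the FreeRADIUS project, and it needs FreeRADIUS 2.0 or later: the 1.1.5 server in the original post has no unlang at all. The choice of Calling-Station-Id as the key, the guard against double-qualifying a name, and the absence of any realm (suffix) module after the rewrite are assumptions of this example.

```unlang
# Added example, not from the thread: rewrite User-Name into a per-host
# form before rlm_sql looks the user up, so that "root" on 192.168.100.10
# and "root" on 192.168.100.61 become two different radcheck users.
authorize {
    preprocess

    # Only rewrite when the NAS actually sent Calling-Station-Id and the
    # name is not already host-qualified. The second test avoids turning
    # "root@192.168.100.10" into "root@192.168.100.10@192.168.100.10" if
    # this section ever runs on an already-rewritten name.
    if (Calling-Station-Id && (User-Name !~ /@/)) {
        update request {
            # Calling-Station-Id is whatever the NAS (here pam_radius on
            # the Linux host) chose to put in the packet; it is not
            # verified by the server. If every host has its own
            # clients.conf entry and shared secret, %{Client-IP-Address}
            # (the packet's source address, which the server matched
            # against clients.conf) is a harder-to-forge key. This example
            # keeps Calling-Station-Id to follow the thread (assumption).
            User-Name := "%{User-Name}@%{Calling-Station-Id}"
        }
    }

    # rlm_sql expands sql_user_name (default "%{User-Name}") when it runs,
    # i.e. after the rewrite, so radcheck is now queried for
    # UserName = 'root@192.168.100.10' rather than 'root'.
    sql
}
```

With this in place radcheck holds one Password row per host-qualified name (root@192.168.100.10 with one password, root@192.168.100.61 with another), and a bare "root" row no longer matches anything, so every host that should authenticate needs its own row. Keep the "suffix" realm module out of the section, or run it before the rewrite, so it does not split the freshly added "@host" part off again.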

-----Original Message-----
From: sri.b at aol.in
To: freeradius-users at lists.freeradius.org
Sent: Thu, 11 Feb 2010 3:50 pm
Subject: radius for linux authentication

 Hi List,

I have configured my linux devices to use freeRadius (freeRadius 1.1.5 with MySQL backend) authentication.
Installation of pam library went well and am able to get authenticated against my freeRadius server.
Now the problem is how to identify a user like root who has the same name on multiple machines. For this I observed that this PAM library is sending Calling-Station-Id in Access-Request packets.
I did modify my radcheck table to have entries as following:
+----+-----------+--------------------+----+----------------+
| id | UserName  | Attribute          | op | Value          |
+----+-----------+--------------------+----+----------------+
|  1 | linuxuser | Password           | == | radpwd         |
| 12 | root      | Calling-Station-Id | == | 192.168.100.61 |
| 11 | root      | Password           | == | 10radpwd       |
| 10 | root      | Password           | == | 61radpwd       |
| 13 | root      | Calling-Station-Id | == | 192.168.70.10  |
+----+-----------+--------------------+----+----------------+

But it failed to authenticate.

Please suggest what could be the problem, ASAP.
Also, are there any other ways to handle this kind of situation.


Appreciate your help.

Regards,
Sri.


