Standard & Realm Authentication
Alan DeKok
aland at deployingradius.com
Tue Feb 2 15:38:19 CET 2021
On Feb 1, 2021, at 2:42 PM, Richard J Palmer <richard at merula.net> wrote:
> We have been using FreeRadius for quite a long time to authenticate PPPoE and L2TP sessions and hotspots. So far everything works.
That's good to hear. :)
> What I am trying to achieve in FreeRadius is
>
> 1) If there's an exact username (as now) continue as now
> 2) IF there's not a match either run a second SQL which will find the realm - and return accept. And then pass back the necessary attributes back to allow the session to forward.
I'd break that down into 3 steps. The question is how do you "find the realm"?
> Pretty happy to do most of the work here but some pointers would be perfect.
>
> I could, I suppose, do this by replacing the SQL query with a stored procedure - but open to any better ideas?
Run the SQL module as-is, ensuring that the key is User-Name:

    sql
    if (notfound) {
        ... extra magic goes here ...
    }

You'll need to do a few things after this. One is to figure out how to turn the User-Name into a realm. Ideally you put this into some kind of regex / SQL table, whatever. How this is done depends on you. And with minimal information, we can't really recommend anything. Put the realm name into a My-Realm attribute (Realm is already used for other things).
Define My-Realm in raddb/dictionary:

    ATTRIBUTE My-Realm 3000 string

The next step is to edit the SQL queries to look up realm *or* User-Name, e.g. edit raddb/mods-config/sql/main/mysql/queries.conf:

    ...
    sql_user_name = "%{%{My-Realm}:-%{User-Name}}"

Then, you can insert entries into the SQL tables, keyed by User-Name *or* realm. Then update the "extra magic here" from above:

    sql
    if (notfound) {
        ??? somehow get My-Realm from User-Name
        sql
    }

And ensure that each of the My-Realm entries has the correct reply attributes.
Alan DeKok.
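As an added illustration, not part of Alan's reply and not FreeRADIUS's own configuration, here is one way the "extra magic" could look in the authorize section of a FreeRADIUS 3 virtual server. It assumes logins of the form user@realm, that My-Realm has been defined in the dictionary and sql_user_name changed to "%{%{My-Realm}:-%{User-Name}}" as described above, and that the radcheck/radreply rows for a realm use the realm name in their username column. The regular expression, the lower-casing of the realm and the explicit reject when neither lookup finds anything are choices made for this example, not something from the thread.

```unlang
authorize {
    # First pass: look the user up by their exact User-Name.
    # My-Realm is not set yet, so sql_user_name falls back to User-Name.
    sql

    if (notfound) {
        # Derive the realm from a "user@realm" style login.
        # Assumed pattern: the realm may contain only letters, digits,
        # '.' and '-', so nothing else can reach the SQL query via My-Realm.
        if (&User-Name =~ /^[^@]+@([A-Za-z0-9.-]+)$/) {
            update request {
                # Normalise case so "Example.NET" and "example.net"
                # hit the same realm row.
                &My-Realm := "%{tolower:%{1}}"
            }

            # Second pass: sql_user_name now expands to My-Realm, so the
            # radcheck / radreply rows keyed by the realm name are used.
            sql
            if (notfound) {
                # Neither the user nor the realm is known: fail closed.
                reject
            }
        }
        else {
            # No realm in the login and no exact match: unknown user.
            reject
        }
    }
}
```

With this in place the reply attributes that let the session forward come entirely from the realm's radreply rows, which is why each realm entry has to be complete on its own; a realm row with no reply attributes would accept the user but hand the NAS nothing to set the tunnel up with.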