duplicate usernames across multiple NAS that belong to different users

Alan DeKok aland at deployingradius.com
Wed Sep 1 19:28:41 CEST 2021


On Sep 1, 2021, at 11:36 AM, Jonathan Davis <jonathan at prioritycolo.com> wrote:
> I prefer not mangling / editing / straying from the defaults of FreeRadius.

  The configuration is editable for a reason.  If you're going to do something unusual like having multiple users with the same name, then you'll need to edit the configuration.

  One choice is to keep the configuration mostly "stock", but use virtual servers to create multiple "virtual" servers.  The benefit here is that those configurations can be trivially moved to different machines, and to different *real* servers.

  Another choice is to butcher the configuration to resemble nothing like the standard configuration.  Change the lookup fields, change the database to have additional magic keys for each user, etc.  But that means not only having custom tables, but having custom *contents* of the tables.

  You really don't want to do that.

> Where I run into hesitation is with the numbers. The example of 2 is actually 12 devices, in addition to another 88 other devices + additional network and workstations we'd be adding. I can handle creating virtual servers for each, but creating that many sql modules seems unwise to do.

  Sure.  FreeRADIUS gives you the flexibility to do most anything you want.

> Can the SQL table used be set anywhere else?

   You could also change the table names in mods-available/sql, to create unique tables per NAS.  That way you can use one SQL module, and just select different tables:

	acct_table1 = "radacct_%{%{client:nas_table}:-default}"
	acct_table2 = "radacct_%{%{client:nas_table}:-default}"
...
    etc. for all of the "table" configurations.

  i.e. add a dynamic qualifier to the table names.  You'll need to create all of those tables, of course.

  And you can set the table names in the "clients.conf" section:

client nas1 {
	...
	nas_table = "nas1"
	...
}

  So all of the tables for NAS1 are "radcheck_nas1", etc.

  But again... you *cannot* do what you want without editing the configuration.  There is no magical solution where the server supports multiple identical user names, and magically selects the "right" one based on the NAS.  You must understand, design, implement, and test the solution yourself.

> I'm still familiarizing myself with SQL and the authorize section, in that the queries only retrieve a known password for the user, which is authorized in the PAP or other module of the authorized section?

  No.  The queries do a lot more than that.  See the docs in the module configuration, and in http://wiki.freeradius.org

> Having read the virtual servers documentation, I'm not clear on what settings are inherited (if any), from the default to virtual servers, and if virtual servers can extend other virtual servers?

  There is no "inheritance" from one virtual server to another. They are completely independent.

  The modules are global, however.

  Alan DeKok.
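The per-NAS table scheme described in the reply above, written out as a complete configuration example (added here; not from the original post or the FreeRADIUS project). It assumes FreeRADIUS 3.x, a "nas_table" field you define yourself in each client {} block, and placeholder IP addresses and secrets.

```text
# mods-available/sql (only the table-name settings are shown)
sql {
    ...
    # Per-NAS table names.  %{client:nas_table} expands to the "nas_table"
    # field of the client {} block that sent the request; ":-default" falls
    # back to the "*_default" tables for clients that do not set it.
    # The qualifier comes from clients.conf (trusted config), never from a
    # request attribute such as User-Name, so it cannot be used to inject
    # SQL through the table name.
    acct_table1      = "radacct_%{%{client:nas_table}:-default}"
    acct_table2      = "radacct_%{%{client:nas_table}:-default}"
    postauth_table   = "radpostauth_%{%{client:nas_table}:-default}"
    authcheck_table  = "radcheck_%{%{client:nas_table}:-default}"
    groupcheck_table = "radgroupcheck_%{%{client:nas_table}:-default}"
    authreply_table  = "radreply_%{%{client:nas_table}:-default}"
    groupreply_table = "radgroupreply_%{%{client:nas_table}:-default}"
    usergroup_table  = "radusergroup_%{%{client:nas_table}:-default}"

    # client_table is read once at startup (read_clients = yes), before any
    # request exists, so it keeps a fixed name and gets no per-request qualifier.
    client_table     = "nas"
    ...
}

# clients.conf
client nas1 {
    ipaddr    = 192.0.2.10        # placeholder
    secret    = CHANGE_ME_nas1    # placeholder
    nas_table = "nas1"            # -> radcheck_nas1, radacct_nas1, ...
}

client nas2 {
    ipaddr    = 192.0.2.11        # placeholder
    secret    = CHANGE_ME_nas2    # placeholder
    nas_table = "nas2"            # -> radcheck_nas2, radacct_nas2, ...
}

client lab-switch {
    ipaddr    = 192.0.2.30        # placeholder
    secret    = CHANGE_ME_lab     # placeholder
    # no nas_table -> radcheck_default, radacct_default, ...
}
```

Every table named by an expansion (radcheck_nas1, radacct_default, and so on) must already exist with the stock schema, or the queries in that NAS's context will fail; a "radiusd -X" run against a test client will show the expanded table name in the logged query.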
