Realm Config
Carlos Botejara
cbotejara at gmail.com
Thu Aug 24 19:12:29 UTC 2023
Is there any other way to do it?
I can't create 2 tables with different Realm names.
It should at least be possible to take an action by reading the Mikrotik-Realm
attribute and execute the corresponding authorize_check_query.
Thanks!
On Tue, 22 Aug 2023 at 23:09, Carlos Botejara (<cbotejara at gmail.com>) wrote:
> Thanks for the answer, Alan
>
> On Tue, 22 Aug 2023 at 22:44, Alan DeKok (<aland at deployingradius.com>) wrote:
>
>> On Aug 22, 2023, at 9:29 PM, Carlos Botejara <cbotejara at gmail.com> wrote:
>> >
>> > I need to configure 2 realms, and validate users depending on the realm
>> > from which they connect, I need specific rules for each site (with
>> > different sql queries).
>> > The users are in a mysql database.
>> > I configured the Realms in the proxy.conf file as follows (because I
>> don't
>> > have domain)
>> > realm1 {
>> > nostrip
>> > }
>> > realm2 {
>> > nostrip
>> > }
>>
>> That's a good start.
>>
>> > The realm is configured in the Mikrotik router of each site.
>> > The Realm attribute for Mikrotik is Mikrotik-Realm
>>
>> That doesn't matter much.
>>
>> The approach here is always the same. Write down what you want to do.
>> Look at the debug log to see what the NAS is sending, etc.
>>
>> In this case:
>>
>> * what are the different queries you want to run?
> Way to validate the user: in one realm I will receive username/password,
> while in the other only a user (a MAC address).
>>
>
>
>> * How different are they?
> Not much. One of the sites will authenticate by username and password,
> while the other will do so only by MAC.
> Mikrotik runs a DHCP service, and it will validate against
> FreeRADIUS (MACs are already loaded in the database); only in this case,
> Mikrotik sends only the MAC as the user and does not send a password.
>>
>
>
>> * do the different queries need different tables, different other things
>> ???
> No, I use the same tables.
>
>
>> * what are the different rules?
>>
> They send bandwidth, VLAN, IP address.
>
>>
>> It's hard to answer a question of "I need to do stuff. How do I
>> configure it?" The more information we get about what you need,
>> the better the answers you get. When the questions are vague, the answers are
>> vague too.
> Yes, that's true. Sorry, you're right.
>> The recommended approach is to use different SQL tables based on
>> realms. This means that you can use the standard queries. You then just
>> need to update the mods-available/sql.conf file, to use the correct table
>> name. Where that file says:
>>
>> authcheck_table = "radcheck"
>>
>> You can change that to:
>>
>> authcheck_table = "%{%{Realm}_radcheck:-radcheck}"
>>
>> i.e. "if the realm exists, use a radcheck table named for the realm,
>> otherwise use the normal radcheck table".
>>
>> Do this for all of the tables named in mods-available/sql.
>>
>> The server will automatically get the Realm, and use it in the SQL
>> query. All you need to do is to create a series of tables for each realm.
>> Your main FreeRADIUS configuration can then be very, very, simple.
> How does FreeRADIUS interpret the Realm if Mikrotik sends it as
> Mikrotik-Realm?
>> Alan DeKok.
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
>
> Thanks!
>
>
--
Carlos Botejara
IT Analyst
cbotejara at gmail.com
NEUQUEN - ARGENTINA
C: 0299-154230346
LINKEDIN: http://www.linkedin.com/in/carlosbotejara
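As an added example (not from the thread), constructed MySQL DDL for the per-realm tables that Alan's `%{%{Realm}_radcheck:-radcheck}` setting resolves to, assuming the standard FreeRADIUS MySQL schema and the realm names realm1/realm2 from the proxy.conf above. It assumes the Realm attribute is already set on the request (how Mikrotik-Realm maps onto it is the open question in the thread); the sample rows, user name, MAC and addresses are constructed.

```sql
-- Constructed example: per-realm copies of the standard FreeRADIUS MySQL
-- authorization tables. With these settings in the sql module config
--   authcheck_table  = "%{%{Realm}_radcheck:-radcheck}"
--   authreply_table  = "%{%{Realm}_radreply:-radreply}"
--   groupcheck_table = "%{%{Realm}_radgroupcheck:-radgroupcheck}"
--   groupreply_table = "%{%{Realm}_radgroupreply:-radgroupreply}"
--   usergroup_table  = "%{%{Realm}_radusergroup:-radusergroup}"
-- a request with Realm = realm1 reads realm1_radcheck, and a request with no
-- Realm falls back to the plain radcheck table.
-- CREATE TABLE ... LIKE copies the columns and indexes of the standard tables.

CREATE TABLE realm1_radcheck      LIKE radcheck;
CREATE TABLE realm1_radreply      LIKE radreply;
CREATE TABLE realm1_radgroupcheck LIKE radgroupcheck;
CREATE TABLE realm1_radgroupreply LIKE radgroupreply;
CREATE TABLE realm1_radusergroup  LIKE radusergroup;

CREATE TABLE realm2_radcheck      LIKE radcheck;
CREATE TABLE realm2_radreply      LIKE radreply;
CREATE TABLE realm2_radgroupcheck LIKE radgroupcheck;
CREATE TABLE realm2_radgroupreply LIKE radgroupreply;
CREATE TABLE realm2_radusergroup  LIKE radusergroup;

-- Constructed sample rows. realm1 site: username/password check.
INSERT INTO realm1_radcheck (username, attribute, op, value)
  VALUES ('alice', 'Cleartext-Password', ':=', 'example-password');

-- realm2 site: the NAS sends only the MAC address as the username and no
-- password, so the check row accepts the known MAC outright. This identifies
-- the device rather than authenticating it, so these rows belong only in the
-- realm2 table (reachable from that site's NAS, with its own client entry and
-- shared secret), never in the fallback radcheck table.
INSERT INTO realm2_radcheck (username, attribute, op, value)
  VALUES ('00:11:22:33:44:55', 'Auth-Type', ':=', 'Accept');

-- Per-site reply attributes (bandwidth and IP address, as mentioned in the
-- thread), returned only to requests that resolved to the realm2 tables.
INSERT INTO realm2_radreply (username, attribute, op, value)
  VALUES ('00:11:22:33:44:55', 'Mikrotik-Rate-Limit', ':=', '10M/10M'),
         ('00:11:22:33:44:55', 'Framed-IP-Address',   ':=', '192.0.2.10');
```

Accounting and post-auth tables (acct_table1, acct_table2, postauth_table) can be copied the same way if per-realm accounting is wanted.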