I'm trying to set up a radius server (freeradius 1.0.1 on FreeBSD 5.3) to handle two distinct sets of users, who will be using different sets of NASes. I'd like to use rlm_passwd (because it's hashed) rather than putting everyone in the 'users' file. But I'm having trouble handling username collisions between the two sets of users.
Here's a stripped-down config that illustrates what I've got so far:

'passwdA' (the first password file):

    george:georgeA:groupA
    fred:fredA:groupA

'passwdB' (the second password file):

    george:georgeB:groupB
    sam:samB:groupB

I've modified 'radiusd.conf' as follows:

    ...
    modules {
        ...
        passwd usersA {
            filename = /usr/local/etc/raddb/passwdA
            format = "*User-Name:User-Password:~Test-Group"
            authtype = Local
        }
        passwd usersB {
            filename = /usr/local/etc/raddb/passwdB
            format = "*User-Name:User-Password:~Test-Group"
            authtype = Local
        }
        ...
    }
    ...
    authorize {
        usersA
        usersB
        #
        # Read the 'users' file
        files
        ...
    }

Then, in 'huntgroups' I have:

    huntA   NAS-IP-Address == 192.168.0.5
    huntB   NAS-IP-Address == 192.168.0.8

Finally, in 'users':

    DEFAULT Huntgroup-Name == "huntA", Test-Group == "groupA"
    DEFAULT Huntgroup-Name == "huntB", Test-Group == "groupB"
    # Reject everyone else
    DEFAULT Auth-Type := Reject

This almost works. User 'fred' can authenticate only from huntgroup 'huntA' and 'sam' can authenticate only from 'huntB'. User 'george' can authenticate from either huntgroup, but *only* with the "georgeA" password, even if he's coming from huntgroup 'huntB'.

Debug output (below) shows that both 'george' entries are found, and both passwords are added to the config_items. But only the first one is checked against the supplied password.

It seems that it ought to be possible to restrict the authorization based on huntgroup, but I'm not seeing how. Am I missing something obvious?

Thanks,

-- 
George C. Kaplan                        [EMAIL PROTECTED]
Communication & Network Services        510-643-0496
University of California at Berkeley

-----------------------------------------------------------------------

    rad_recv: Access-Request packet from host 128.32.155.26:39993, id=163, length=63
            User-Name = "george"
            User-Password = "georgeA"
            NAS-IP-Address = 192.168.0.8
            NAS-Port-Id = "666"
            Framed-Protocol = PPP
      Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 1
      modcall[authorize]: module "preprocess" returns ok for request 1
      modcall[authorize]: module "chap" returns noop for request 1
      modcall[authorize]: module "mschap" returns noop for request 1
        rlm_realm: No '@' in User-Name = "george", looking up realm NULL
        rlm_realm: No such realm "NULL"
      modcall[authorize]: module "suffix" returns noop for request 1
      rlm_eap: No EAP-Message, not doing EAP
      modcall[authorize]: module "eap" returns noop for request 1
    rlm_passwd: Added User-Password: 'georgeA' to config_items
    rlm_passwd: Added Test-Group: 'groupA' to request_items
    rlm_passwd: Adding "Auth-Type = Local"
      modcall[authorize]: module "usersA" returns ok for request 1
    rlm_passwd: Added User-Password: 'georgeB' to config_items
    rlm_passwd: Added Test-Group: 'groupB' to request_items
    rlm_passwd: Adding "Auth-Type = Local"
      modcall[authorize]: module "usersB" returns ok for request 1
        users: Matched DEFAULT at 9
      modcall[authorize]: module "files" returns ok for request 1
    modcall: group authorize returns ok for request 1
      rad_check_password: Found Auth-Type Local
    auth: type Local
    auth: user supplied User-Password matches local User-Password
    Login OK: [george] (from client enceladus port 0)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
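As an added example (not from the post or from FreeRADIUS itself), the following Python lint parses both rlm_passwd files with the post's format string, reports usernames that appear in more than one file, and replays the authorize order to show which User-Password is actually the one compared for a given NAS. It assumes the module order usersA, usersB from the authorize section, the NAS-to-group mapping from 'huntgroups' and 'users', and, following the debug output, that the unprefixed User-Password field lands in config_items while the '~' field lands in request_items.

```python
# Constructed copies of the post's two rlm_passwd files, in authorize order.
PASSWD_FILES = [
    ("usersA", "george:georgeA:groupA\nfred:fredA:groupA\n"),
    ("usersB", "george:georgeB:groupB\nsam:samB:groupB\n"),
]
FORMAT = "*User-Name:User-Password:~Test-Group"
HUNTGROUPS = {"192.168.0.5": "groupA", "192.168.0.8": "groupB"}  # NAS -> Test-Group

def parse_passwd(text, fmt=FORMAT, delimiter=":"):
    """Index an rlm_passwd file by its '*' key; '~' fields are request items,
    the rest config items (where the debug output shows User-Password going)."""
    fields = fmt.split(delimiter)
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split(delimiter)
        if len(values) != len(fields):
            raise ValueError(f"malformed line: {line!r}")
        entry = {"config": {}, "request": {}}
        for spec, value in zip(fields, values):
            if spec.startswith("*"):
                key = value
            else:
                dest = "request" if spec.startswith("~") else "config"
                entry[dest][spec.lstrip("~")] = value
        entries[key] = entry
    return entries

def find_collisions(files=PASSWD_FILES):
    """Names present in more than one file: {user: [module, ...]}."""
    seen = {}
    for module, text in files:
        for user in parse_passwd(text):
            seen.setdefault(user, []).append(module)
    return {u: m for u, m in seen.items() if len(m) > 1}

def simulate_authorize(user, nas_ip, files=PASSWD_FILES, huntgroups=HUNTGROUPS):
    """Every matching module appends its items, but only the first User-Password is compared."""
    passwords, groups = [], []
    for module, text in files:
        entry = parse_passwd(text).get(user)
        if entry is not None:
            passwords.append((module, entry["config"]["User-Password"]))
            groups.append(entry["request"]["Test-Group"])
    if not passwords:
        return None
    # The 'users' DEFAULT entry matches if any request item equals the huntgroup's group.
    return {"checked": passwords[0], "groups": groups,
            "users_file_match": huntgroups.get(nas_ip) in groups}
```

For 'george' from 192.168.0.8 the result is the post's observed behaviour: the users file matches on the second Test-Group, but the password compared is usersA's.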