I'm trying to set up a radius server (freeradius 1.0.1 on FreeBSD 5.3)
to handle two distinct sets of users, who will be using different sets
of NASes. I'd like to use rlm_passwd (because it's hashed) rather than
putting everyone in the 'users' file. But I'm having trouble handling
username collisions between the two sets of users.
Here's a stripped-down config that illustrates what I've got so far:
'passwdA' (the first password file):
george:georgeA:groupA
fred:fredA:groupA
'passwdB' (the second password file):
george:georgeB:groupB
sam:samB:groupB
I've modified 'radiusd.conf' as follows:
...
modules {
    ...
    passwd usersA {
        filename = /usr/local/etc/raddb/passwdA
        format = "*User-Name:User-Password:~Test-Group"
        authtype = Local
    }
    passwd usersB {
        filename = /usr/local/etc/raddb/passwdB
        format = "*User-Name:User-Password:~Test-Group"
        authtype = Local
    }
    ...
{
    ...
    authorize {
        usersA
        usersB
        #
        # Read the 'users' file
        files
        ...
    }
Then, in 'huntgroups' I have:
huntA NAS-IP-Address == 192.168.0.5
huntB NAS-IP-Address == 192.168.0.8
Finally, in 'users':
DEFAULT Huntgroup-Name == "huntA", Test-Group == "groupA"
DEFAULT Huntgroup-Name == "huntB", Test-Group == "groupB"
# Reject everyone else
DEFAULT Auth-Type := Reject
This almost works. User 'fred' can authenticate only from huntgroup
'huntA' and 'sam' can authenticate only from 'huntB'. User 'george'
can authenticate from either huntgroup, but *only* with the "georgeA"
password, even if he's coming from huntgroup 'huntB'.
Debug output (below) shows that both 'george' entries are found, and
both passwords are added to the config_items. But only the first one
is checked against the supplied password.
It seems that it ought to be possible to restrict the authorization
based on huntgroup, but I'm not seeing how. Am I missing something
obvious?
Thanks,
--
George C. Kaplan [EMAIL PROTECTED]
Communication & Network Services 510-643-0496
University of California at Berkeley
-----------------------------------------------------------------------
rad_recv: Access-Request packet from host 128.32.155.26:39993, id=163, length=63
User-Name = "george"
User-Password = "georgeA"
NAS-IP-Address = 192.168.0.8
NAS-Port-Id = "666"
Framed-Protocol = PPP
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "george", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 1
rlm_passwd: Added User-Password: 'georgeA' to config_items
rlm_passwd: Added Test-Group: 'groupA' to request_items
rlm_passwd: Adding "Auth-Type = Local"
modcall[authorize]: module "usersA" returns ok for request 1
rlm_passwd: Added User-Password: 'georgeB' to config_items
rlm_passwd: Added Test-Group: 'groupB' to request_items
rlm_passwd: Adding "Auth-Type = Local"
modcall[authorize]: module "usersB" returns ok for request 1
users: Matched DEFAULT at 9
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [george] (from client enceladus port 0)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
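One way to scope each password file to its own huntgroup, added here as an example and not part of the original post or of the FreeRADIUS distribution: let `preprocess` attach `Huntgroup-Name`, let the `users` file pick an `Autz-Type` from it, and run only the matching `passwd` instance inside an `Autz-Type` sub-section of `authorize`, so that only one `User-Password` ever reaches `config_items`. This assumes the 1.x server accepts `Autz-Type` sub-sections in `authorize` (documented for the 1.x series; check the comments in your own radiusd.conf before relying on it) and reuses the `usersA`/`usersB` module instances and the `huntA`/`huntB` huntgroup names from the post; the group labels `groupA`/`groupB` are arbitrary.

```text
# radiusd.conf -- added example. Only the passwd instance selected by the
# huntgroup runs, so a user such as 'george' is checked against exactly
# one password file.
authorize {
    preprocess          # reads 'huntgroups' and adds Huntgroup-Name to the request
    files               # reads 'users' (below) and sets Autz-Type per huntgroup
    Autz-Type groupA {  # assumption: Autz-Type sub-sections supported by this 1.x build
        usersA
    }
    Autz-Type groupB {
        usersB
    }
}

# users -- the first matching DEFAULT wins (no Fall-Through), so a request
# from a NAS in neither huntgroup lands on the Reject entry.
DEFAULT Huntgroup-Name == "huntA", Autz-Type := groupA
DEFAULT Huntgroup-Name == "huntB", Autz-Type := groupB
DEFAULT Auth-Type := Reject
```

With this ordering `files` runs before either `passwd` instance, so the `Test-Group` value that rlm_passwd adds to the request is no longer available for (or needed by) the `users` checks; the `~Test-Group` column in the `format` strings is harmless but does no work. A user absent from the selected file gets no `Auth-Type` at all and is rejected by the server, which is the desired failure mode.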