> On Fri, Feb 18, 2005 at 12:32:54PM -0500, Alan DeKok wrote:
> > From: "Alan DeKok" <[EMAIL PROTECTED]>
> > To: freeradius-users@lists.freeradius.org
> > Subject: Re: Grouping accounts
> > Date: Fri, 18 Feb 2005 12:32:54 -0500
> >
> > Steven Wayne <[EMAIL PROTECTED]> wrote:
> > > joeuser logs into the system and is authenticated by Radius.
> > >
> > > He then logs onto the ftp server. Can this be authorized by Radius using
> > > a different id/password but as a subset of "joeuser" so he can still be
> > > tracked and billed using just the main Radius account?
> >
> >   If you have some way to tie that id to "joeuser".  There's no
> > standard way to do that, though.
> >
> >   Alan DeKok.
>
> Another thought.
>
> How about authentication based on source address.
>
> If the FreeRadius server gets an authentication request from
> 192.168.0.4 use userida/passworda, from
> 192.168.0.5 use userida/passwordb
> and so on.
>
> I'll stop thinking soon, honest.
>

Hmm, you could do that if you store the users in a different area.  I
don't know if you want to go through the trouble of scattering your data
all over the place, but it could work.

Imagine you set up your users like this in ldap.

ou=ftpusers,dc=yourdomain
uid=someuser,ou=ftpusers,dc=yourdomain

ou=dialusers,dc=yourdomain
uid=sameuser,ou=dialusers,dc=yourdomain

Then you create two ldap instances in radiusd.conf (or a separate file and
include it)

ldap ftpldap {
  normal config stuff
  basedn = "ou=ftpusers,dc=yourdomain"
  more config stuff
}

ldap dialldap {
  configs
  basedn = "ou=dialusers,dc=yourdomain"
  more config stuff
}

Then in the huntgroups file you do this.

ftp     NAS-IP-Address == ipofftpserver1
ftp     NAS-IP-Address == ipofftpserver2
dial    NAS-IP-Address == ipofdialnas1
dial    NAS-IP-Address == ipofdialnas2

and so on...

Then in the users file you have only these.

DEFAULT  Huntgroup-Name == ftp, Autz-Type := ftpldap

DEFAULT  Huntgroup-Name == dial, Autz-Type := dialldap


That would say, if the packet comes from one of the ftp servers, then use
ftpldap instance to authorize the user, which would have the ftpuser
basedn.  If the request comes from a dial nas, then use the dialldap
instance with a different basedn.

This would work for you as far as authentication goes.  The only problem
is you'd have the same user in two areas in ldap, which would cause
redundant data and ldap wouldn't really know that the two are related.
You'd also have to build something to manage those two different sets of
data for the users, as far as changing passwords and stuff goes.

You could try that to start and then try to start syncing the passwords
later until they are all the same and then just remove one tree and have
radius just hit that one tree.

Hope that makes sense.

-Dusty Doris
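As an added illustration (not part of Dusty's post or of FreeRADIUS itself), a small Python model of the lookup chain he describes: it parses a constructed huntgroups file and users file, maps NAS-IP-Address to a huntgroup, then to the Autz-Type and the basedn of that ldap instance. The NAS addresses, basedns and the helper names are placeholders; a request from a NAS listed in neither huntgroup resolves to no instance at all, which is the case to verify before relying on the split.

```python
import ipaddress

# Constructed huntgroups file in the post's layout (group, then one
# "Attr == value" check). NAS addresses are placeholders.
HUNTGROUPS = """
ftp     NAS-IP-Address == 10.0.1.10
ftp     NAS-IP-Address == 10.0.1.11
dial    NAS-IP-Address == 10.0.2.10
"""
# Constructed users file with the post's two DEFAULT entries.
USERS = """
DEFAULT  Huntgroup-Name == ftp, Autz-Type := ftpldap
DEFAULT  Huntgroup-Name == dial, Autz-Type := dialldap
"""
# basedn of each ldap instance, mirroring the radiusd.conf blocks above.
LDAP_BASEDN = {"ftpldap": "ou=ftpusers,dc=yourdomain",
               "dialldap": "ou=dialusers,dc=yourdomain"}

def _lines(text):  # non-empty, non-comment lines
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def parse_huntgroups(text):
    """[(group, attribute, value)] for each 'group Attr == value' line."""
    entries = []
    for line in _lines(text):
        group, attr, _op, value = line.split()
        entries.append((group, attr, value))
    return entries

def parse_users(text):
    """Huntgroup-Name -> Autz-Type, taken from DEFAULT entries only."""
    mapping = {}
    for line in _lines(text):
        if line.startswith("DEFAULT"):
            pairs = [c.split() for c in line[len("DEFAULT"):].split(",")]
            items = {attr: val for attr, _op, val in pairs}
            mapping[items["Huntgroup-Name"]] = items["Autz-Type"]
    return mapping

def huntgroup_for(nas_ip, entries):
    """First group whose NAS-IP-Address check equals nas_ip, else None."""
    ip = ipaddress.ip_address(nas_ip)
    for group, attr, value in entries:
        if attr == "NAS-IP-Address" and ipaddress.ip_address(value) == ip:
            return group
    return None

def search_base(nas_ip, huntgroups=HUNTGROUPS, users=USERS):
    """basedn for the request, or None if no DEFAULT entry matches."""
    group = huntgroup_for(nas_ip, parse_huntgroups(huntgroups))
    return LDAP_BASEDN.get(parse_users(users).get(group))
```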



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html