> On Fri, Feb 18, 2005 at 12:32:54PM -0500, Alan DeKok wrote:
> > From: "Alan DeKok" <[EMAIL PROTECTED]>
> > To: freeradius-users@lists.freeradius.org
> > Subject: Re: Grouping accounts
> > Date: Fri, 18 Feb 2005 12:32:54 -0500
> >
> > Steven Wayne <[EMAIL PROTECTED]> wrote:
> > > joeuser logs into the system and is authenticated by Radius.
> > >
> > > He then logs onto the ftp server. Can this be authorized by Radius using
> > > a different id/password but as a subset of "joeuser" so he can still be
> > > tracked and billed using just the main Radius account?
> >
> > If you have some way to tie that id to "joeuser". There's no
> > standard way to do that, though.
> >
> > Alan DeKok.
>
> Another thought.
>
> How about authentication based on source address.
>
> If the FreeRadius server gets an authentication request from
> 192.168.0.4 use userida/passworda, from
> 192.168.0.5 use userida/passwordb
> and so on.
>
> I'll stop thinking soon, honest.
Hmm, you could do that if you store the users in a different area. I don't know if you want to go through the trouble of scattering your data all over the place, but it could work.

Imagine you set up your users like this in ldap.

    ou=ftpusers,dc=yourdomain
    uid=someuser,ou=ftpusers,dc=yourdomain

    ou=dialusers,dc=yourdomain
    uid=sameuser,ou=dialusers,dc=yourdomain

Then you create two ldap instances in radiusd.conf (or a separate file and include it)

    ldap ftpldap {
        normal config stuff
        basedn = "ou=ftpusers,dc=yourdomain"
        more config stuff
    }

    ldap dialldap {
        configs
        basedn = "ou=dialusers,dc=yourdomain"
        more config stuff
    }

Then in the huntgroups file you do this.

    ftp     NAS-IP-Address == ipofftpserver1
    ftp     NAS-IP-Address == ipofftpserver2
    dial    NAS-IP-Address == ipofdialnas1
    dial    NAS-IP-Address == ipofdialnas2

and so on...

Then in the users file you have only these.

    DEFAULT Huntgroup-Name == ftp, Autz-Type := ftpldap
    DEFAULT Huntgroup-Name == dial, Autz-Type := dialldap

That would say, if the packet comes from one of the ftp servers, then use the ftpldap instance to authorize the user, which would have the ftpuser basedn. If the request comes from a dial nas, then use the dialldap instance with a different basedn.

This would work for you as far as authentication goes. The only problem is you'd have the same user in two areas in ldap, which would cause redundant data and ldap wouldn't really know that the two are related. You'd also have to build something to manage those two different sets of data for the users, as far as changing passwords and stuff goes.

You could try that to start and then try to start syncing the passwords later until they are all the same and then just remove one tree and have radius just hit that one tree.

Hope that makes sense.

-Dusty Doris

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
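The huntgroup-to-Autz-Type dispatch that Dusty describes, as an added simulation that is not FreeRADIUS code and not part of the original post. It parses huntgroups-file and users-file lines in the shape shown above, picks the ldap instance for the request's NAS-IP-Address, and then looks the user up under that instance's basedn. The two directory subtrees are in-memory dicts standing in for LDAP, the NAS addresses and passwords are constructed, and a plain string comparison stands in for the ldap module's bind. It also makes the duplication problem concrete: the same uid exists under both base DNs with different passwords, so which credential works depends only on which NAS the request names.

```python
"""Constructed simulation of FreeRADIUS huntgroup -> Autz-Type -> ldap instance
dispatch (not FreeRADIUS code). Directory contents, NAS addresses and passwords
are made up for this example."""

# Stand-in for two LDAP subtrees that both hold uid=joeuser under different
# base DNs, the redundant-data situation the post warns about.
DIRECTORY = {
    "ou=ftpusers,dc=yourdomain": {"joeuser": "ftp-secret"},     # constructed
    "ou=dialusers,dc=yourdomain": {"joeuser": "dial-secret"},   # constructed
}

# The two ldap module instances from radiusd.conf, reduced to their basedn.
LDAP_INSTANCES = {
    "ftpldap": "ou=ftpusers,dc=yourdomain",
    "dialldap": "ou=dialusers,dc=yourdomain",
}

# huntgroups file, with constructed NAS addresses in place of ipofftpserver1 etc.
HUNTGROUPS = """\
ftp     NAS-IP-Address == 192.168.0.4
ftp     NAS-IP-Address == 192.168.0.5
dial    NAS-IP-Address == 192.168.1.10
"""

# users file exactly as shown in the post.
USERS = """\
DEFAULT Huntgroup-Name == ftp, Autz-Type := ftpldap
DEFAULT Huntgroup-Name == dial, Autz-Type := dialldap
"""


def parse_huntgroups(text):
    """Return [(group, attribute, value)] from huntgroups-style lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, attr, op, value = line.split()
        if op != "==":
            raise ValueError(f"unsupported operator in huntgroups line: {line}")
        rules.append((group, attr, value))
    return rules


def huntgroup_for(request, rules):
    """First huntgroup whose check item matches the request attributes, else None."""
    for group, attr, value in rules:
        if request.get(attr) == value:
            return group
    return None


def parse_users(text):
    """Return {huntgroup: autz_instance} from DEFAULT entries of the shown form."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, rest = line.split(None, 1)
        group = autz = None
        for item in (c.strip() for c in rest.split(",")):
            if item.startswith("Huntgroup-Name =="):
                group = item.split("==", 1)[1].strip()
            elif item.startswith("Autz-Type :="):
                autz = item.split(":=", 1)[1].strip()
        if name == "DEFAULT" and group and autz:
            mapping[group] = autz
    return mapping


def authorize(request, password):
    """Select the ldap instance via huntgroup, then check the user under its basedn.

    Returns (decision, basedn_used); basedn_used is None when no huntgroup matched,
    so no Autz-Type was set and nothing was consulted."""
    group = huntgroup_for(request, parse_huntgroups(HUNTGROUPS))
    instance = parse_users(USERS).get(group)
    if instance is None:
        return ("reject", None)
    basedn = LDAP_INSTANCES[instance]
    stored = DIRECTORY[basedn].get(request["User-Name"])  # stand-in for the LDAP bind
    if stored is not None and stored == password:
        return ("accept", basedn)
    return ("reject", basedn)


if __name__ == "__main__":
    req = {"User-Name": "joeuser", "NAS-IP-Address": "192.168.0.4"}
    print(authorize(req, "ftp-secret"))   # accepted under the ftpusers tree
    print(authorize(req, "dial-secret"))  # the dial password is useless on the ftp NAS
```

A request from a NAS address not listed in the huntgroups file gets no Autz-Type and is rejected outright, which is the behaviour you want from this layout: the huntgroup is the only thing choosing between the two subtrees, so every NAS must be listed.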