John Keimel wrote:
> I have two Freeradius servers, one of which authenticates MAC addresses
> for wireless, the other [EMAIL PROTECTED] for some other network
> access.
> I'd like to combine the two of them into one server. If the username
> comes through without a realm (a MAC address) I'd like it to check the
> users file. If it comes through with a realm, just check LDAP. If the
> MAC address fails, it should never ever check LDAP. That just beats up
> the LDAP server and the LDAP admin yells (with good reason!).
Use Autz-Type and a 2nd files module, like so:
modules {
        files {
                usersfile = ${confdir}/users
        }
        # second instance of the files module, named files2
        files files2 {
                usersfile = ${confdir}/users2
        }
        ldap {
                ...
        }
}
authorize {
        preprocess
        # ${confdir}/users only picks the Autz-Type; exactly one of the
        # two sub-sections below then runs, never both
        files
        Autz-Type MAC {
                files2
        }
        Autz-Type USER {
                ldap
        }
}
in ${confdir}/users:
# first matching entry wins (no Fall-Through), so the realm check comes first
DEFAULT User-Name =~ "[EMAIL PROTECTED]", Autz-Type := USER
DEFAULT Autz-Type := MAC
in ${confdir}/users2:
00-11-22-33-44-55 Whatever-Attributes == "somevalue"
        Reply-Attribute-1 = foo,
        Reply-Attribute-2 = bar
> Should I be looking to do this just in the radiusd.conf? Or should I be
> attempting to mangle some kind of proxy arrangement? Would anyone care
> to share any sample configs for such a thing? It looks to me like there
> may be several ways to do this and I'd like to spend the time building
> up the best method. Proxy? Autz-type?
Autz-Type
Proxy is really intended for if you're going to send the request on
somewhere else. It *can* strip the username, but there are easier ways
to do it.
You could also configure a huntgroup based on various attributes, e.g.
${confdir}/huntgroups:
ethernet NAS-Port-Type == Ethernet
vpn NAS-Port-Type == Async, NAS-IP-Address == my.vpn.server.ip
${confdir}/users:
DEFAULT Huntgroup-Name == "ethernet", Autz-Type := MAC
DEFAULT Huntgroup-Name == "vpn", Autz-Type := USER
...and so on
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
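Added example, not code from the post above or from FreeRADIUS itself: a Python simulation of the users-file matching the reply relies on, with a constructed ${confdir}/users and users2 and a fake ldap module that records every lookup it receives. It assumes the realm regex is ^[^@]+@[^@]+$ (the original pattern was redacted by the list archive) and uses NAS-Port-Type, Reply-Message and Session-Timeout as stand-ins for the placeholder attributes. Only the subset of the FreeRADIUS 1.x users-file syntax used in the thread is implemented: DEFAULT or literal User-Name entries, check items with ==, =~ and :=, indented comma-separated reply items, and Fall-Through. The real server additionally needs an Auth-Type before it accepts a matched station; here a users2 hit simply counts as accept.

```python
import re

# Constructed ${confdir}/users (not the poster's file). The realm regex is an
# assumption: the original pattern was redacted by the list archive.
USERS = '''
# user@realm entries go to the directory; first match wins, so this comes first
DEFAULT User-Name =~ "^[^@]+@[^@]+$", Autz-Type := USER
# anything else (a MAC address sent as User-Name) is checked locally only
DEFAULT Autz-Type := MAC
'''

# Constructed ${confdir}/users2: one entry per permitted station (attributes assumed).
USERS2 = '''
00-11-22-33-44-55 NAS-Port-Type == Wireless-802.11
    Reply-Message = "known station",
    Session-Timeout = 3600
'''

ITEM = re.compile(r'^([\w-]+)\s*(==|=~|:=|=)\s*(.+)$')

def _items(text):
    """'a == 1, b =~ "x"' -> [(attr, op, value)]; commas inside quotes are not handled."""
    out = []
    for piece in (p.strip() for p in text.split(",")):
        if not piece:
            continue
        m = ITEM.match(piece)
        if not m:
            raise ValueError("bad item: %r" % piece)
        val = m.group(3)
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        out.append((m.group(1), m.group(2), val))
    return out

def parse_users(text):
    """Users-file text -> [(name, check_items, reply_dict)]; indented lines are reply items."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0].isspace():
            entries[-1][2].update((a, v) for a, _op, v in _items(line))
        else:
            parts = line.split(None, 1)
            entries.append((parts[0], _items(parts[1]) if len(parts) > 1 else [], {}))
    return entries

def _match(entry, request):
    """Control items set by a matching entry, or None if any check item fails."""
    name, checks, _reply = entry
    if name != "DEFAULT" and name != request.get("User-Name"):
        return None
    control = {}
    for attr, op, val in checks:
        if op == ":=":                 # sets a control item; never causes a mismatch
            control[attr] = val
        elif request.get(attr) is None:
            return None
        elif op == "==" and request[attr] != val:
            return None
        elif op == "=~" and re.search(val, request[attr]) is None:
            return None
    return control

def files_authorize(entries, request):
    """The files module: first matching entry wins unless it sets Fall-Through = Yes."""
    matched, control, reply = False, {}, {}
    for entry in entries:
        ctl = _match(entry, request)
        if ctl is None:
            continue
        matched = True
        control.update(ctl)
        reply.update(entry[2])
        if reply.pop("Fall-Through", "No").lower() != "yes":
            break
    return matched, control, reply

class FakeLdap:
    """Stand-in for the ldap module that records every lookup it receives."""
    def __init__(self, known):
        self.known, self.queries = set(known), []
    def lookup(self, username):
        self.queries.append(username)
        return username in self.known

def authorize(request, users, users2, ldap):
    """Mirror the authorize {} section: files picks Autz-Type, exactly one branch runs."""
    _m, control, _r = files_authorize(users, request)
    autz = control.get("Autz-Type")
    if autz == "MAC":                  # unknown station: notfound, LDAP is never consulted
        ok, _c, reply = files_authorize(users2, request)
        return ("accept" if ok else "reject"), reply
    if autz == "USER":
        return ("accept" if ldap.lookup(request["User-Name"]) else "reject"), {}
    return "reject", {}                # no Autz-Type selected: nothing authorized the request
```

The property to check is that FakeLdap.queries stays empty for every MAC-shaped User-Name, known or unknown, while user@realm names reach the directory and nothing else. Because users2 is keyed on the literal User-Name, a station the controller reports as 00:11:22:33:44:55 or in upper case does not match the 00-11-22-33-44-55 entry and is rejected (still without an LDAP query), so key the file in the exact form the NAS sends.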