Alan-

I did think of a way out of this; accomplish 'realmlike' functionality with attr_rewrite, because the radius server I proxy to is under my control as well.

user example: mdhare_(dept)

on 'master' radius server (one that all requests are proxied through)

    attr_rewrite force_username {
            attribute = User-Name
            searchin = packet
            searchfor = "_[a-z]+"
            replacewith = ""
            append = no
            new_attribute = no
            max_matches = 1
    }

My understanding is that the User-Name attribute will be rewritten by the proxy for auth but the proxier will still match on the original. Not very intuitive but easier than a server per realm.

-Michael

Michael Hare wrote:
> Alan-
>
> Thanks for your time.
>
>> When you're processing the "users" file after proxying, the user name
>> is the *stripped* name, i.e. without the realm.
>
> Ok, this corresponds more with what I see than that wiki link I sent
> you. When I supply the original username '[EMAIL PROTECTED]', entry #2 [see
> immediately below] is the one that matches after the proxy.
>
> mdhare Realm == "test"
>         Framed-IP-Address = 146.151.211.254
>
> mdhare
>         Framed-IP-Address = 146.151.211.254
>
> However, I'd like to provide a different Framed-IP-Address based on the
> supplied realm. The goal that we are trying to implement is IP groups
> in a VPN server. I'm trying to hammer this out with radius because I
> don't want a vendor specific solution. Can you think of a creative way
> to provide a Framed-IP-Address on the local server based on realm with
> Freeradius 1.x code? To be more specific, let's say that I belong to
> three departments. I may have multiple logins '[EMAIL PROTECTED]',
> '[EMAIL PROTECTED]', and '[EMAIL PROTECTED]' that would hand back different
> IPs but auth with the same central DB.
>
> It looks like I could set up a new radius server to proxy to for each
> individual realm [since I can guarantee unique username per realm] but
> that could be a LOT of realms [one for each dept that wants to
> participate, which may be dozens].
>
>> That will change in 2.0, when it's released. The "users" file should
>> ONLY be processed before proxying, not after.
>
> When 2.0 comes out, will this mean that I will be able to match on the
> realm in the users file and provide the Framed-IP-Address with a format
> like the below?
>
> [EMAIL PROTECTED]
>         Framed-IP-Address = 146.151.211.254
>
>> Go back and read the "users" file. The debug log shows it matching on
>> line 84, are you *sure* that the "mdhare" entries are before that?
>
> I think that the match on line 84 of the debug was for the attrs filter.
> I don't fully understand how this may be applicable to the question.
> Is there some interaction that I don't understand, or was your
> suggestion in error?
>
> -Michael
> --
=======================W===
Michael Hare
UW-Madison + WiscNet Network Engineering
Desk: 608-262-5236 24 Hr Noc: 608-263-4188
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
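Added example (not part of the original message, and not FreeRADIUS code): a Python model of the force_username rewrite posted above, assuming searchfor is applied as a regex from left to right and at most max_matches hits are replaced. It shows which name would be proxied for logins that contain more than one underscore or an uppercase suffix; the sample usernames and the end-anchored pattern are constructed for comparison.

```python
import re

# Values copied from the attr_rewrite block in the message.
SEARCHFOR = r"_[a-z]+"
REPLACEWITH = ""
MAX_MATCHES = 1

# Assumption, for comparison only: the same pattern anchored to the end of the name.
ANCHORED = r"_[a-z]+$"

# Constructed sample logins (user_dept style, plus edge cases).
SAMPLES = ["mdhare_test", "mdhare", "mdhare_TEST", "m_hare_test", "mdhare_a_b"]


def rewrite(user_name, pattern=SEARCHFOR, max_matches=MAX_MATCHES):
    """Model of the rewrite: replace the first max_matches regex hits."""
    return re.sub(pattern, REPLACEWITH, user_name, count=max_matches)


def split_request(user_name, pattern=SEARCHFOR):
    """Return (original name, name sent to the home server, text removed)."""
    hit = re.search(pattern, user_name)
    removed = hit.group(0) if hit else None
    return user_name, rewrite(user_name, pattern), removed


def report(pattern):
    """Map each sample login to (proxied name, removed text) for a pattern."""
    return {name: split_request(name, pattern)[1:] for name in SAMPLES}


if __name__ == "__main__":
    for label, pattern in (("as posted", SEARCHFOR), ("anchored", ANCHORED)):
        print(label)
        for name, (proxied, removed) in report(pattern).items():
            print(f"  {name:12} -> proxied={proxied!r} removed={removed!r}")
```

With the pattern as posted, a login such as m_hare_test loses its first underscore segment rather than the trailing department suffix, so the account authenticated upstream differs from the one intended.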