> Message: 1 > Date: Sat, 31 Mar 2007 18:11:46 +0200 > From: Alexander Papenburg <[EMAIL PROTECTED]> > Subject: add realm to user based on NAS-IP > To: FreeRadius users mailing list > <freeradius-users@lists.freeradius.org> > Message-ID: <[EMAIL PROTECTED]> > Content-Type: text/plain; charset=ISO-8859-15; format=flowed > > Hi all, > > i wonder if it is possible to add a realm to a username based on the > NAS-IP the request come from. > For instance: > - user "abc" logs on router 10.0.0.1 > > - router 10.0.0.1 asks a freeradius proxy for user "abc" > > - freeradius-proxy recognize the ip and add "@realm" to the username and > proxy the request to another freeradius-server based on "realm"-entry > in proxy.conf > > Unfortunatly I found many "solutions" in the past 2 hours (like > proxy-to-realm, attr_rewrite, hints...), I cant't decide which is the > right one for me. %) So help would be much appreciated. > > > Thanks in advance > > Alexander > > >
If your using eap, you can't rewrite the username as then the username in the outer identity won't match the one in the eap tunnel and eap message will be rejected by your radius home server. Unless at your home server you strip the realm part of the user-name attribute off again Your best bet for this is to use the users file and the proxy-to-realm 'check-item'. so you'd have in the users file on your proxying radius server DEFAULT NAS-IP-Address == 10.0.0.1, Proxy-To-Realm = "MyRealm" User-Name = "[EMAIL PROTECTED]" Then add these to your hints file on your home radius server (though you may have to rewrite them depending on the regex engine your home server is using). # Writes stripped username to use in authorization (user@|%|/domain) DEFAULT User-Name =~ "^([[:alnum:]]*)(@|%|/)([[:alnum:].]*)$" User-Name = "%{1}" # Wrties alternate stripped username to use in authorization (domain\\user) DEFAULT User-Name =~ "^([[:alnum:].]*)\\\\\\\\([[:alnum:]]*)$" User-Name = "%{2}" Hope this helps :) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html