Thank you Fajar. I added an additional argument to the lib pam radius like "realm=192.168.100.10", and this realm is appended to the user like u...@192.168.100.10. This solved my problem.
Regards, Sri.

On Thu, Feb 11, 2010 at 5:20 PM, <sr...@aol.in> wrote:
> Now the problem is how to identify a user like root have same name on
> multiple machines.
> For this I observed that this PAM library is sending
> Calling-Station-Id in Access-Request packets.
> I did modify my radcheck table to have entries as following:
> +----+-----------+--------------------+----+----------------+
> | id | UserName  | Attribute          | op | Value          |
> +----+-----------+--------------------+----+----------------+
> |  1 | linuxuser | Password           | == | radpwd         |
> | 12 | root      | Calling-Station-Id | == | 192.168.100.61 |
> | 11 | root      | Password           | == | 10radpwd       |
> | 10 | root      | Password           | == | 61radpwd       |
> | 13 | root      | Calling-Station-Id | == | 192.168.70.10  |
> +----+-----------+--------------------+----+----------------+
>
> But the failed to authenticate.

That won't work. You're NOT supposed to have different passwords for the same user name. When using a centralized authentication (radius, LDAP, Active Directory, whatever), a user will use the same password regardless of other attributes (like Calling-Station-Id).

That being said, freeradius is highly customizable. You could, for example, use unlang to modify the username to become "r...@192.168.100.10". See
http://lists.freeradius.org/pipermail/freeradius-users/2010-January/msg00389.html
and
http://lists.freeradius.org/pipermail/freeradius-users/2010-January/msg00468.html
for example. It does the reverse of what you're trying to do, but you can look at the example to see how you could modify the value of User-Name in request attribute.

Another approach would be to use a custom user table (adding another column, CallingStationId), plus modify queries in dialup.conf so it says "WHERE username = '%{SQL-User-Name}' AND CallingStationId='%{Calling-Station-Id}'" instead of just "WHERE username = '%{SQL-User-Name}' ".
Your table would then look something like this

+----+----------+-----------+----+----------+------------------+
| id | UserName | Attribute | op | Value    | CallingStationId |
+----+----------+-----------+----+----------+------------------+
| 11 | root     | Password  | == | 10radpwd | 192.168.100.10   |
| 10 | root     | Password  | == | 61radpwd | 192.168.100.61   |
+----+----------+-----------+----+----------+------------------+

but with this method you need to define ALL calling-station-id and their corresponding passwords.

I consider this a hack though. You should avoid this unless you ABSOLUTELY know what you're doing, as you're unlikely to get help from others if you experience problems due to this "hack".

--
Fajar

-----Original Message-----
From: sr...@aol.in
To: freeradius-users@lists.freeradius.org
Sent: Thu, 11 Feb 2010 3:50 pm
Subject: radius for linux authentication

Hi List,

I have configured my linux devices to use freeRadius (freeRadius 1.1.5 with MySQL backend) authentication. Installation of pam library went well and am able to get authenticated against my freeRadius server.

Now the problem is how to identify a user like root have same name on multiple machines. For this I observed that this PAM library is sending Calling-Station-Id in Access-Request packets. I did modify my radcheck table to have entries as following:

+----+-----------+--------------------+----+----------------+
| id | UserName  | Attribute          | op | Value          |
+----+-----------+--------------------+----+----------------+
|  1 | linuxuser | Password           | == | radpwd         |
| 12 | root      | Calling-Station-Id | == | 192.168.100.61 |
| 11 | root      | Password           | == | 10radpwd       |
| 10 | root      | Password           | == | 61radpwd       |
| 13 | root      | Calling-Station-Id | == | 192.168.70.10  |
+----+-----------+--------------------+----+----------------+

But the failed to authenticate.

Please suggest what could be the problem, ASAP. Also, are there any other ways to handle this kind of situation. Appreciate your help.
Regards, Sri.
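
Added example, not part of the thread and not FreeRADIUS code: a model of the per-host lookup described in the reply above, using Python's sqlite3 in place of MySQL. The table name radcheck_perhost, the linuxuser rows' CallingStationId values and the authenticate helper are assumptions made for illustration.

```python
import hmac
import sqlite3

# Constructed sample data modelled on the tables quoted in the thread.
# "radcheck_perhost" is a hypothetical name for the custom user table.
ROWS = [
    (10, "root", "Password", "==", "61radpwd", "192.168.100.61"),
    (11, "root", "Password", "==", "10radpwd", "192.168.100.10"),
    (1, "linuxuser", "Password", "==", "radpwd", "192.168.100.61"),
    (2, "linuxuser", "Password", "==", "radpwd", "192.168.100.10"),
]

# Lookup keyed on the user name only, and the per-host variant from the reply.
STOCK_QUERY = ("SELECT id, UserName, Attribute, Value, op FROM radcheck_perhost "
               "WHERE UserName = ? ORDER BY id")
PER_HOST_QUERY = ("SELECT id, UserName, Attribute, Value, op FROM radcheck_perhost "
                  "WHERE UserName = ? AND CallingStationId = ? ORDER BY id")


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radcheck_perhost (id INTEGER PRIMARY KEY, UserName TEXT,"
                 " Attribute TEXT, op TEXT, Value TEXT, CallingStationId TEXT)")
    conn.executemany("INSERT INTO radcheck_perhost VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    return conn


def passwords(conn, user, calling_station_id=None):
    """Return the Password check values the lookup yields for this request."""
    if calling_station_id is None:
        cur = conn.execute(STOCK_QUERY, (user,))
    else:
        # Calling-Station-Id comes from the client's Access-Request, so it is
        # bound as a parameter rather than pasted into the SQL text.
        cur = conn.execute(PER_HOST_QUERY, (user, calling_station_id))
    return [row[3] for row in cur if row[2] == "Password"]


def authenticate(conn, user, password, calling_station_id):
    """Simplified model (not FreeRADIUS's own logic): accept only when the
    lookup yields exactly one Password row and that row matches."""
    found = passwords(conn, user, calling_station_id)
    return len(found) == 1 and hmac.compare_digest(found[0].encode(), password.encode())


if __name__ == "__main__":
    db = build_db()
    print(passwords(db, "root"))                    # user-only lookup: two candidates
    print(passwords(db, "root", "192.168.100.10"))  # per-host lookup: one candidate
    print(authenticate(db, "root", "61radpwd", "192.168.100.10"))
```

A host with no row in the table yields no Password entry and is rejected, which is the "define ALL calling-station-id" requirement from the reply.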