Hello Kevin -

On Wed, 03 Nov 1999, Kevin Fowler wrote:
> Hello,
>     We have multiple groups of customers authenticating out of multiple
> databases with some of the usernames being the same.  They need to be
> able to authenticate with realms and without realms.  The problem is with
> the SessionDatabase.  All of the following example username and password
> pairs need to work correctly from the same radius server:
> 
> [EMAIL PROTECTED]
> password1
> 
> user1
> password1
> 
> [EMAIL PROTECTED]
> password2
> 
> user1
> password2
> 
>    I accomplished this by setting up a realm for dom1.com and 
> dom2.com.  They each use a different database of users.  If no realm is
> specified then I have two AuthBy clauses to attempt to authenticate off of
> each of the two databases. The AuthByPolicy is set to
> ContinueUntilAccept.  So the same username could log on with different
> passwords depending on what database they are in.
>    The authentication works great; the problem is with the 
> SessionDatabase.  If they authenticated with the dom1.com realm then it
> sends [EMAIL PROTECTED] to the RADONLINE table.  If they authenticate without
> a realm then it just sends user1 to the table.  This stops the other user1
> from being able to log on.  What I would prefer is a way to append
> @dom1.com to the username if they are in the first database and @dom2.com
> to the username if they are in the second database.  We tried the 
> RewriteUsername method but it will not work because you can't rewrite the
> username within each AuthBy clause.  We also tried having different
> SessionDatabases but again you can't specify a different SessionDatabase
> per AuthBy clause only per Realm.
>    Let me know if anyone has an idea of a better way to do this or if
> anyone had a solution to the way I am trying to do it.  Thanks in advance
> for any help.  At the bottom I have included an example of my config file.
> 

The two solutions that I can see are:

1. If you can identify the user by the NAS they dial in to, you can set a
DefaultRealm:

# This Client is used by dom1 users

<Client ....>
        DefaultRealm dom1.com
        ...
</Client>

# This Client is used by dom2 users

<Client ....>
        DefaultRealm dom2.com
        ...
</Client>

2. Set up a PreClientHook to rewrite the username prior to it being inserted in
the SessionDatabase.

In both cases, you would then only need the two specific Realm clauses.

hth

Hugh


--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
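Solution 2 above, written out as an added example that is not part of Hugh's reply or of the Radiator distribution: a Perl hook that appends a realm to bare usernames according to the NAS the request came from, so the SessionDatabase ends up holding user1@dom1.com or user1@dom2.com instead of a bare user1 that collides between the two databases. Like solution 1 it assumes the NAS identifies the user group. The NAS addresses, the NasRealm map and the Request stand-in class are constructed for the demo; in a real config only the body of add_realm_by_nas goes inside the PreClientHook sub { ... } parameter, where Radiator passes a reference to the request packet as $_[0] (so the hook starts with my $p = ${$_[0]};).

```perl
#!/usr/bin/perl
# Added example, not code from the Radiator distribution or the list reply.
# The realm-appending logic in add_realm_by_nas() is what would go inside a
# Radiator "PreClientHook sub { ... }" parameter; %NasRealm, the addresses
# and the constructed Request class are assumptions made for this demo.
use strict;
use warnings;

# Assumed mapping: which NAS address carries which group of users.
my %NasRealm = (
    '192.0.2.10' => 'dom1.com',
    '192.0.2.20' => 'dom2.com',
);

# Hook body: append a realm to bare usernames, chosen by NAS-IP-Address.
# Names that already carry '@realm' are left untouched, so user1@dom1.com
# still matches its Realm clause exactly as before.
sub add_realm_by_nas {
    my ($p) = @_;                       # the request packet object
    my $name = $p->get_attr('User-Name');
    return unless defined $name;
    return if $name =~ /\@/;            # already qualified, nothing to do
    my $nas   = $p->get_attr('NAS-IP-Address') // '';
    my $realm = $NasRealm{$nas};
    return unless defined $realm;       # unknown NAS: leave the name alone
    $p->change_attr('User-Name', "$name\@$realm");
}

# Constructed stand-in for the request object, offering only the two
# accessor methods the hook uses (get_attr / change_attr).
package Request;
sub new         { my ($class, %attrs) = @_; return bless {%attrs}, $class }
sub get_attr    { return $_[0]->{$_[1]} }
sub change_attr { $_[0]->{$_[1]} = $_[2] }
package main;

# Constructed requests covering the cases from the original question.
my @cases = (
    [ 'user1',          '192.0.2.10',   'user1@dom1.com' ],
    [ 'user1',          '192.0.2.20',   'user1@dom2.com' ],
    [ 'user1@dom1.com', '192.0.2.20',   'user1@dom1.com' ],
    [ 'user1',          '198.51.100.1', 'user1'          ],
);
for my $case (@cases) {
    my ($name, $nas, $want) = @$case;
    my $p = Request->new('User-Name' => $name, 'NAS-IP-Address' => $nas);
    add_realm_by_nas($p);
    my $got = $p->get_attr('User-Name');
    printf "%-16s from %-13s -> %-16s %s\n", $name, $nas, $got,
        $got eq $want ? 'ok' : 'MISMATCH';
}
```

Because the hook runs before the Client and Realm clauses are selected, the rewritten name is what every later stage sees, including the SessionDatabase insert; requests from a NAS not in the map pass through unchanged, which is the safe default when a new NAS is added before the map is updated.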
