Re: Multiple Realms
Shawky Skaff wrote:
> Basically I currently have one active realm and need to have another
> realm configured onto the same radius box. For example
> dsl.example.com.au is one and voice.example.com.au is the second.

You need to configure two realms.

> How can I configure the second? I know it’s somewhat to do with
> proxy.conf file, but not sure how or where to do this.

You create another "realm" block, using the name of the second realm.
It shouldn't be hard.

	realm foo {
		...
	}

	realm bar {
		...
	}

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Multiple Realms per NAS
On 1/6/2010 12:13 PM, Nalin Mistry wrote:
> We have just installed FreeRADIUS and have basic functionality working
> for ISP and Hotspot applications. For the ISP application, we would like
> to specify the realms supported on a NAS basis. Is this feasible and how
> would one go about configuring it.

FreeRADIUS uses a policy language for such things; it is up to you to
write the correct policy. There are no built-in methods for doing this.

Here are a couple of examples as to how you could achieve it:

If you want a local non-centralized solution then use an instance of the
files module:

raddb/modules/files

	files realm_map {
		# The default key attribute to use for matches.  The content
		# of this attribute is used to match the "name" of the
		# entry.
		key = "%{Client-Shortname}"

		usersfile = ${confdir}/realm_map
		#acctusersfile = ${confdir}/acct_users
		#preproxy_usersfile = ${confdir}/preproxy_users

		# If you want to use the old Cistron 'users' file
		# with FreeRADIUS, you should change the next line
		# to 'compat = cistron'.  You can then copy your 'users'
		# file from Cistron.
		compat = no
	}

raddb/realm_map

	NASX	Realm == 'RealmX'
		Fall-Through = no
	NASX	Realm == 'RealmY'
		Fall-Through = no
	NASY	Realm == 'RealmZ'
		Fall-Through = no
	DEFAULT	Auth-Type := Reject

Or if you want something SQL based:

	authorize {
		# Reject unless this NAS/realm pair has a row in my_realm_mappings
		if ("%{sql:SELECT COUNT(*) FROM `my_realm_mappings` WHERE `nas`='%{Client-Shortname}' AND `realm`='%{Realm}' LIMIT 1}" != 1) {
			reject
		}
	}

-Arran

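An added example, not part of the message above or of FreeRADIUS itself: a small Python model of the first-match walk that a files-module instance performs over the realm_map shown in that reply, usable for checking a NAS-to-realm allow-list before deploying it. It is a simplification that understands only `==` comparisons, `:=` assignments and `Fall-Through`; the function names are hypothetical and the entries are the thread's placeholder names.

```python
import re

# Constructed sample: the thread's realm_map entries (placeholder NAS and realm names).
REALM_MAP = """\
NASX    Realm == 'RealmX'
        Fall-Through = no
NASX    Realm == 'RealmY'
        Fall-Through = no
NASY    Realm == 'RealmZ'
        Fall-Through = no
DEFAULT Auth-Type := Reject
"""

ITEM = re.compile(r"^\s*([\w-]+)\s*(==|:=|=)\s*['\"]?(.*?)['\"]?\s*$")

def parse_items(text):
    """Split 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    return [ITEM.match(part).groups() for part in text.split(",") if part.strip()]

def parse_realm_map(text):
    """Return [name, check_items, reply_items] per entry, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0].isspace():            # indented line: reply items of the current entry
            entries[-1][2].extend(parse_items(line))
        else:                            # new entry: name, then its check items
            parts = line.split(None, 1)
            entries.append([parts[0], parse_items(parts[1] if len(parts) > 1 else ""), []])
    return entries

def decide(entries, client_shortname, realm):
    """Walk entries keyed on the NAS short name; return 'allowed', 'reject' or 'no-match'."""
    request = {"Realm": realm}
    for name, checks, replies in entries:
        if name not in (client_shortname, "DEFAULT"):
            continue
        if any(op == "==" and request.get(a) != v for a, op, v in checks):
            continue                     # a comparison failed, try the next entry
        if ("Auth-Type", ":=", "Reject") in checks:
            return "reject"              # the catch-all DEFAULT entry was reached
        if dict((a, v) for a, _, v in replies).get("Fall-Through", "no") != "yes":
            return "allowed"             # matched and not falling through: stop here
    return "no-match"                    # no entry matched and there is no DEFAULT
```

Because the DEFAULT entry comes last and rejects, any NAS or realm not listed ahead of it is denied, so the order of entries in the file is part of the policy.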
RE: Multiple REALMS, multiple SQL
Great, it does the trick :)
It was simpler than I thought.

Another question: is it safe to write into the same sql
server\database\table by 2 radius servers authenticating the same realm?

--
Andrea Cerrito

Re: Multiple REALMS, multiple SQL
Andrea Cerrito wrote:
> How can I let the proxy write in a db just the realm DEF and GHI and ignore
> the realm ABC?

Do *conditional* logging to SQL. See Acct-Type, which lets you
conditionally call a module.

> I think it can be done in the post-proxy section of the radius.conf... But
> how?

Not in post-proxy. Do it in the "accounting" section.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

Re: Multiple realms: need help
Normando Marcolongo <[EMAIL PROTECTED]> wrote:
> I would like to have freeradius behave like this:
> - realm 'alwaysok' would always accept authentication
> - realm 'checkthis' would always check against mysql

Sure, but they're not really realms.

> Is there a more elegant way of doing this?

Yes. You can look for the Realm in the users file.

Alan DeKok.

RE: Multiple realms
;username'
sql_set_user: escaped user --> 'username'
radius_xlat: 'INSERT into radacct (RadAcctId, AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('', '440615203', '', 'username', 'DEFAULT', '111.222.333.444', '7', 'Async', '2004-02-23 14:51:16', '0', '0', 'RADIUS', '', '', '0', '0', '2345678901', '99', '', 'Framed-User', 'PPP', '111.222.333.123', '0', '0')'
rlm_sql: Reserving sql socket id: 3
rlm_sql: Released sql socket id: 3
modcall[accounting]: module "sql" returns ok
modcall: group accounting returns ok
Sending Accounting-Response of id 238 to 209.16.220.24:1814
	Proxy-State = 0x3538
Finished request 11
Going to the next request
Cleaning up request 11 ID 238 with timestamp 403a67c4
rl_next: returning NULL
Waking up in 6 seconds...

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:freeradius-
> [EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Monday, February 23, 2004 2:46 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Multiple realms
>
> "Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
> > DEFAULT Called-Station-Id == "2345678901", Realm := "isp1.net"
> > In both users and acct_users
> > And I still get DEFAULT put in the realm field in my database.
>
> Then read the debug log to see where the DEFAULT realm is coming from.
>
> Alan DeKok.

Re: Multiple realms
"Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
> DEFAULT Called-Station-Id == "2345678901", Realm := "isp1.net"
> In both users and acct_users
> And I still get DEFAULT put in the realm field in my database.

Then read the debug log to see where the DEFAULT realm is coming from.

Alan DeKok.

RE: Multiple realms
I put

	DEFAULT Called-Station-Id == "2345678901", Realm := "isp1.net"

In both users and acct_users

And I still get DEFAULT put in the realm field in my database.

Should this be a REPLY?

	DEFAULT Called-Station-Id == "2345678901"
		Realm := "isp1.net"

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:freeradius-
> [EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Monday, February 23, 2004 12:38 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Multiple realms
>
> "Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
> > I would like the SQL database field "realm" to properly reflect what
> > realm it is actually proxying for.
>
> Ok...
>
> > The problem is that if I put Called-Station-Id in the users file and put
> > the realm information in proxy.conf, I get an infinite loop.
>
> Of what?
>
> > users:
> >
> > DEFAULT Called-Station-Id == "2345678901", Proxy-To-Realm :=
> > "isp1.net"
>
> Which says "PROXY THE PACKET", not "Set the Realm"
>
> Use the "Realm" attribute to set the Realm.
>
> >
> > proxy.conf:
> >
> > realm isp1.net {
> > type= radius
> > authhost = LOCAL
> > accthost = LOCAL
>
> You're trying to do RADIUS proxying to the local server. I don't
> see why.

No, I am accepting a proxy request from another server.

>
> > Any thoughts? Am I doing something wrong, or is this just something I'll
> > have to live with?
>
> Use Realm, and not Proxy-To-Realm.
>
> Alan DeKok.

Re: Multiple realms
"Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
> I would like the SQL database field "realm" to properly reflect what
> realm it is actually proxying for.

Ok...

> The problem is that if I put Called-Station-Id in the users file and put
> the realm information in proxy.conf, I get an infinite loop.

Of what?

> users:
>
> DEFAULT Called-Station-Id == "2345678901", Proxy-To-Realm :=
> "isp1.net"

Which says "PROXY THE PACKET", not "Set the Realm"

Use the "Realm" attribute to set the Realm.

>
> proxy.conf:
>
> realm isp1.net {
> type= radius
> authhost = LOCAL
> accthost = LOCAL

You're trying to do RADIUS proxying to the local server. I don't
see why.

> Any thoughts? Am I doing something wrong, or is this just something I'll
> have to live with?

Use Realm, and not Proxy-To-Realm.

Alan DeKok.