Re: Multiple Realms

2012-05-23 Thread Alan DeKok
Shawky Skaff wrote:
> Basically I currently have one active realm and need to have another
> realm configured onto the same radius box. For example
> dsl.example.com.au is one and voice.example.com.au is the second.

  You need to configure two realms.

> How can I configure the second? I know it’s somewhat to do with
> proxy.conf file, but not sure how or where to do this.

  You create another "realm" block, using the name of the second realm.
 It shouldn't be hard.

realm foo {
...
}

realm bar {
...
}

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Multiple Realms per NAS

2010-01-06 Thread Arran Cudbard-Bell

On 1/6/2010 12:13 PM, Nalin Mistry wrote:

> We have just installed FreeRADIUS and have basic functionality working for ISP
> and Hotspot applications.
>
> For the ISP application, we would like to specify the realms supported on a NAS
> basis. Is this feasible and how would one go about configuring it.

FreeRADIUS uses a policy language for such things; it is up to you to 
write the correct policy, as there are no built-in methods for doing this.


Here are a couple of examples as to how you could achieve it:

If you want a local non-centralized solution then use an instance of the 
files module:


raddb/modules/files

files realm_map {
	# The default key attribute to use for matches. The content
	# of this attribute is used to match the "name" of the
	# entry.
	key = "%{Client-Shortname}"
	usersfile = ${confdir}/realm_map
	#acctusersfile = ${confdir}/acct_users
	#preproxy_usersfile = ${confdir}/preproxy_users
	# If you want to use the old Cistron 'users' file
	# with FreeRADIUS, you should change the next line
	# to 'compat = cistron'. You can then copy your 'users'
	# file from Cistron.
	compat = no
}

raddb/realm_map

NASX Realm == 'RealmX'
	Fall-Through = no
NASX Realm == 'RealmY'
	Fall-Through = no
NASY Realm == 'RealmZ'
	Fall-Through = no
DEFAULT Auth-Type := Reject

Or if you want something SQL based:

authorize {
	if ("%{sql:SELECT COUNT(*) FROM `my_realm_mappings` WHERE `nas`='%{Client-Shortname}' AND `realm`='%{Realm}' LIMIT 1}" != 1) {
		reject
	}
}

-Arran






RE: Multiple REALMS, multiple SQL

2007-04-15 Thread Andrea Cerrito
Great, it does the trick :)
It was simpler than I thought.

Another question: is it safe to write into the same sql
server\database\table by 2 radius servers authenticating the same realm?
--
Andrea Cerrito 



Re: Multiple REALMS, multiple SQL

2007-04-15 Thread Alan DeKok
Andrea Cerrito wrote:
> How can I let the proxy write in a db just the realm DEF and GHI and ignore
> the realm ABC?

  Do *conditional* logging to SQL.  See Acct-Type, which lets you
conditionally call a module.

> I think it can be done in the post-proxy section of the radius.conf... But
> how?

  Not in post-proxy.  Do it in the "accounting" section.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
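
One way to set up the conditional SQL logging described above, as an added example that is not part of the original post. `sql_log` is a hypothetical Acct-Type name, and the `detail` and `sql` module instances are assumed to be configured already.

```conf
# radiusd.conf (added example; names below are assumptions)

preacct {
	preprocess
	# Splits user@realm and sets the Realm attribute.
	# Must run before "files" so acct_users can match on Realm.
	suffix
	# Reads acct_users, which sets Acct-Type for selected realms.
	files
}

accounting {
	# Requests with no Acct-Type set (realm ABC here) run only
	# the modules listed directly in this section: no SQL write.
	detail

	# Requests tagged with Acct-Type := sql_log run only this
	# sub-section, not the list above, so anything wanted for
	# every realm (here: detail) is repeated inside it.
	Acct-Type sql_log {
		detail
		sql
	}
}

# acct_users (added example)
# Tag accounting packets for the realms that should reach SQL.
# Realm ABC has no entry, so its Acct-Type stays unset.

DEFAULT	Realm == "DEF", Acct-Type := sql_log

DEFAULT	Realm == "GHI", Acct-Type := sql_log
```

Running the server in debug mode and sending one accounting packet per realm shows which section handled it: the `sql` module should appear in the module calls for DEF and GHI only.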


Re: Multiple realms: need help

2005-07-01 Thread Alan DeKok
Normando Marcolongo <[EMAIL PROTECTED]> wrote:
> I would like to have freeradius behave like this:
> - realm 'alwaysok' would always accept authentication
> - realm 'checkthis' would always check against mysql

  Sure, but they're not really realms.

> Is there a more elegant way of doing this?

  Yes.  You can look for the Realm in the users file.

  Alan DeKok.


RE: Multiple realms

2004-02-23 Thread Anson Rinesmith
;username'
sql_set_user:  escaped user --> 'username'
radius_xlat:  'INSERT into radacct (RadAcctId, AcctSessionId, AcctUniqueId,
UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime,
AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start,
ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId,
CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol,
FramedIPAddress, AcctStartDelay, AcctStopDelay) values('', '440615203', '',
'username', 'DEFAULT', '111.222.333.444', '7', 'Async', '2004-02-23
14:51:16', '0', '0', 'RADIUS', '', '', '0', '0', '2345678901', '99',
'', 'Framed-User', 'PPP', '111.222.333.123', '0', '0')'
rlm_sql: Reserving sql socket id: 3
rlm_sql: Released sql socket id: 3
  modcall[accounting]: module "sql" returns ok
modcall: group accounting returns ok
Sending Accounting-Response of id 238 to 209.16.220.24:1814
Proxy-State = 0x3538
Finished request 11
Going to the next request
Cleaning up request 11 ID 238 with timestamp 403a67c4
rl_next:  returning NULL
Waking up in 6 seconds...

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:freeradius-
> [EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Monday, February 23, 2004 2:46 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Multiple realms
> 
> "Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
> > DEFAULT Called-Station-Id == "2345678901", Realm := "isp1.net"
> > In both users and acct_users
> > And I still get DEFAULT put in the realm field in my database.
> 
>   Then read the debug log to see where the DEFAULT realm is coming from.
> 
>   Alan DeKok.
> 


Re: Multiple realms

2004-02-23 Thread Alan DeKok
"Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
> DEFAULT Called-Station-Id == "2345678901", Realm := "isp1.net"
> In both users and acct_users
> And I still get DEFAULT put in the realm field in my database.

  Then read the debug log to see where the DEFAULT realm is coming from.

  Alan DeKok.



RE: Multiple realms

2004-02-23 Thread Anson Rinesmith
I put
DEFAULT Called-Station-Id == "2345678901", Realm := "isp1.net"
In both users and acct_users
And I still get DEFAULT put in the realm field in my database.

Should this be a REPLY?
DEFAULT Called-Station-Id == "2345678901"
Realm := "isp1.net"


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:freeradius-
> [EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Monday, February 23, 2004 12:38 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Multiple realms
> 
> "Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
> > I would like the SQL database field "realm" to properly reflect what
> > realm it is actually proxying for.
> 
>   Ok...
> 
> > The problem is that if I put Called-Station-Id in the users file and put
> > the realm information in proxy.conf, I get an infinite loop.
> 
>   Of what?
> 
> > users:
> >
> > DEFAULT Called-Station-Id == "2345678901", Proxy-To-Realm :=
> > "isp1.net"
> 
>   Which says "PROXY THE PACKET", not "Set the Realm"
> 
>   Use the "Realm" attribute to set the Realm.
> 
> >
> > proxy.conf:
> >
> > realm isp1.net {
> > type= radius
> > authhost  = LOCAL
> > accthost  = LOCAL
> 
>   You're trying to do RADIUS proxying to the local server.  I don't
> see why.
No, I am accepting a proxy request from another server.
> 
> > Any thoughts? Am I doing something wrong, or is this just something I'll
> > have to live with?
> 
>   Use Realm, and not Proxy-To-Realm.
> 
>   Alan DeKok.
> 


Re: Multiple realms

2004-02-23 Thread Alan DeKok
"Anson Rinesmith" <[EMAIL PROTECTED]> wrote:
> I would like the SQL database field "realm" to properly reflect what
> realm it is actually proxying for.

  Ok...

> The problem is that if I put Called-Station-Id in the users file and put
> the realm information in proxy.conf, I get an infinite loop.

  Of what?

> users:
> 
> DEFAULT Called-Station-Id == "2345678901", Proxy-To-Realm :=
> "isp1.net"

  Which says "PROXY THE PACKET", not "Set the Realm"

  Use the "Realm" attribute to set the Realm.

> 
> proxy.conf:
> 
> realm isp1.net {
> type= radius
> authhost  = LOCAL
> accthost  = LOCAL

  You're trying to do RADIUS proxying to the local server.  I don't
see why.

> Any thoughts? Am I doing something wrong, or is this just something I'll
> have to live with?

  Use Realm, and not Proxy-To-Realm.

  Alan DeKok.
