Re: realm question

2008-07-24 Thread A.L.M. Buxey
Hi,

 Can I strip the idm/something/ somehow?  

sure. a simple strip in the config would work...
or unlang of course.

eg in radiusd.conf

attr_rewrite copy.user-name {
	# copy User-Name into a new Stripped-User-Name attribute
	attribute = Stripped-User-Name
	new_attribute = yes
	searchfor = ""
	searchin = packet
	replacewith = %{User-Name}
}

attr_rewrite remove-junk {
	# remove the idm/something/ prefix from Stripped-User-Name
	attribute = Stripped-User-Name
	searchfor = /idm\/something\/
	searchin = packet
	new_attribute = no
	replacewith = ""
}


then in sites-enabled/default  (or usual server) add 

copy.user-name  
remove-junk

in the authorize section alongside prefix, suffix, ntrealm etc

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Realm question

2007-08-23 Thread Alex French
Hmmm this might be overly complicated but you could configure realm1
to proxy back to yourself, stripping the realm, then configure each of
the other two as local realms? I imagine there must be a nicer way...

Alex

On 20/08/07, Jeff Crowe [EMAIL PROTECTED] wrote:
 Hi all,

 Sorry if this question has been answered (I did search the archives and
 google to no avail):  I have subscribers that connect with 2 realms as the
 prefix.  How do I strip both and just authenticate locally?

 IE: username: realm1/realm2/username  or realm1/realm3/username.  Realm1
 will always be present followed by either realm2 or realm3 (no others).

 Thanks,

 Jeff



RE: Realm question..

2006-04-25 Thread TS
 Is there a way of getting radius to authenticate on the username before
the @ sign and ignore the realm?

  Yes, but you have to edit the users file to get rid of the
@realm portion, and configure the realms as LOCAL ones.

The object is not to have to configure any realms as local.
So that Radius will try to auth any realm that isn't to be proxied.
If I have a user whose username is [EMAIL PROTECTED] I can easily specify
arealm.com as local. But if by mistake the user types the username as
[EMAIL PROTECTED] auth will just fail because the realm isn't specified in
proxy.conf.


  What does debugging mode say?


Exactly what you'd expect it to say if the realm isn't in proxy.conf:

#
rad_recv: Access-Request packet from host 127.0.0.1:33499, id=115, length=68
User-Name = [EMAIL PROTECTED]
User-Password = acc355
NAS-IP-Address = 255.255.255.255
NAS-Port = 1645
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module preprocess returns ok for request 2
  modcall[authorize]: module chap returns noop for request 2
  modcall[authorize]: module mschap returns noop for request 2
rlm_realm: Looking up realm arealm.com for User-Name =
[EMAIL PROTECTED]
rlm_realm: No such realm arealm.com
  modcall[authorize]: module suffix returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 2
  modcall[authorize]: module files returns notfound for request 2
modcall: group authorize returns ok for request 2
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/acc355] (from client localhost port 1645)
Delaying request 2 for 1 seconds
Finished request 2
##

The user doesn't exist as the entry in users just has the username as
user1 and the request is sending [EMAIL PROTECTED]

I want radius to first check to see if the request needs to be proxied.
If not then authenticate it locally no matter what the realm is but before
authenticating it strip off the realm and just use everything before the @
sign as the username.


Tony






Re: Realm question..

2006-04-25 Thread Alan DeKok
TS [EMAIL PROTECTED] wrote:
 The object is not to have to configure any realms as local.

  That conflicts directly with your requirement to allow users to log
in as user or [EMAIL PROTECTED].

 If I have a user whose username is [EMAIL PROTECTED] I can easily specify
 arealm.com as local. But if by mistake the user types the username as
 [EMAIL PROTECTED] auth will just fail because the realm isn't specified in
 proxy.conf.

  Then you can't use realms.  You've got to configure a module to
strip out everything after the @ sign.

  The 'realms' module and proxy.conf are meant to deal with known
realms.  If you want to deal with unknown realms, you have to use
something else.

 If not then authenticate it locally no matter what the realm is but before
 authenticating it strip off the realm and just use everything before the @
 sign as the username.

  Then configure it to do that, but you can't use realms.  You'll have
to use another module to re-write the username for the packets that
aren't proxied.

  The simplest thing for you to do might be to create a wildcard realm
by modifying rlm_realm.

  Alan DeKok.
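
The routing this thread asks for (proxy known realms, otherwise strip the realm and authenticate locally), modelled as an added example; it is not code from any poster or from the FreeRADIUS project. The realm table, the function names and the character whitelist are assumptions made for illustration, and the prefix handling also covers the realm1/realm2/username form from the other threads on this page.

```python
import re

# Constructed sample data: realms that would have an entry in proxy.conf.
PROXIED_REALMS = {"partner.example": "radius.partner.example"}

# One or more "realm/" prefixes, e.g. "idm/something/" or "realm1/realm2/".
PREFIX_RE = re.compile(r"^(?:[^/@]+/)+")
# Conservative whitelist for the name that reaches the local user lookup.
LOCAL_NAME_RE = re.compile(r"[A-Za-z0-9._-]+")


def route(user_name, proxied=PROXIED_REALMS):
    """Return (action, home_server, name_to_authenticate) for a User-Name."""
    local, sep, realm = user_name.rpartition("@")
    if not sep:                      # no "@": whole string is the local part
        local, realm = user_name, ""
    realm = realm.lower()

    # 1. Known realm: proxy with the User-Name untouched.
    if realm in proxied:
        return ("proxy", proxied[realm], user_name)

    # 2. Unknown or missing realm: drop suffix and prefixes, authenticate locally.
    stripped = PREFIX_RE.sub("", local)
    if not LOCAL_NAME_RE.fullmatch(stripped):
        return ("reject", None, None)   # empty or unexpected characters
    return ("local", None, stripped)


def audit_line(user_name):
    """Log both names: after stripping, many inputs map to one account."""
    action, server, name = route(user_name)
    return f"action={action} original={user_name!r} stripped={name!r} server={server}"
```

Because every unknown realm collapses onto the same local account, keeping the original User-Name in the log is what lets a mistyped realm be told apart from a deliberate one later.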


Re: Realm question..

2006-04-25 Thread Kevin Bonner
On Tuesday 25 April 2006 01:43, TS wrote:
   What does debugging mode say?

 Exactly what you'd expect it to say if the realm isn't in proxy.conf:

 #
 rad_recv: Access-Request packet from host 127.0.0.1:33499, id=115,
 length=68 User-Name = [EMAIL PROTECTED]
 User-Password = acc355
 ...
 
 The user doesn't exist as the entry in users just has the username as
 user1 and the request is sending [EMAIL PROTECTED]

The original users example you posted had the username of [EMAIL PROTECTED] 
with a password of secret.  Here you say the users file has just user1.  
Which is correct?

 I want radius to first check to see if the request needs to be proxied.

It will do this if you have a realm module listed in the authorize section.  
The suffix realm module is listed in the default config.

 If not then authenticate it locally no matter what the realm is but before
 authenticating it strip off the realm and just use everything before the @
 sign as the username.

Alan's hint to use LOCAL is still correct.  If you know the realms people will 
be using, you can list them in the proxy.conf file.  If you want to catch any 
realm not already defined and send that to local auth, that is pretty easy to 
accomplish.

Please read doc/proxy for a better understanding of how realms work with 
proxying, and also how the 2 special realms work.  If you're still stumped, 
post back with your questions.

Kevin Bonner



Re: Realm question..

2006-04-24 Thread Alan DeKok
TS [EMAIL PROTECTED] wrote:
 Is there a way of getting radius to authenticate on the username before the @
 sign and ignore the realm?

  Yes, but you have to edit the users file to get rid of the
@realm portion, and configure the realms as LOCAL ones.

 Obviously if the realm is one that we proxy then it should be proxied as
 such and any that aren't in the proxy.conf file authenticated locally.

  That's what LOCAL is for.  See proxy.conf.

 I've tried adding strip to the LOCAL entry in proxy.conf and also just
 adding the entry:
...
 to the radius users file but it won't authenticate.

  What does debugging mode say?

  What has to be updated in the documentation to convince people to
run the server in debugging mode, and to read the output?

  Alan DeKok.


Re: realm question

2004-05-14 Thread Alan DeKok
jesk [EMAIL PROTECTED] wrote:
 am i right, that there is no way to do it?

  Yes, there is.

  See the realms module.

  Alan DeKok.



Re: realm question

2004-05-13 Thread jesk
On Thursday 13 May 2004 09:19, jesk wrote:
 hi again,

 i got a username with realms like this:   realm1/foobar%realm2
 is there a way to use realm2 as proxy realm local and get
 realm1 stripped away?
 i dont want realm1 for authorizing, authentication and accounting.

 thanks in advance,
 christian





am i right, that there is no way to do it?
