From: "Alan DeKok" <al...@deployingradius.com>
"If you want to check the stripped user name... then use it."
How can I control this? I am assuming you are referring to proxy.con realm
configuration?
"Why you ask?"
The 'powers that be' have declared that the same userid may log in via
multiple realms (access technologies) up to a certain connection limit.
So u...@realm1 and u...@realm2 count as 2 connections for user. In their
original form, radius would view them as two distinct userids.
I need the form 'u...@realm' for authentication right after the
simultaneous-use check.
How, specifically, can I get the Simultaneous-Use function to use the
Stripped-User-Name (proxy.conf)? and yet use the original User-Name for the
remainder of the processing? (I have seen references to variable in some
cases having a form of %{prefix:User-Name} but am unclear of how/where that
can/should be used.
I have searched the internet, the docs available, and some of the source
code in attempting to understand freeradius, only posting questions when I
am truly puzzled. Indications of "how" to do (or NOT do) something are most
appreciated. This is a significant upgrade effort, and I'm ok with
re-designing how things are achieved, if I can determine WHAT the 'best way'
should be. I have NO control over the rules that apply to users and
accounts in the real world. (I especially love when they CONTRADICT! -
Marketing...)
Thanks,
-craig
----- Original Message -----
From: "Alan DeKok" <al...@deployingradius.com>
To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
Sent: Thursday, September 10, 2009 4:16 AM
Subject: Re: Checkrad / Simultaneous-Use clarification please
Craig Campbell wrote:
We currently have users that log in both with and without realms.
Well... then you have to manage that.
In radutmp we log the stripped username (i.e. no realm component).
Why?
Since the radutmp data has no realm part for the username, how do I get
the Simultaneous-Use code to check the username without the realm
component? Currently the realm portion is carried through until the
accounting processing (for radutmp).
I don't understand. You give radutmp a stripped user name, but you
don't give the session checking a stripped user name?
If you want to check the stripped user name... then use it.
If I understand correctly, f...@comfort will pass Sinultaneous-Use
because radutmp is logging these as just "fred".
Yes. Because you told it to treat them as different users.
If you want the simultaneous checking to check the stripped user name,
then strip the user name...
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
__________ Information from ESET Smart Security, version of virus
signature database 4412 (20090909) __________
The message was checked by ESET Smart Security.
http://www.eset.com
__________ Information from ESET Smart Security, version of virus signature
database 4412 (20090909) __________
The message was checked by ESET Smart Security.
http://www.eset.com
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html