> [EMAIL PROTECTED] Auth-Type := Local
> Framed-IP-Address = 1.2.3.4
>
> [EMAIL PROTECTED] Auth-Type := Local
> Framed-IP-Address = 2.3.4.5
>
> [EMAIL PROTECTED] Auth-Type := Reject
>
Ok, I came up with a solution to my problem (authorising SecurID users for
multiple VPNs). I'm not sure that this is the best way to do it, so if anyone
can suggest something better then I'd be very grateful to hear from you.

I'm now using hints instead of realms for the username, so I've added the
following to my hints file -

DEFAULT Suffix = ".client1", Strip-User-Name = Yes
        Hint = "client1"

DEFAULT Suffix = ".cust2", Strip-User-Name = Yes
        Hint = "client2"

and in my users file -

test Auth-Type := Local, Hint == "client1", Proxy-To-Realm := "client1"
        Reply-Message = "test.client1"

test Auth-Type := Reject, Hint == "client2"
        Reply-Message = "test.client2 rejected"

So now the user logs in with username test.client1, the suffix is stripped and
replaced with a hint by the hints file, and the users file finds the user based
on their hint. I appreciate that the client2 example above isn't absolutely
necessary since FreeRADIUS will reject the user if there's no matching user
account further down the file, but I'd reject the user explicitly to be sure.
Could someone please confirm if the following (from doc/proxy) is true though,
because my experience showed that the username was stripped by the realms
module and that after proxy/realm auth the full username was lost. Anyone care
to comment?

> Then the users file is processed as usual. The username used at
> this point is the one after hints file processing (regardless of
> the "hints" option). It also includes the realm (regardless of the
> setting of the "nostrip" option) unless the realm is LOCAL.

Regards,
Mike Smith
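
Added example, not part of the original post and not FreeRADIUS code: a simplified Python model of the hints-then-users flow described above, useful as a decision matrix for checking which login names are let through. It assumes first-match-wins in both files and a reject when no users entry matches; `apply_hints` and `authorize` are hypothetical names.

```python
# Simplified model of the hints -> users flow described in the post.
# Assumptions (not FreeRADIUS code): the first matching entry wins in both
# files, and a request that matches no users entry is rejected.

HINTS = [  # (suffix, hint) pairs copied from the post's hints file
    (".client1", "client1"),
    (".cust2", "client2"),
]

USERS = [  # (name, required hint, Auth-Type, other attributes) from the post
    ("test", "client1", "Local",
     {"Proxy-To-Realm": "client1", "Reply-Message": "test.client1"}),
    ("test", "client2", "Reject",
     {"Reply-Message": "test.client2 rejected"}),
]


def apply_hints(user_name):
    """Strip the first matching suffix; return (stripped name, hint or None)."""
    for suffix, hint in HINTS:
        if user_name.endswith(suffix) and len(user_name) > len(suffix):
            return user_name[: -len(suffix)], hint
    return user_name, None


def authorize(user_name):
    """Return (decision, attributes) for a login name as typed by the user."""
    name, hint = apply_hints(user_name)
    for entry_name, entry_hint, auth_type, attrs in USERS:
        if name == entry_name and hint == entry_hint:
            # "continue" means authentication proceeds with the given Auth-Type.
            decision = "reject" if auth_type == "Reject" else "continue"
            return decision, {**attrs, "Auth-Type": auth_type}
    # No entry matched: fail closed.
    return "reject", {}


if __name__ == "__main__":
    # Constructed login names covering each suffix, a wrong suffix and no suffix.
    for login in ("test.client1", "test.cust2", "test.client2", "test"):
        print(login, "->", authorize(login))
```

Because the second hints entry matches the suffix `.cust2`, a login of `test.client2` receives no hint in this model and is rejected only by the fall-through, not by the explicit `Auth-Type := Reject` entry.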