Thomas Bridge <[EMAIL PROTECTED]> wrote:
> Currently I have a Cisco BAS terminating broadband customers. Most of
> our customers would have their PPP connection terminate on the BAS, but
> I would like to forward customers who specify a specific realm onto
> another BAS for another ISP. My customers are authenticated using
> CHAP off an LDAP server.

Then you want to mark proxied customers as NOT using LDAP.

> If I query [EMAIL PROTECTED], I get the correct attributes back. However, if
> I query [EMAIL PROTECTED], where user2 has an LDAP entry, I get the following back:

Is that "user2" a user in a different realm? If so, you can key off of the realms to tell them apart.

> I'm pretty certain the Cisco will not do what I want it to with the
> Framed-User attribute. In any case my question - how do I ensure
> it's just tunnel property configs that are returned for this realm
> even if the username exists in the NULL realm?

First, if a user logs in *without* a realm, you should treat that differently than users logging in with a realm.

Second, the reason "[EMAIL PROTECTED]" matches "user2" from LDAP is that it's using the Stripped-User-Name in the LDAP query. Change that to something else, and it should be better.

> Am I looking at Autz-Type, or something else?

You can do that too. List "ldap" in an "Autz-Type" block, and key in the "users" file off of the *other* realm names, and set "Autz-Type := LDAP". That way you can force certain realms to use LDAP, and other realms to use something else.

Alan DeKok.
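A configuration sketch of the Autz-Type approach described in the reply above, added here as an illustration and not taken from either poster's setup. It assumes FreeRADIUS 1.x-style syntax with the "suffix" realm module and an LDAP module instance named "ldap"; the realm names, tunnel values and the 192.0.2.10 endpoint are constructed placeholders.

```text
# --- radiusd.conf: authorize section ---
authorize {
    preprocess
    suffix      # splits user@realm and sets Realm for realms it knows
    files       # reads the "users" file below

    # "ldap" is not listed on its own any more. It runs only for
    # requests where the users file has set Autz-Type := LDAP.
    Autz-Type LDAP {
        ldap
    }
}

# --- users file ---
# Constructed realm name: customers of this realm terminate on the
# local BAS, so their authorization is forced through LDAP.
DEFAULT Realm == "local-isp.example", Autz-Type := LDAP

# Constructed realm name for the forwarded ISP. No Autz-Type is set,
# so the ldap module is never consulted and a matching LDAP entry for
# the bare username cannot add attributes to the reply. Only the
# tunnel attributes below are returned.
DEFAULT Realm == "other-isp.example"
        Tunnel-Type = L2TP,
        Tunnel-Medium-Type = IPv4,
        Tunnel-Server-Endpoint = "192.0.2.10"

# Users who log in without any realm match neither entry above and
# need their own entry, handled separately from the realm cases.
```

How the forwarded realm's CHAP credentials are checked is outside this sketch and stays as in the existing setup.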

