On Tue, Apr 27, 2004 at 01:13:19PM -0400, Alan DeKok wrote:

> Thomas Bridge <[EMAIL PROTECTED]> wrote:

> > Currently I have a Cisco BAS terminating broadband customers.  Most of
> > our customers would have their PPP connection terminate on the BAS, but
> > I would like to forward customers who specify a specific realm onto
> > another BAS for another ISP.   My customers are authenticated using
> > CHAP off an LDAP server.
 
>   Then you want to mark proxied customers as NOT using LDAP.

I used to do Auth-Type := LDAP for customers - however, I had to stop doing
this in order to support CHAP.

Is there something obvious in the users file I am missing?

> > If I query [EMAIL PROTECTED], I get the correct attributes back.   However, if
> > I query [EMAIL PROTECTED], where user2 has an LDAP entry, I get the following back:
 
>   Is that "user2" a user in a different realm?  If so, you can key off
> of the realms to tell them apart.

If the realm is specified, then yes it would be - bear in mind I do not want
to authorize the customer - I simply want to pass the PPP session through
to a remote LNS and leave it to the LNS configuration to determine whether or
not to authorize the customer.

> > I'm pretty certain the Cisco will not do what I want it to with the
> > Framed-User attribute.  In any case my question - how do I ensure
> > it's just tunnel property configs that are returned for this realm
> > even if the username exists in the NULL realm?
 
>   First, if a user logs in *without* a realm, you should treat that
> differently than users logging in with a realm.

>   Second, the reason "[EMAIL PROTECTED]" matches "user2" from LDAP is that
> it's using the Stripped-User-Name in the LDAP query.  Change that to
> something else, and it should be better.

The problem I am facing though is that customers can log in with a NULL realm
or our own Realm.

> >  Am I looking at Autz-Type, or something else?
 
>   You can do that too.  List "ldap" in an "Autz-Type" block, and key
> in the "users" file off of the *other* realm names, and set "Autz-Type
> := LDAP".  That way you can force certain realms to use LDAP, and
> other realms to use something else.

Okay, I'll look into this,

Thomas

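The Autz-Type arrangement Alan describes, written out as an added configuration sketch that is not part of this thread (FreeRADIUS 1.x syntax; the realm names, the LNS address and the tunnel secret are made-up placeholders; it assumes a NULL realm is defined so that the suffix module sets Realm to "NULL" for realm-less logins):

```text
# proxy.conf: every realm the "suffix" module should recognise must be
# listed, with authhost = LOCAL so the request is handled here, not proxied
realm NULL {
	type = radius
	authhost = LOCAL
	accthost = LOCAL
}
realm ourisp.example {
	type = radius
	authhost = LOCAL
	accthost = LOCAL
}
realm otherisp.example {
	type = radius
	authhost = LOCAL
	accthost = LOCAL
}

# radiusd.conf, authorize section: "ldap" runs only when the users file
# has set Autz-Type := LDAP for this request
authorize {
	preprocess
	# splits user@realm into Stripped-User-Name and Realm
	suffix
	# sets Auth-Type := CHAP when a CHAP-Password is present
	chap
	# reads the "users" entries below
	files
	Autz-Type LDAP {
		ldap
	}
}

# users file
# Our own customers (no realm, or our own realm): fetch the password from LDAP.
DEFAULT	Realm == "NULL", Autz-Type := LDAP
	Fall-Through = Yes

DEFAULT	Realm == "ourisp.example", Autz-Type := LDAP
	Fall-Through = Yes

# The other ISP's realm: no Autz-Type, so the LDAP query on
# Stripped-User-Name never runs even if "user2" exists in LDAP;
# only the tunnel attributes go back and the LNS does the authentication.
DEFAULT	Realm == "otherisp.example"
	Tunnel-Type = L2TP,
	Tunnel-Medium-Type = IP,
	Tunnel-Server-Endpoint = "192.0.2.10",
	Tunnel-Password = "placeholder-tunnel-secret"
```

Because the ldap module is no longer referenced from the main authorize list, a login in the other ISP's realm never reaches LDAP, which is the behaviour the question asks for.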

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html