On Thu, Feb 11, 2010 at 5:20 PM, <[email protected]> wrote:
> Now the problem is how to identify a user like root have same name on
> multiple machines.
> For this I observed that this PAM library is sending
> Calling-Station-Id in Access-Request packets.
> I did modify my radcheck table to have entries as following:
> +----+-----------+--------------------+----+----------------+
> | id | UserName  | Attribute          | op | Value          |
> +----+-----------+--------------------+----+----------------+
> |  1 | linuxuser | Password           | == | radpwd         |
> | 12 | root      | Calling-Station-Id | == | 192.168.100.61 |
> | 11 | root      | Password           | == | 10radpwd       |
> | 10 | root      | Password           | == | 61radpwd       |
> | 13 | root      | Calling-Station-Id | == | 192.168.70.10  |
> +----+-----------+--------------------+----+----------------+
>
> But it failed to authenticate.

That won't work. You're NOT supposed to have different passwords for the same
user name. When using a centralized authentication (radius, LDAP, Active
Directory, whatever), a user will use the same password regardless of other
attributes (like Calling-Station-Id).

That being said, freeradius is highly customizable. You could, for example,
use unlang to modify the username to become "[email protected]". See
http://lists.freeradius.org/pipermail/freeradius-users/2010-January/msg00389.html
and
http://lists.freeradius.org/pipermail/freeradius-users/2010-January/msg00468.html
for example. It does the reverse of what you're trying to do, but you can look
at the example to see how you could modify the value of User-Name in the
request attributes.

Another approach would be to use a custom user table (adding another column,
CallingStationId), plus modify the queries in dialup.conf so they say

"WHERE username = '%{SQL-User-Name}' AND CallingStationId='%{Calling-Station-Id}'"

instead of just

"WHERE username = '%{SQL-User-Name}' "

Your table would then look something like this

+----+-----------+--------------------+----+----------------+---------------------------------+
| id | UserName  | Attribute          | op | Value          | CallingStationId                |
+----+-----------+--------------------+----+----------------+---------------------------------+
| 11 | root      | Password           | == | 10radpwd       | 192.168.100.10                  |
| 10 | root      | Password           | == | 61radpwd       | 192.168.100.61                  |

but with this method you need to define ALL calling-station-id and their
corresponding passwords.

I consider this a hack though. You should avoid this unless you ABSOLUTELY
know what you're doing, as you're unlikely to get help from others if you
experience problems due to this "hack".

-- 
Fajar
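
The row selection behind the second approach in the reply, as an added example that is not part of the original message or of FreeRADIUS: it uses an in-memory SQLite copy of the table (constructed sample rows) to compare what a username-only lookup returns with what the per-host WHERE clause returns. The function names, the bound parameters standing in for the '%{...}' expansions, and the empty CallingStationId on the linuxuser row are assumptions.

```python
import sqlite3

# Constructed sample rows: the two root rows come from the reply's table, the
# linuxuser row from the quoted one, with no CallingStationId assigned to it.
ROWS = [
    (1, "linuxuser", "Password", "==", "radpwd", ""),
    (11, "root", "Password", "==", "10radpwd", "192.168.100.10"),
    (10, "root", "Password", "==", "61radpwd", "192.168.100.61"),
]

# Username-only lookup versus the per-host lookup suggested in the reply.
# The ? placeholders stand in for '%{SQL-User-Name}' and '%{Calling-Station-Id}'.
USER_ONLY = ("SELECT Attribute, op, Value FROM radcheck "
             "WHERE UserName = ? ORDER BY id")
PER_HOST = ("SELECT Attribute, op, Value FROM radcheck "
            "WHERE UserName = ? AND CallingStationId = ? ORDER BY id")


def make_db():
    """Build the custom user table (radcheck plus a CallingStationId column)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT, "
               "Attribute TEXT, op TEXT, Value TEXT, CallingStationId TEXT)")
    db.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    return db


def check_items(db, username, calling_station_id=None):
    """Return the (Attribute, op, Value) rows selected for one request."""
    if calling_station_id is None:
        cur = db.execute(USER_ONLY, (username,))
    else:
        cur = db.execute(PER_HOST, (username, calling_station_id))
    return cur.fetchall()


if __name__ == "__main__":
    db = make_db()
    # Username only: both root passwords come back for every host.
    print(check_items(db, "root"))
    # Per-host clause: exactly one password row per known host.
    print(check_items(db, "root", "192.168.100.61"))
    # A host that was never defined selects nothing, for root or anyone else.
    print(check_items(db, "root", "192.168.100.99"))
    print(check_items(db, "linuxuser", "192.168.100.61"))
```

The last two lookups return no rows, which is the cost the reply points out: every Calling-Station-Id a user may log in from needs its own row.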

