(RADIATOR) AuthUNIX/FILE Authentication and realms.

Hugh Irvine hugh at open.com.au
Fri Sep 14 03:33:16 CDT 2001


Hello Paul -

On Thursday 13 September 2001 13:42, Paul Rolfe wrote:
> Is it possible to get Radiator to authenticate based on username only, even
> if the username is rewritten to include the realm?  (it is required that we
> rewrite to include the realm as our radius supports over 8 different
> "providers" and we need to be able to account for them all based on
> username at realm, we also use Called-Station-Id to map to some realms)
>
> All other realms are working fine as they authenticate from a custom built
> authentication module which looks after this, however the below needs to be
> authenticated in the following manner.
>
> I need to be able to authenticate based on the username portion only (for
> the AuthUNIX/FILE), but to use the rewritten realm for accounting and
> session database entries.
>
> Ideas? What am I missing?
>
>
> If I add RewriteUsername s/^([^@]+).*/$1/ immediately after the <Authby
> GROUP>, then authentication works.  UsernameMatchesWithoutRealm doesn't
> seem to work.
>
> I've also tried writing separate handlers for Authentication and
> Accounting, but the problem then arises, that I can't manage the session
> database (SQL) correctly with the realms.
>
>
> <Handler Realm=SOUTHWEST.COM.AU>
>          RewriteUsername tr/A-Za-z0-9_@\.-//cd
>          RewriteUsername s/^([^@]+).*/$1/
>          RewriteUsername s/^(.*)/$1\@southwest.com.au/
>          RewriteUsername s/^([^@]+)(.*)/lc($1).uc($2)/e
>          <AuthBy GROUP>
>                  UsernameMatchesWithoutRealm
>                  AuthByPolicy ContinueWhileAccept
>                  <AuthBy FILE>
>                          UsernameMatchesWithoutRealm
>                          Filename %D/users
>                          RejectEmptyPassword
>                  </AuthBy>
>                  <AuthBy UNIX>
>                          UsernameMatchesWithoutRealm
>                          Identifier Unix
>                          Filename /etc/passwd
>                          GroupFilename /etc/group
>                          RejectEmptyPassword
>                  </AuthBy>
>          </AuthBy>
>          PostAuthHook file:"/etc/radiusd/radius.call"
>          AcctLogFileName /var/adm/radacct/%C/detail
>          AccountingHandled
> </Handler>
>

Can you please send me a trace 4 showing what is happening?

And what version of Radiator are you running?

BTW - I don't think the AuthByPolicy shown above is correct, as both AuthBy 
clauses will have to accept - but maybe that is what you want?

thanks

Hugh


-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
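
The quoted handler's username handling, as an added example that is not part of either post and is not Radiator code: it applies the four RewriteUsername expressions in order, then compares a lookup by the full rewritten name with a lookup by the username portion only, under ContinueWhileAccept and ContinueUntilAccept. The user tables, the helper names and the simplified AuthBy GROUP model are assumptions made for illustration; password checking is left out, so a user's presence in a table counts as an accept.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The handler's four RewriteUsername expressions, applied in order.
sub rewrite_username {
    my ($name) = @_;
    for ($name) {
        tr/A-Za-z0-9_@\.-//cd;             # keep only the allowed characters
        s/^([^@]+).*/$1/;                  # strip any realm the client sent
        s/^(.*)/$1\@southwest.com.au/;     # append this handler's realm
        s/^([^@]+)(.*)/lc($1).uc($2)/e;    # lower-case user, upper-case realm
    }
    return $name;
}

# The username-only key that the local user databases are indexed by.
sub strip_realm { my ($n) = @_; $n =~ s/^([^@]+).*/$1/; return $n }

# Constructed stand-ins for %D/users and /etc/passwd (hypothetical users).
my %file_users = (alice => 1);
my %unix_users = (alice => 1, paul => 1);

# Simplified model of an AuthBy GROUP: try each inner clause in order and
# stop according to the policy. Returns the result of the last clause tried.
sub auth_group {
    my ($policy, $key) = @_;
    my $result = 'REJECT';
    for my $db (\%file_users, \%unix_users) {
        $result = $db->{$key} ? 'ACCEPT' : 'REJECT';
        last if $policy eq 'ContinueWhileAccept' && $result ne 'ACCEPT';
        last if $policy eq 'ContinueUntilAccept' && $result eq 'ACCEPT';
    }
    return $result;
}

for my $sent ('Paul', 'alice@other.example', 'pa ul!') {
    my $full = rewrite_username($sent);    # what accounting and the session DB see
    my $user = strip_realm($full);         # what FILE/UNIX need for the lookup
    for my $policy (qw(ContinueWhileAccept ContinueUntilAccept)) {
        printf "%-20s %-26s full=%-6s user-only=%-6s %s\n", $sent, $full,
            auth_group($policy, $full), auth_group($policy, $user), $policy;
    }
}
```

In this model a user present only in the second table is rejected under ContinueWhileAccept even when looked up by the username portion, because the first clause's reject ends the chain.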