(RADIATOR) SnmpgetProg and DefaultRealms
Hugh Irvine
hugh at open.com.au
Thu Feb 27 15:36:15 CST 2003
Hello Jeremy -
The way to deal with this situation is to add a column to the session
database to contain the rewritten username in addition to the original
username. Then you can do your session limit checking on the rewritten
username, and the NAS query can continue to use the original username.
BTW - some NAS's will accept the rewritten username in a User-Name
attribute in the access accept, or you could also use the Class
attribute for the same purpose.
regards
Hugh
On Friday, Feb 28, 2003, at 08:23 Australia/Melbourne, Jeremy Hinton
wrote:
> Hugh & Mike,
>
> While working on locking down multiple logins recently, I noticed an
> interesting situation. I have a default realm of visi.net, so logging
> in as bob and bob at visi.net are treated the same. I log into the server
> as bob. I then try to log in to the server as bob at visi.net. Now, I can
> tailor my SQL lookups to catch this multiple login no problem.
> *However*, when the NAS itself gets queried with the SnmpgetProg, it
> only checks against what the term server responds with, which may or
> may not include the realm. Now, I made a quick hack to the Bay.pm
> module to auto add my default realm to both the result and the
> username if no realm is specified, but it was a quick and dirty hack
> hard-coding my realm. Maybe I'm missing some way to do this already,
> but I couldn't find it. I suppose this would be a feature request then
> :). At any rate, here's my quick patch:
>
> bash-2.05# diff -C1 Bay.pm Bay.pm.old
> *** Bay.pm Thu Feb 27 16:01:28 2003
> --- Bay.pm.old Sun Mar 24 18:10:51 2002
> ***************
> *** 28,34 ****
> {
> ! my $match = $1;
> ! $match .= "\@visi.net" unless ($match =~ /\@/);
> ! $name .= "\@visi.net" unless ($name =~ /\@/);
> !
> ! return $match eq $name;
> }
> --- 28,30 ----
> {
> ! return $1 eq $name;
> }
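Review bot: the realm is a literal `"\@visi.net"` on both `$match .=` and `$name .=` lines, so the module only matches logins for this one deployment and silently mismatches for any other default realm; take the realm from the handler's configuration instead of hard-coding it. Also note the diff was run as `diff -C1 Bay.pm Bay.pm.old` (modified file first), so the `*** 28,34 ****` side is the new code and the `--- 28,30 ----` side is the original; anyone feeding this to patch will apply it backwards unless they swap the arguments.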
>
> - jeremy
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
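The two-column approach Hugh describes, as an added illustration that is not Radiator's code: the session-limit check keys on a rewritten (realm-qualified) username while the NAS query keeps the original one. The default realm value, the row hashes and the column names ORIGINAL_USERNAME / REWRITTEN_USERNAME / NASIDENTIFIER are constructed for this example, not Radiator's schema.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Default realm comes from configuration, not a literal in the module
# (constructed value; the thread uses visi.net as its example realm).
my $default_realm = 'visi.net';

# Canonical form used for session-limit checks: append the default realm
# when the login carried none, then lower-case for a stable comparison.
sub rewrite_username {
    my ($name, $realm) = @_;
    $name .= '@' . $realm unless $name =~ /\@/;
    return lc $name;
}

# What Bay.pm does: compare the name the NAS reports with the user being
# checked. Both sides are canonicalised with the same realm so "bob" and
# "bob\@visi.net" collapse to one identity without hard-coding the realm.
sub nas_reports_same_user {
    my ($nas_name, $name, $realm) = @_;
    return rewrite_username($nas_name, $realm) eq rewrite_username($name, $realm);
}

# Constructed session rows, one per active login. ORIGINAL_USERNAME is what
# the NAS saw; REWRITTEN_USERNAME is the extra column Hugh suggests adding.
my @sessions = (
    { ORIGINAL_USERNAME => 'bob',          REWRITTEN_USERNAME => 'bob@visi.net',   NASIDENTIFIER => '10.0.0.1' },
    { ORIGINAL_USERNAME => 'bob@visi.net', REWRITTEN_USERNAME => 'bob@visi.net',   NASIDENTIFIER => '10.0.0.2' },
    { ORIGINAL_USERNAME => 'alice',        REWRITTEN_USERNAME => 'alice@visi.net', NASIDENTIFIER => '10.0.0.1' },
);

# The session limit is enforced on the rewritten column, so both of bob's
# logins count against him regardless of how each one was typed.
sub active_sessions_for {
    my ($name, $realm) = @_;
    my $key = rewrite_username($name, $realm);
    return grep { $_->{REWRITTEN_USERNAME} eq $key } @sessions;
}

my @bob = active_sessions_for('bob', $default_realm);
printf "bob has %d active session(s)\n", scalar @bob;
for my $s (@bob) {
    # The NAS query keeps using the original username the NAS knows about.
    printf "  ask NAS %s about '%s'\n", $s->{NASIDENTIFIER}, $s->{ORIGINAL_USERNAME};
}
```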