(RADIATOR) RewriteUsername statements

Hugh Irvine hugh at open.com.au
Thu Jun 8 09:39:18 CDT 2006


Hello Mike -

You would normally use a DefaultRealm in your Client clauses to add  
the correct Realm to usernames without them, then use different Realm  
clauses like this:


# define Client clauses with DefaultRealm

<Client 1.1.1.1>
	......
	DefaultRealm domain1.net
</Client>

.....

<Client n.n.n.n>
	......
	DefaultRealm domain1.net
</Client>

<Client 3.3.3.3>
	......
	DefaultRealm domain2.net
</Client>

.....

<Client m.m.m.m>
	......
	DefaultRealm domain2.net
</Client>

.....

<Realm domain1.net>
	......
</Realm>

<Realm domain2.net>
	.....
</Realm>

.......


Of course you should always test thoroughly on a test server before  
changing a production server.

hope that helps

regards

Hugh


On 8 Jun 2006, at 07:09, Mike Gomez wrote:

> Hi there,
>
> I've been looking through the radiator reference manual on doing some
> rewriteusername commands, and just wanted to get the list's opinion on if I'm
> going to be implementing this correctly.  Here's my current config file:
>
> <Client DEFAULT>
> IgnoreAcctSignature
>         Secret  xxxxxxxx
>         DupInterval 0
> </Client>
> <SessionDatabase SQL>
> Identifier InSQL
> DBSource dbi:mysql:radius:xxxxxxxx
>        DBUsername xxxxxx
>        DBAuth xxxxxx
>       </SessionDatabase>
> <Realm DEFAULT>
> RewriteUsername s/^([^@]+)$/$1\@domain1.net/
> <AuthBy SQL>
>         DBSource dbi:mysql:radius:xxxxxxx
>           DBUsername xxxxxx
>              DBAuth xxxxxx
> AuthSelect select PASSWORD,CHECKATTR,REPLYATTR \
>         from SUBSCRIBERS \
>                 where USERNAME = '%n'
>
> #AddToReply Service-Type = Framed-User, \
> #Framed-Protocol = PPP
> AccountingTable ACCT%Y%m
>                 AcctColumnDef    USERNAME,User-Name
>                 AcctColumnDef    TIME_STAMP,Timestamp,integer-date
>                 AcctColumnDef    ACCTSTATUSTYPE,Acct-Status-Type
>                 AcctColumnDef    ACCTDELAYTIME,Acct-Delay-Time,integer
>                 AcctColumnDef    ACCTINPUTOCTETS,Acct-Input-Octets,integer
>                 AcctColumnDef    ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>                 AcctColumnDef    ACCTSESSIONID,Acct-Session-Id
>                 AcctColumnDef    ACCTSESSIONTIME,Acct-Session-Time,integer
>                 AcctColumnDef    ACCTTERMINATECAUSE,Acct-Terminate-Cause
>                 AcctColumnDef    ACCTTERMINATECAUSE,Ascend-Disconnect-Cause
>                 AcctColumnDef    NASPORT_TYPE,NAS-Port-Type
>                 AcctColumnDef    NASADDRESS,NAS-IP-Address
>                 AcctColumnDef    FRAMEDADDRESS,Framed-IP-Address
>                 AcctColumnDef    NASIDENTIFIER,NAS-Identifier
>                 AcctColumnDef    NASPORT,NAS-Port,integer
>                 AcctColumnDef    USRCONSPEED,Connect-Speed
>                 AcctColumnDef    USRCONSPEED,Connect-Info
>                 AcctColumnDef    MODULATION,Modulation-Type
>                 AcctColumnDef    CSI,Calling-Station-Id
>
>
>         </AuthBy>
>         # Log accounting to a detail file
>         AcctLogFileName ./detail
> </Realm>
>
> As you can see, I've got the RewriteUsername s/^([^@]+)$/$1\@domain1.net/
> under <Realm DEFAULT>.  What's happening is I've got a second set of modem
> pools (from a different domain) that I'm going to be switching to our radius
> server here soon.  So, I need a different rewrite username statement
> (RewriteUsername s/^([^@]+)$/$1\@domain2.net/) to apply to requests only from
> that second group of modem pools.  Can I use something like:
>
> <Client "IP of first modem pool">
> IgnoreAcctSignature
>         Secret  xxxxxxxx
> IdenticalClients "IP of second modem pool"
> IdenticalClients "IP of third modem pool"
> RewriteUsername s/^([^@]+)$/$1\@domain2.net/
> </Client>
>
> or would the rewriteusername statement under <Realm DEFAULT> override that?  I
> just wanted to get opinions on it before I start messing with a production
> system. ;)
>
> Thanks!
> -- 
> Mike Gomez
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.


NB: I am travelling this week, so there may be delays in our  
correspondence.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

