(RADIATOR) RewriteUsername statements
Hugh Irvine
hugh at open.com.au
Thu Jun 8 22:28:03 CDT 2006
Hello Mike -
The DefaultRealm will add the suffix to the username, therefore the username
mgomez
will be changed to
mgomez@domain1.net
if it passes through a Client clause with
DefaultRealm domain1.net
which will then be matched by this Realm
<Realm domain1.net>
.....
</Realm>
You should do some testing in a test environment running Radiator at
trace 4 debug so you can see what is happening.
regards
Hugh
On 8 Jun 2006, at 08:01, Mike Gomez wrote:
> So....I'd need to have something like this?
>
>
> <Client "IP of first modem pool from first domain">
> IdenticalClients "IP of second modem pool from first domain"
> IdenticalClients "IP of third modem pool from first domain"
> IgnoreAcctSignature
> Secret xxxxxxxx
> DupInterval 0
> DefaultRealm domain1.net
> </Client>
>
> <Client "IP of first modem pool from second domain">
> IgnoreAcctSignature
> Secret xxxxxxxx
> IdenticalClients "IP of second modem pool from second domain"
> IdenticalClients "IP of third modem pool from second domain"
> DefaultRealm domain2.net
> </Client>
>
> <SessionDatabase SQL>
> Identifier InSQL
> DBSource dbi:mysql:radius:xxxxxxxx
> DBUsername xxxxxx
> DBAuth xxxxxx
> </SessionDatabase>
>
> <Realm domain1.net>
> RewriteUsername s/^([^@]+)$/$1\@domain1.net/
> <AuthBy SQL>
> DBSource dbi:mysql:radius:xxxxxxx
> DBUsername xxxxxx
> DBAuth xxxxxx
> AuthSelect select PASSWORD,CHECKATTR,REPLYATTR \
> from SUBSCRIBERS \
> where USERNAME = '%n'
>
> #AddToReply Service-Type = Framed-User, \
> #Framed-Protocol = PPP
> AccountingTable ACCT%Y%m
> AcctColumnDef USERNAME,User-Name
> AcctColumnDef TIME_STAMP,Timestamp,integer-date
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
> AcctColumnDef ACCTTERMINATECAUSE,Ascend-Disconnect-Cause
> AcctColumnDef NASPORT_TYPE,NAS-Port-Type
> AcctColumnDef NASADDRESS,NAS-IP-Address
> AcctColumnDef FRAMEDADDRESS,Framed-IP-Address
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef NASPORT,NAS-Port,integer
> AcctColumnDef USRCONSPEED,Connect-Speed
> AcctColumnDef USRCONSPEED,Connect-Info
> AcctColumnDef MODULATION,Modulation-Type
> AcctColumnDef CSI,Calling-Station-Id
>
>
> </AuthBy>
> # Log accounting to a detail file
> AcctLogFileName ./detail
> </Realm>
>
> <Realm domain2.net>
> RewriteUsername s/^([^@]+)$/$1\@domain2.net/
> <AuthBy SQL>
> DBSource dbi:mysql:radius:xxxxxxx
> DBUsername xxxxxx
> DBAuth xxxxxx
> AuthSelect select PASSWORD,CHECKATTR,REPLYATTR \
> from SUBSCRIBERS \
> where USERNAME = '%n'
>
> #AddToReply Service-Type = Framed-User, \
> #Framed-Protocol = PPP
> AccountingTable ACCT%Y%m
> AcctColumnDef USERNAME,User-Name
> AcctColumnDef TIME_STAMP,Timestamp,integer-date
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
> AcctColumnDef ACCTTERMINATECAUSE,Ascend-Disconnect-Cause
> AcctColumnDef NASPORT_TYPE,NAS-Port-Type
> AcctColumnDef NASADDRESS,NAS-IP-Address
> AcctColumnDef FRAMEDADDRESS,Framed-IP-Address
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef NASPORT,NAS-Port,integer
> AcctColumnDef USRCONSPEED,Connect-Speed
> AcctColumnDef USRCONSPEED,Connect-Info
> AcctColumnDef MODULATION,Modulation-Type
> AcctColumnDef CSI,Calling-Station-Id
>
>
> </AuthBy>
> # Log accounting to a detail file
> AcctLogFileName ./detail
> </Realm>
>
> Thereby essentially throwing anyone from the first group of modems into
> the domain1.net Realm (and using its RewriteUsername statement), and
> throwing anyone from the second group into the domain2.net Realm (and
> using its *different* RewriteUsername statement)?
>
> Mike
>
> On Thursday 08 June 2006 09:39, Hugh Irvine wrote:
>> Hello Mike -
>>
>> You would normally use a DefaultRealm in your Client clauses to add
>> the correct Realm to usernames without them, then use different Realm
>> clauses like this:
>>
>>
>> # define Client clauses with DefaultRealm
>>
>> <Client 1.1.1.1>
>> ......
>> DefaultRealm domain1.net
>> </Client>
>>
>> .....
>>
>> <Client n.n.n.n>
>> ......
>> DefaultRealm domain1.net
>> </Client>
>>
>> <Client 3.3.3.3>
>> ......
>> DefaultRealm domain2.net
>> </Client>
>>
>> .....
>>
>> <Client m.m.m.m>
>> ......
>> DefaultRealm domain2.net
>> </Client>
>>
>> .....
>>
>> <Realm domain1.net>
>> ......
>> </Realm>
>>
>> <Realm domain2.net>
>> .....
>> </Realm>
>>
>> .......
>>
>>
>> Of course you should always test thoroughly on a test server before
>> changing a production server.
>>
>> hope that helps
>>
>> regards
>>
>> Hugh
>>
>> On 8 Jun 2006, at 07:09, Mike Gomez wrote:
>>> Hi there,
>>>
>>> I've been looking through the radiator reference manual on doing some
>>> rewriteusername commands, and just wanted to get the list's opinion on
>>> if I'm going to be implementing this correctly. Here's my current config
>>> file:
>>>
>>> <Client DEFAULT>
>>> IgnoreAcctSignature
>>> Secret xxxxxxxx
>>> DupInterval 0
>>> </Client>
>>> <SessionDatabase SQL>
>>> Identifier InSQL
>>> DBSource dbi:mysql:radius:xxxxxxxx
>>> DBUsername xxxxxx
>>> DBAuth xxxxxx
>>> </SessionDatabase>
>>> <Realm DEFAULT>
>>> RewriteUsername s/^([^@]+)$/$1\@domain1.net/
>>> <AuthBy SQL>
>>> DBSource dbi:mysql:radius:xxxxxxx
>>> DBUsername xxxxxx
>>> DBAuth xxxxxx
>>> AuthSelect select PASSWORD,CHECKATTR,REPLYATTR \
>>> from SUBSCRIBERS \
>>> where USERNAME = '%n'
>>>
>>> #AddToReply Service-Type = Framed-User, \
>>> #Framed-Protocol = PPP
>>> AccountingTable ACCT%Y%m
>>> AcctColumnDef USERNAME,User-Name
>>> AcctColumnDef TIME_STAMP,Timestamp,integer-date
>>> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
>>> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
>>> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
>>> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>>> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>>> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
>>> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
>>> AcctColumnDef ACCTTERMINATECAUSE,Ascend-Disconnect-Cause
>>> AcctColumnDef NASPORT_TYPE,NAS-Port-Type
>>> AcctColumnDef NASADDRESS,NAS-IP-Address
>>> AcctColumnDef FRAMEDADDRESS,Framed-IP-Address
>>> AcctColumnDef NASIDENTIFIER,NAS-Identifier
>>> AcctColumnDef NASPORT,NAS-Port,integer
>>> AcctColumnDef USRCONSPEED,Connect-Speed
>>> AcctColumnDef USRCONSPEED,Connect-Info
>>> AcctColumnDef MODULATION,Modulation-Type
>>> AcctColumnDef CSI,Calling-Station-Id
>>>
>>>
>>> </AuthBy>
>>> # Log accounting to a detail file
>>> AcctLogFileName ./detail
>>> </Realm>
>>>
>>> As you can see, I've got the RewriteUsername s/^([^@]+)$/$1\@domain1.net/
>>> under <Realm DEFAULT>. What's happening is I've got a second set of modem
>>> pools (from a different domain) that I'm going to be switching to our
>>> radius server here soon. So, I need a different rewrite username statement
>>> (RewriteUsername s/^([^@]+)$/$1\@domain2.net/) to apply to requests only
>>> from that second group of modem pools. Can I use something like:
>>>
>>> <Client "IP of first modem pool">
>>> IgnoreAcctSignature
>>> Secret xxxxxxxx
>>> IdenticalClients "IP of second modem pool"
>>> IdenticalClients "IP of third modem pool"
>>> RewriteUsername s/^([^@]+)$/$1\@domain2.net/
>>> </Client>
>>>
>>> or would the rewriteusername statement under <Realm DEFAULT> override
>>> that? I just wanted to get opinions on it before I start messing with a
>>> production system. ;)
>>>
>>> Thanks!
>>> --
>>> Mike Gomez
>>>
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>
>> NB: I am travelling this week, so there may be delays in our
>> correspondence.
>
> --
> Mike Gomez
> Network Operations Center
> I-Land Internet Services
> 660.829.4638 Ext. 130
NB: I am travelling this week, so there may be delays in our
correspondence.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
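As an added illustration, not code from Radiator or from anyone in the thread, here is a small Python model of the processing order Hugh describes: the Client's DefaultRealm appends a suffix to names without one, the resulting realm selects the Realm clause, and that Realm's RewriteUsername (Mike's Perl s/// translated to re.sub) then runs. The NAS addresses and realm names are constructed placeholders; the model also shows two consequences worth checking at trace 4: the Realm-level rewrite becomes a no-op once DefaultRealm has already added the '@', and a user who sends a name that already carries '@realm' is routed by that realm rather than by the modem pool they dialled from.

```python
import re
from typing import Optional, Tuple

# Constructed sample config modelled on the thread (placeholder addresses,
# not any real site's data). Each NAS maps to its Client's DefaultRealm;
# IdenticalClients entries share the same value.
CLIENTS = {
    "192.0.2.10": "domain1.net",     # first modem pool of domain1
    "192.0.2.11": "domain1.net",     # IdenticalClients entry, same pool group
    "198.51.100.10": "domain2.net",  # first modem pool of domain2
}

# Per-Realm RewriteUsername as in Mike's config: Perl s/^([^@]+)$/$1\@realm/
# translated to a Python (pattern, replacement) pair.
REALM_REWRITES = {
    "domain1.net": (r"^([^@]+)$", r"\1@domain1.net"),
    "domain2.net": (r"^([^@]+)$", r"\1@domain2.net"),
}

def apply_default_realm(username: str, default_realm: Optional[str]) -> str:
    """Client DefaultRealm: append '@realm' only if the name has no realm yet."""
    if default_realm and "@" not in username:
        return f"{username}@{default_realm}"
    return username

def select_realm(username: str) -> Optional[str]:
    """Realm clause matching: the part after the last '@', or None if absent."""
    return username.rsplit("@", 1)[1] if "@" in username else None

def process(nas_ip: str, username: str) -> Optional[Tuple[str, str]]:
    """Return (matched realm, final username), or None if the request is dropped."""
    if nas_ip not in CLIENTS:
        return None  # no Client clause for this NAS: request is ignored
    name = apply_default_realm(username, CLIENTS[nas_ip])
    realm = select_realm(name)
    if realm not in REALM_REWRITES:
        return None  # no matching <Realm> and no <Realm DEFAULT> in this model
    pattern, repl = REALM_REWRITES[realm]
    # DefaultRealm already inserted '@', so [^@]+ no longer matches: no-op here.
    name = re.sub(pattern, repl, name)
    return realm, name

if __name__ == "__main__":
    samples = [("192.0.2.10", "mgomez"), ("198.51.100.10", "mgomez"),
               ("192.0.2.10", "mgomez@domain2.net"), ("203.0.113.1", "mgomez")]
    for nas, user in samples:
        print(f"{nas:>14} {user:<20} -> {process(nas, user)}")
```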