List: freeradius-users
Subject: Re: duplicate usernames across multiple NAS that belong to different users
From: Alan DeKok <aland () deployingradius ! com>
Date: 2021-08-31 22:13:05
Message-ID: AED40CDB-45C8-4C85-B3B3-7AFA3C7CA162 () deployingradius ! com
On Aug 31, 2021, at 12:20 PM, Jonathan Davis <jonathan@prioritycolo.com> wrote:
> User1 on NAS1 has the username "user45"
>
> User2 on NAS2 has the same username "user45"
Generally this is done with different RADIUS servers, but FreeRADIUS can do this.
> We're using Yubikeys and SQL for 2FA/MFA, and I've got the Yubikey mappings sorted based on the clients.conf for each NAS.
> For SQL I can see multiple ways of doing this.
>
> Add something (e.g. NAS shortname) to the supplied username to match unique usernames in SQL
Read sites-available/README. You can use virtual servers to handle this.
Create two virtual servers, let's say "server1" and "server2". Start them off as copies of the "default" server, but without the "listen" sections.
You'll also need to edit the client definition, to tell FreeRADIUS to send all packets from the client to a particular virtual server:

    client nas1 {
        ...
        virtual_server = server1
    }

    client nas2 {
        ...
        virtual_server = server2
    }
> Use different SQL dbs for each NAS or Virtual Server (not a fan of this but it is an option)
Use different *tables*. You'll need two copies of the SQL module.
Create mods-enabled/sql1 and mods-enabled/sql2, both as copies of mods-available/sql.
Then change the names from:
sql {
...
to:
sql sql1 {
...
And also change the RADIUS database used in one (or both) files, from:
radius_db = "radius"
to:
radius_db = "radius1"
You'll have to create the DB and the tables; see mods-config/sql/main/mysql/schema.sql for what to do.
Then also edit the virtual servers "server1" and "server2". Where they say "sql", change that to "sql1" for server1, and "sql2" for server2. This should be at least in the "authorize" section and the "accounting" section, and "post-auth" if you're using SQL there.
There are a few critical changes, but none of them are complex or difficult. You just have to know what to do. :)
> Write some custom SQL queries and tables so that usernames are linked to groups via an index instead of usernames. This wouldn't be hard, but I don't know if different SQL servers can use different SQL queries (Is it as simple as changing which query.conf to import?).
When you make the above changes, you effectively have 3 virtual servers:
* default - packets from most clients go here
* server1 - packets from NAS1 go here
* server2 - packets from NAS2 go here
And you also have 2 SQL databases, with separate tables for each set of users.
The benefit of this approach is that you end up with a pretty standard SQL schema, tables, etc. You don't need to mangle the usernames, or edit the queries, or do anything special. In fact, the two different SQL modules can continue to use the same queries!
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
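The following is an added, worked-out version of the configuration the reply describes; it is not part of the thread and not FreeRADIUS project code. It assumes FreeRADIUS 3.x with raddb at /etc/raddb (Debian packages use /etc/freeradius/3.0), a MySQL backend, and placeholder IP addresses, shared secrets and DB credentials. It applies the reply's radius_db change to both instances ("radius1" and "radius2") and trims the virtual server to PAP so it stays short. The security point being made: a NAS is identified by its source IP and shared secret, and virtual_server pins every packet from that NAS to one server and one SQL instance, so a "user45" row created for NAS2 can never be matched against a request arriving from NAS1, with no username rewriting involved.

```conf
# Added example (not from the thread). Placeholders are marked; raddb path is an assumption.

# ---- /etc/raddb/clients.conf ----
# Each client is matched by ipaddr + secret; virtual_server routes all of its
# packets to a dedicated server, which is what isolates the two "user45" rows.
client nas1 {
	ipaddr         = 192.0.2.10          # placeholder
	secret         = CHANGE_ME_NAS1      # placeholder
	shortname      = nas1
	virtual_server = server1
}
client nas2 {
	ipaddr         = 192.0.2.20          # placeholder
	secret         = CHANGE_ME_NAS2      # placeholder
	shortname      = nas2
	virtual_server = server2
}

# ---- /etc/raddb/mods-enabled/sql1 ----
# A copy of mods-available/sql; only the two lines marked CHANGED differ from the
# stock file. The queries.conf include still points at the stock queries, so sql1
# and sql2 share one query set. mods-enabled/sql2 is the same file with
# "sql sql2 {" and radius_db = "radius2".
sql sql1 {                               # CHANGED: instance name the virtual server references
	driver    = "rlm_sql_mysql"
	dialect   = "mysql"
	server    = "localhost"
	port      = 3306
	login     = "radius"
	password  = "CHANGE_ME_DB"           # placeholder
	radius_db = "radius1"                # CHANGED: this instance's own database
	# ... table names, pool {} and the rest exactly as copied from mods-available/sql ...
	$INCLUDE ${modconfdir}/sql/main/${dialect}/queries.conf
}

# Create both databases once and load the stock schema into each (run as a DB admin):
#   CREATE DATABASE radius1; CREATE DATABASE radius2;
#   GRANT ALL ON radius1.* TO 'radius'@'localhost';
#   GRANT ALL ON radius2.* TO 'radius'@'localhost';
#   mysql -u root -p radius1 < /etc/raddb/mods-config/sql/main/mysql/schema.sql
#   mysql -u root -p radius2 < /etc/raddb/mods-config/sql/main/mysql/schema.sql
# Each NAS's "user45" then goes into its own radcheck table; the rows never share a table.

# ---- /etc/raddb/sites-enabled/server1 ----
# Started from sites-available/default with the listen {} sections removed and
# every "sql" replaced by "sql1". Reduced to PAP here to keep the example short.
# sites-enabled/server2 is identical except that it references sql2.
server server1 {
	authorize {
		preprocess
		sql1                             # looks up User-Name only in radius1
		pap
	}
	authenticate {
		Auth-Type PAP {
			pap
		}
	}
	accounting {
		sql1                             # accounting rows land in radius1.radacct
	}
	post-auth {
		sql1
		Post-Auth-Type REJECT {
			sql1
		}
	}
}
```

Check the result with `radiusd -XC` (configuration parse only) and then run `radiusd -X` while sending a request from each NAS: the debug output names the file whose sections are being executed, so a packet from nas2 should show sites-enabled/server2 and sql2, never server1 or sql1. If the two instances are later given `read_clients = yes`, note that each instance will load NAS definitions from its own database.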