
List:       freeradius-users
Subject:    Re: duplicate usernames across multiple NAS that belong to different users
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2021-08-31 22:13:05
Message-ID: AED40CDB-45C8-4C85-B3B3-7AFA3C7CA162 () deployingradius ! com

On Aug 31, 2021, at 12:20 PM, Jonathan Davis <jonathan@prioritycolo.com> wrote:
> User1 on NAS1 has the username "user45"
> 
> User2 on NAS2 has the same username "user45"

  Generally this is done with different RADIUS servers, but FreeRADIUS can do this.

> We're using Yubikeys and SQL for 2FA/MFA, and I've got the Yubikey mappings sorted based on the clients.conf for each NAS.
> For SQL I can see multiple ways of doing this.
> 
> Add something (e.g. NAS shortname) to the supplied username to match unique usernames in SQL

  Read sites-available/README.  You can use virtual servers to handle this.

  Create two virtual servers, let's say "server1" and "server2".  Start them off as copies of the "default" server, but without the "listen" sections.

  You'll also need to edit the client definition, to tell FreeRADIUS to send all packets from the client to a particular virtual server:

client nas1 {
	...
	virtual_server = server1
}

client nas2 {
	...
	virtual_server = server2
}

> Use different SQL dbs for each NAS or Virtual Server (not a fan of this but it is an option)

  Use different *tables*.  You'll need two copies of the SQL module.

  Create mods-enabled/sql1, and mods-enabled/sql2, both as copies of mods-available/sql

  Then change the names from:

	sql {
		...

  to:

	sql sql1 {
		...

  And also change the RADIUS database used in one (or both) files, from:

	radius_db = "radius"

  to:

	radius_db = "radius1"

  You'll have to create the DB and the tables, see mods-config/sql/main/mysql/schema.sql for what to do.

  Then also edit the virtual servers "server1" and "server2".  Where they say "sql", change that to "sql1" for server1, and "sql2" for server2.  This should be at least in the "authorize" section, and the "accounting" section, and "post-auth" if you're using SQL there.

  There are a few critical changes, but none of them are complex or difficult.  You just have to know what to do.  :)

> Write some custom SQL queries and tables so that usernames are linked to groups via an index instead of usernames. This wouldn't be hard, but I don't know if different SQL servers can use different SQL queries (Is it as simple as changing which query.conf to import?).

  When you make the above changes, you effectively have 3 virtual servers:

* default - packets from most clients go here
* server1 - packets from NAS1 go here
* server2 - packets from NAS2 go here

  And you also have 2 SQL databases, with separate tables for each set of users.

  The benefit of this approach is that you end up with pretty standard SQL schema, tables, etc.  You don't need to mangle the usernames, or edit the queries, or do anything special.  In fact, the two different SQL modules can continue to use the same queries!

  Alan DeKok.
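As an added worked example (not part of Alan's reply or of the FreeRADIUS project's shipped files), here are the three pieces he describes assembled into config fragments, using the server1/server2 and sql1/sql2 names from the thread. The point of pinning each client to its own virtual server is that a request for "user45" from NAS1 is only ever looked up in NAS1's tables, so the two accounts can never be confused. The NAS addresses, shared secrets and database password are constructed placeholders.

```unlang
# clients.conf: each NAS is pinned to its own virtual server, so a request
# from nas1 is only ever looked up in nas1's tables. Addresses and secrets
# are constructed placeholders.
client nas1 {
	ipaddr         = 192.0.2.10
	secret         = REPLACE_WITH_NAS1_SECRET
	virtual_server = server1
}
client nas2 {
	ipaddr         = 192.0.2.20
	secret         = REPLACE_WITH_NAS2_SECRET
	virtual_server = server2
}

# mods-enabled/sql1, a copy of mods-available/sql with only the instance name
# and radius_db changed; the shipped queries.conf is still used unchanged.
# mods-enabled/sql2 is identical except for "sql sql2 {" and "radius2".
sql sql1 {
	driver    = "rlm_sql_mysql"
	dialect   = "mysql"
	server    = "localhost"
	login     = "radius"
	password  = "REPLACE_WITH_DB_PASSWORD"
	radius_db = "radius1"
	$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}

# sites-enabled/server1, a copy of "default" without its listen sections and
# with every "sql" reference renamed to sql1; server2 is the same with sql2.
server server1 {
	authorize {
		filter_username
		preprocess
		sql1
		pap
	}
	authenticate {
		Auth-Type PAP {
			pap
		}
	}
	accounting {
		sql1
	}
	post-auth {
		sql1
	}
}
```

Run `radiusd -XC` before restarting the daemon: it parses the configuration and exits, so a typo in either module instance or virtual server shows up without taking authentication offline.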
