bug or feature? attr_rewrite rule in post-proxy cannot create config items
Bastiaan Bakker
bastiaan.bakker at lifeline.nl
Wed Dec 21 15:25:19 CET 2005
Hi,
We have a freeradius 'frontend' server that proxies requests to several
legacy radius servers. The frontend server is responsible for IP pool
management, but the backend radius server should be able to determine on
a per user basis from which IP pool the frontend server should allocate
IP addresses. The backend servers return the name of the desired pool in
the reply attribute Framed-Pool. On the frontend server I've added a
rewrite rule to the post-proxy section in order to copy the Framed-Pool
value to the Pool-Name attribute used by rlm_ippool:

    modules {
        ...
        attr_rewrite framedpool2poolname {
            attribute = Pool-Name
            searchin = config
            new_attribute=yes
            searchfor=""
            replacewith="%{proxy-reply:Framed-Pool}"
            append=no
        }
    }
    post-proxy {
        framedpool2poolname
        ...
    }

If I run freeradius in debugging mode 'radiusd -X -y', it says it sets
the Framed-Pool attribute:

    rlm_attr_rewrite: Added attribute Pool-Name with value 'eln1'
    modcall[post-proxy]: module "framedpool2poolname" returns ok for request 0

However the 'eln1' IP pool module fails to find the Pool-Name config
item and consequently does not assign an address.
Do I misunderstand how the attr_rewrite module is supposed to work or is
this a bug? I'm using freeradius-1.0.1-3.RHEL4 on CentOS 4.2.
BTW, I did manage to get freeradius to do what I wanted but the
'solution' looks very much like an ugly kludge: I changed the
framedpool2poolname module to add a Pool-Name attribute as reply item
instead of config item and copy the reply item to the config item in
post-auth:

    modules {
        ...
        attr_rewrite poolname2poolname {
            attribute = Pool-Name
            searchin = config
            new_attribute=yes
            searchfor=""
            replacewith="%{reply:Pool-Name}"
            append=no
        }
        attr_rewrite framedpool2poolname {
            attribute = Pool-Name
            searchin = reply
            new_attribute=yes
            searchfor=""
            replacewith="%{proxy-reply:Framed-Pool}"
            append=no
        }
    }
    post-auth {
        poolname2poolname
        ...
    }

The reason why I can't directly copy Framed-Pool to Pool-Name in
post-auth is that I don't want to send the Framed-Pool attribute to the
client and the last place where I can filter it out AFAIK is in an
attr_filter in post-proxy.
Any help in simplifying this setup or confirmation that the current
behaviour is indeed a bug would be appreciated very much.
Best regards,
Bastiaan Bakker
E.Novation Lifeline Networks bv