Deleting VLAN information while proxying

Tomasz Wolniewicz Tomasz.Wolniewicz at uni.torun.pl
Tue Feb 7 20:40:12 CET 2006


Alan DeKok wrote:
> Can you not key off of the NAS information, and *not* add VLAN data,
> then?
>
>   
I am not sure what you mean by that. Using NAS information is the only
thing that came to our minds, that is, we create a large hunt group
containing all local NASes and add VLAN data only when this is hit. But
we did not manage to make any comparison of NAS-IP-Address other than
equality. If one could use regex then it would be easy, but somehow this
did not seem to work.
Obviously one could use another dirty hack - add another proxy server
and do all cleaning there, but it seems that there should be a clean and
simple way of doing what we need.
Actually one might argue that it is the network provider that should be
careful to filter out all foreign VLAN attributes on input as this can
be a security hazard not to do so, and this task is easily done with
attr_filter. Unfortunately if a user gets to a site that does not filter
VLAN attributes on input, in most cases the VLAN will not match anything
useful and the user will not get connected, so it makes a lot of sense
to block the VLANs also on the output as a good service to our users
(not to mention the fact that telling people our VLAN numbers is
probably not very wise either).

Tomasz
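
The filtering decision discussed in this message, as an added Python sketch (not part of the original post and not FreeRADIUS configuration): VLAN attributes are kept only when the NAS address falls inside a local prefix and the reply was generated locally. It assumes VLANs are assigned with the RFC 3580 tunnel attributes; the prefixes, function names and sample reply are constructed for illustration.

```python
import ipaddress

# RFC 3580 VLAN assignment attributes, compared case-insensitively.
VLAN_ATTRS = {"tunnel-type", "tunnel-medium-type", "tunnel-private-group-id"}

# Constructed sample prefixes that hold the site's own NASes (assumption).
LOCAL_NAS_NETS = [ipaddress.ip_network(n)
                  for n in ("192.0.2.0/24", "198.51.100.16/28")]


def is_local_nas(nas_ip):
    """Prefix match on NAS-IP-Address instead of per-address equality."""
    try:
        addr = ipaddress.ip_address(nas_ip)
    except (ValueError, TypeError):
        return False  # missing or malformed address is treated as foreign
    return any(addr in net for net in LOCAL_NAS_NETS)


def is_vlan_attr(name):
    """True for VLAN attributes, including tagged forms such as Tunnel-Type:1."""
    return name.split(":", 1)[0].lower() in VLAN_ATTRS


def filter_reply(reply, nas_ip, reply_from_remote_home=False):
    """Return the reply attribute list with VLAN data removed where needed.

    Output side: the request came from a NAS outside our prefixes, so our
    VLAN numbers would be useless there and should not be disclosed.
    Input side: the reply came from a remote home server, so its VLAN
    attributes must not reach our own NAS.
    """
    if reply_from_remote_home or not is_local_nas(nas_ip):
        return [(n, v) for n, v in reply if not is_vlan_attr(n)]
    return list(reply)


# Constructed sample reply for a user placed in VLAN 120.
SAMPLE_REPLY = [
    ("Reply-Message", "welcome"),
    ("Tunnel-Type:1", "VLAN"),
    ("Tunnel-Medium-Type:1", "IEEE-802"),
    ("Tunnel-Private-Group-Id:1", "120"),
]

if __name__ == "__main__":
    print(filter_reply(SAMPLE_REPLY, "192.0.2.10"))    # local NAS: unchanged
    print(filter_reply(SAMPLE_REPLY, "203.0.113.5"))   # foreign NAS: stripped
```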



