Proxy reply and setting attribute in users file

Sandworm sandworm at mepd.hush.com
Wed Feb 8 02:05:51 CET 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all

In the 'users' file, I have the following lines:

DEFAULT Huntgroup-Name == "Security-Devices", LDAP-Group == "group1", Proxy-To-Realm := 'innerradius'
        Class:="OU=vpngroupa;",
        Fall-Through = No

DEFAULT Huntgroup-Name == "Security-Devices", LDAP-Group == "group2", Proxy-To-Realm := 'innerradius'
        Class:="OU=vpngroupb;",
        Fall-Through = No

(The Inner Radius server provides the authentication - one time
password). The problem is that setting the Class attribute does not
happen. Presumably, this is because of the setting
"post_proxy_authorize = no" in the file proxy.conf. When
post_proxy_authorize is set to "Yes", the Class attribute does get
set, but then the 'users' file is traversed twice, which is
obviously an overhead, considering that the 'users' file has many
other unrelated entries, not just the ones shown here. Also,
setting "post_proxy_authorize = yes" is just there for "backwards
compatibility", as per the comments in the proxy.conf file, and is
not the preferred setting, I presume, in the future.

My question then is, how do I set the Class attribute for the
various different cases, two examples of which are shown above, if
not as I have shown above?

Would that be via the post_proxy section? If so, could anyone give
me an example of how this could be done?

FYR, this is being run on FreeRadius 1.0.1 on Redhat Enterprise
Linux 3.

Thanks
SW
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkPpQ+oACgkQmw4BJyaatJ18GACfYQOFEn8SBhZ4IQYyQYbBBMKD3/4A
n23uYwysIQqPu1oWrrp500gbHJ1/
=Svg+
-----END PGP SIGNATURE-----




