Deleting VLAN information while proxying
Tomasz Wolniewicz
Tomasz.Wolniewicz at uni.torun.pl
Thu Feb 9 22:33:25 CET 2006
AL.M.Buxey at lboro.ac.uk wrote:
>
> I cant see WHY the VLAN info needs to reach other sites at all...perhaps
> the National Proxy should be stripping out such things? anyway, if memory
>
Alan,
your logic sounds fine but it has two flaws:
1. you should not depend on someone whom you cannot control to do the
work for you.
2. some countries already made decisions that the national proxy MUST
NOT interfere with the stuff sent
in the radius packets. It was argued by some colleagues that for
instance two institutions could have an explicit agreement and honor
each other's VLAN settings.
Actually we did manage do fix that thing using rlm_perl in postauth
section. rlm_perl was hacked a bit so that it would be able to delete
attributes.
I really think that this is a perfectly natural need to be able to
control attributes sent when the request comes from am outside proxy.
The approach based on NAS IP Address is not correct, since NAS addresses
are often from private address space and can repeat in various institutions.
Tomasz
More information about the Freeradius-Users
mailing list