proxy and attribute overrides

Emmanuel Dreyfus manu at netbsd.org
Wed Aug 8 09:56:26 CEST 2007


Hello

Sorry if this is a FAQ, but I have not found the answer, so here I am:

I use freeradius-1.1.6. The server does authorization and authentication 
for a few NAS. Some users have logins in the local realm and others have
logins in proxied realms. 

When a user passes authorization, the server returns a Framed-IP-Address 
to the NAS. The address depends on the NAS and is selected using huntgroups.

I have a problem with users in proxied realms: after proxy authentication
is successful, radiusd sends a packet to the NAS with no Framed-IP-Address,
or with a Framed-IP-Address taken from the proxy RADIUS server.

I want my radius server to choose the Framed-IP-Address and ignore what
proxied servers send. This can be achieved using the attr_filter module,
but that module will only allow selecting the address based on the realm.
I cannot select through huntgroups, which is what I'm looking for.

The workaround I found is to add post_proxy_authorize = yes in the 
server section of proxy.conf. That causes the proxied reply to go to
the authorization stage again and to have a correct Framed-IP-Address
added.

That post_proxy_authorize option is documented as deprecated and 
scheduled for future removal. How can I achieve my setup without it? 
I'm pretty confident there is a way of doing it, but I have not been
able to find it.

-- 
Emmanuel Dreyfus
manu at netbsd.org
