Overriding proxy response

Eric eric at ipergy.net
Mon Oct 5 23:06:49 CEST 2009


Hi All,

Answering my own post, I ended up putting some sort of check in
post_proxy (match for MS-CHAP-Error 648), which then sets the username
that I need to assign a different IP range because the account is set
on the IAS as 'change password' in a db file. I return from post_proxy
with HANDLED. This means indeed that the client times out. During the
authorize phase I then check whether this is the username I need to
allow, delete it from the db_file and rewrite the request to a default
user with the parameters that I need.

Now just need to figure out how to do the DNS. Worst case I can use a 
split-dns based on the different IP ranges.

Cheers

Eric

Johan Meiring wrote:
> Ivan Kalik wrote:
>>>> And how is user supposed to open that "topup page" if he is looking for
>>>> Google, for instance?
>>> Instead of Google's IPs your DNS servers would return your web server,
>>> with
>>> the "topup page".
>>>
>>> What you want *is* a captive portal - it will
>>>> capture the user and redirect him from the requested page onto the one
>>>> you
>>>> want him to see.
>>>>
>>> I didn't say I agree with the DNS scheme.
>>> I do agree that a captive portal is the best solution.
>>> I was simply mentioning that it is not always possible.
>>
>> It is possible - that's what you are making. DNS scheme is not going to
>> work. All user has to do to defeat that is to change the assigned DNS
>> servers - and he can surf the net. You need a proper captive portal where
>> user can't simply change DNS info and/or assigned IP and escape.
>>
> 
> Our local telco includes a filter for you as well, with the DNS scheme, 
> so the client can only reach your topup server.
> 
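
The two-phase flow described at the top of this message, as a stand-alone Python simulation added here for illustration; it is not the poster's code and not FreeRADIUS module code. The return-code constants, function signatures, the `restricted-default` user name and the sample attribute strings are assumptions constructed for the sketch.

```python
import dbm
import re

# Stand-ins for module return codes (labels local to this sketch, not FreeRADIUS values).
HANDLED, UPDATED, NOOP = "handled", "updated", "noop"

ERROR_PASSWD_EXPIRED = 648  # the MS-CHAP error code the post matches on


def mschap_error_code(value):
    """Return the numeric E= field of an MS-CHAP-Error string, or None.

    The attribute may start with an ident byte, so search rather than
    anchoring the match at the start of the string.
    """
    m = re.search(r"E=(\d+)", value)
    return int(m.group(1)) if m else None


def post_proxy(db_path, username, proxy_reply):
    """Phase 1: remember a user whose proxied reply says 'password expired'."""
    code = mschap_error_code(proxy_reply.get("MS-CHAP-Error", ""))
    if code != ERROR_PASSWD_EXPIRED:
        return NOOP  # any other failure (e.g. bad password) is left alone
    with dbm.open(db_path, "c") as db:
        db[username.encode()] = b"1"
    return HANDLED  # no reply goes out, so the client times out and retries


def authorize(db_path, request, default_user="restricted-default"):
    """Phase 2: on the retry, consume the marker and rewrite the request."""
    key = request["User-Name"].encode()
    with dbm.open(db_path, "c") as db:
        if key not in db:
            return NOOP
        # One-shot: delete the marker so a later request is not rewritten
        # unless the home server reports error 648 again.
        del db[key]
    request["User-Name"] = default_user  # hypothetical restricted profile
    return UPDATED
```

Because the marker is deleted on first use, only the retry that follows a fresh error 648 is mapped to the restricted user; a reply with a different error code never creates a marker.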


