Proxy based on request attribute content, not username realm

Alan DeKok aland at deployingradius.com
Tue Feb 9 17:49:52 CET 2010


Oliver Gorwits wrote:
> I'd welcome some guidance on configuring FreeRADIUS (any version) to
> select a onward proxy server(s) based on a RADIUS request attribute,
> and not the username's realm.

  In 2.1.7 and earlier, create a fake realm (e.g. foo.bar.baz), and fill
out the normal home servers, pools, etc.  Then do:

authorize {
	...
	update control {
		Proxy-To-Realm := "foo.bar.baz"
	}
	...
}

  In 2.1.8, you can skip creating the realm.  Just create home servers,
pools, and do:

	update control {
		Home-Server-Pool := "pool-name"
	}

> The specific situation is that it would be useful to proxy based on
> the wireless SSID to which a user is authenticating. In our Cisco
> system, this information comes in via the Called-Station-Id
> attribute of the request packet.

  See "man unlang" for generic instructions on creating policies.

authorize {
	...
	if (Called-Station-Id =~ /foo/) {
		update control {
			...
		}
	}
	...
}


> We're open to any kind of solution, including setting dummy realms,
> or using the rlm_perl module, but would appreciate any pointers you
> have, and details on the processing order within FreeRADIUS to make
> sure we set things up properly.
> 
> (Yes, it's also possible just to configure different RADIUS servers
> directly on the Cisco system per SSID, but we'd much prefer to have
> one RADIUS configuration there, and proxy onwards from FreeRADIUS.)

  Yup.  That's usually the safest solution, too.

  Alan DeKok.
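The SSID-keyed proxying discussed above, worked out as a complete configuration for the 2.1.8 Home-Server-Pool approach (an added example, not Alan's or the FreeRADIUS project's own config). It assumes the Cisco Called-Station-Id arrives as "MAC:SSID"; the SSID names, pool names, 192.0.2.x addresses and secrets are constructed placeholders.

```unlang
# --- proxy.conf: one home server and one pool per SSID (placeholders) ---
home_server corp_radius {
	type   = auth
	ipaddr = 192.0.2.10
	port   = 1812
	secret = CHANGE_ME_CORP
}
home_server corp_radius_backup {
	type   = auth
	ipaddr = 192.0.2.11
	port   = 1812
	secret = CHANGE_ME_CORP
}
home_server_pool corp_pool {
	type        = fail-over
	home_server = corp_radius
	home_server = corp_radius_backup
}
home_server guest_radius {
	type   = auth
	ipaddr = 192.0.2.20
	port   = 1812
	secret = CHANGE_ME_GUEST
}
home_server_pool guest_pool {
	type        = fail-over
	home_server = guest_radius
}

# --- sites-enabled/default: pick the pool in authorize, before any realm
#     module (suffix/ntdomain) gets a chance to set Proxy-To-Realm ---
authorize {
	preprocess
	# Anchor the match on the trailing ":SSID" so an SSID that merely
	# contains "corp" (e.g. "corp-guest") cannot land in the wrong pool.
	if (Called-Station-Id =~ /:corp$/i) {
		update control {
			Home-Server-Pool := "corp_pool"
		}
	}
	elsif (Called-Station-Id =~ /:guest$/i) {
		update control {
			Home-Server-Pool := "guest_pool"
		}
	}
	# No match: fall through to the normal (local or realm-based) handling.
	...
}
```

Because Called-Station-Id is supplied by the NAS, only requests from NAS clients listed in clients.conf (and sharing their secret) can influence this selection; a request whose SSID matches no branch is not proxied by this block at all.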