Proxy Radius - Deny user based on username preproxy

Alan DeKok aland at deployingradius.com
Fri Dec 30 20:36:37 CET 2011


Nathan M wrote:
> I operate a proxy radius server which proxies requests downstream.  A
> few particular usernames are repeating far more frequently than they
> should and I have no way to eliminate this upstream.  I do need to
> authenticate the users though and not deny them.  The goal would be to
> authenticate them at the proxy level so it does not send the request
> downstream at all.
> 
> Ideally an entry something to the tune of:
> userx      Cleartext-Password := "xxx"
>        Session-Timeout = 604800,
>        Idle-Timeout = 604800,
>        Acct-Interim-Interval = 4084,
>        Fall-Through = No

  That should work.

> I've reviewed and done dozens of attempts using the preproxy_users,
> and users file (by trying with files above and below the suffix line
> in authorize{}); however, none of my attempts have been successful.

  See the FAQ for "it doesn't work".

> The lines match when viewing debug; however, by entering anything
> other than Auth-Type := Reject within the users file, the
> authentication proceeds on it's merry way to the proxy process
> downstream.
> 
> Any advice on a config which will accomplish this?

  Read the debug output.  It will tell you why it's being proxied.

  Alan DeKok.



More information about the Freeradius-Users mailing list