canceling/redirecting realm in pre-proxy ?

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri Oct 7 16:55:53 CEST 2011 

On 7 Oct 2011, at 15:28, Robert Roll wrote:

> Good thought, but it doesn't seem to do the trick, but thanks..
> 
>> Why don't you just avoid starting the proxy in the first place...
> 
> I want to actually proxy to a remote server, but they might send it back for further authentication..
> I need to detect and handle that, otherwise there would be a loop...

Ditch rlm_realm and use your own condition in authorize.

authorize {
	preprocess

	split_username_nai
	
	if(Stripped-User-Domain != 'my_local_realm' && Huntgroup-Name != 'servers_I_might_proxy_to'){
		update control {
			Proxy-To-Relam := 'my_remote_realm'
		}
	}
	else {
		# Local processing...
	}
}

You can also use %{Proxy-State[#]} to determine whether the request has already been proxied

if("%{Proxy-State[#]}"){
	# This request was received from a proxy server
}

-Arran

> 
> 
> Thanks,
> 
> Robert
> 
> 
> ________________________________________
> From: freeradius-users-bounces+robert.roll=utah.edu at lists.freeradius.org [freeradius-users-bounces+robert.roll=utah.edu at lists.freeradius.org] On Behalf Of Arran Cudbard-Bell [a.cudbardb at freeradius.org]
> Sent: Thursday, October 06, 2011 12:58 PM
> To: FreeRadius users mailing list
> Subject: Re: canceling/redirecting realm in pre-proxy ?
> 
> On 6 Oct 2011, at 20:19, Robert Roll wrote:
> 
>> There seems to be some comments about being able
>> to "cancel" a proxy in the pre-proxy section..
>> 
>> #  When the server decides to proxy a request to a home server,
>> #  the proxied request is first passed through the pre-proxy
>> #  stage.  This stage can re-write the request, or decide to
>> #  cancel the proxy.
>> 
>> What I really want to do is test some variables (unlang)  and based
>> on the outcome, I want to actually handle the request locally
>> rather than proxy. Maybe this is obvious, but I am not seeing it ?
> 
> 
> update control {
>        Proxy-To-Realm := 'local'
> }
> Why d
> Maybe... I'm not sure if it'll work. Why don't you just avoid starting the proxy in the first place...
> 
> -Arran
> 
> Arran Cudbard-Bell
> a.cudbardb at freeradius.org
> 
> Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 

Arran Cudbard-Bell
a.cudbardb at networkradius.com

Technical consultant and solutions architect

15 Ave. du Granier, Meylan, France
+33 4 69 66 54 50

More information about the Freeradius-Users mailing list