How can I change proxy based on username?

John Horne john.horne at plymouth.ac.uk
Tue Mar 26 13:50:44 CET 2013


Hello,

Using FreeRADIUS 2.1.10 I have been trying to see if I can proxy a
request to a remote server but using a different User-Name attribute
based on the original request User-Name attribute.

For example so that:
Request 'j.bloggs@plymouth.ac.uk' gets proxied to remote server with
User-Name="j.bloggs@plymouth.ac.uk" in the proxy request.
Request 'jbloggs@plymouth.ac.uk' gets proxied to the same remote server
but uses the User-Name="jbloggs" attribute (so no realm) in the proxy
request.

So basically if a username contains a dot, then proxy on the whole thing
(username and realm). But if the username does not contain a dot, then
only proxy on the username, no realm.

I have been trying in the authorize section to use:

=========================
    if (Realm !~ /^(NULL|DEFAULT|LOCAL)$/) {
            if (User-Name =~ /^([^.]+)@/) {
                    update control {
                            Proxy-To-Realm := NULL
                    }
            }
    }
=========================

The NULL realm will 'strip' the username, and proxy the request to the
remote server. However, testing shows that the User-Name being sent is
the original one still with the realm:

=========================
Tue Mar 26 12:31:07 2013 : Debug: ++? if (Realm !~ /^(NULL|DEFAULT|LOCAL)$/)
Tue Mar 26 12:31:07 2013 : Debug: ? Evaluating (Realm !~ /^(NULL|DEFAULT|LOCAL)$/) -> TRUE
Tue Mar 26 12:31:07 2013 : Debug: ++? if (Realm !~ /^(NULL|DEFAULT|LOCAL)$/) -> TRUE
Tue Mar 26 12:31:07 2013 : Debug: ++- entering if (Realm !~ /^(NULL|DEFAULT|LOCAL)$/) {...}
Tue Mar 26 12:31:07 2013 : Debug: +++? if (User-Name =~ /^([^.]+)@/)
Tue Mar 26 12:31:07 2013 : Debug: ? Evaluating (User-Name =~ /^([^.]+)@/) -> TRUE
Tue Mar 26 12:31:07 2013 : Debug: +++? if (User-Name =~ /^([^.]+)@/) -> TRUE
Tue Mar 26 12:31:07 2013 : Debug: +++- entering if (User-Name =~ /^([^.]+)@/) {...}
Tue Mar 26 12:31:07 2013 : Debug: ++++[control] returns updated
Tue Mar 26 12:31:07 2013 : Debug: +++- if (User-Name =~ /^([^.]+)@/) returns updated
Tue Mar 26 12:31:07 2013 : Debug: ++- if (Realm !~ /^(NULL|DEFAULT|LOCAL)$/) returns updated
Tue Mar 26 12:31:07 2013 : Debug: ++[local_mschap] returns noop
Tue Mar 26 12:31:07 2013 : Debug: [eap] Request is supposed to be proxied to Realm NULL.  Not doing EAP.
Tue Mar 26 12:31:07 2013 : Debug: ++[eap] returns noop
Tue Mar 26 12:31:07 2013 : Debug: ++[files] returns noop
Tue Mar 26 12:31:07 2013 : Debug: ++[expiration] returns noop
Tue Mar 26 12:31:07 2013 : Debug: ++[logintime] returns noop
Tue Mar 26 12:31:07 2013 : Debug: ++[pap] returns noop

...

Tue Mar 26 12:31:07 2013 : Debug: Sending Access-Request packet to host 141.163.1.180 port 1812, id=140, length=191
Tue Mar 26 12:31:07 2013 : Debug:       User-Name = "jbloggs@plymouth.ac.uk"
Tue Mar 26 12:31:07 2013 : Debug:       NAS-IP-Address = 127.0.0.1
Tue Mar 26 12:31:07 2013 : Debug:       Calling-Station-Id = "02-00-00-00-00-01"
Tue Mar 26 12:31:07 2013 : Debug:       Framed-MTU = 1400
Tue Mar 26 12:31:07 2013 : Debug:       NAS-Port-Type = Wireless-802.11
Tue Mar 26 12:31:07 2013 : Debug:       Connect-Info = "CONNECT 11Mbps 802.11b"
Tue Mar 26 12:31:07 2013 : Debug:       EAP-Message = 0x020c00261900170301001b3fb7e62a2e47d33ede49271ebc0c70dc92c4a82ac889c9b1867ddc
Tue Mar 26 12:31:07 2013 : Debug:       State = 0x28af050f0000013700018da3c9b4000000035b2fcad100
Tue Mar 26 12:31:07 2013 : Debug:       Message-Authenticator = 0x00000000000000000000000000000000
Tue Mar 26 12:31:07 2013 : Debug:       Realm = "plymouth.ac.uk"
Tue Mar 26 12:31:07 2013 : Debug:       EAP-Type = PEAP
Tue Mar 26 12:31:07 2013 : Debug:       Proxy-State = 0x3132
=========================

As the output shows 'Request is supposed to be proxied to Realm NULL',
so the authorize bit seems to be working, but the realm is not being
stripped from the username.

The proxy.conf file simply has:

=========================
realm NULL {
        auth_pool = local_proxies
}
=========================

So the realm should be stripped from the username.



Anyone any ideas about this?


Thanks,

John.

-- 
John Horne                   Tel: +44 (0)1752 587287
Plymouth University, UK      Fax: +44 (0)1752 587001
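
An added example, not part of the original post and not FreeRADIUS code: a small Python check that reads debug output of the kind shown above, extracts the User-Name actually sent in each proxied Access-Request, and compares it with the rule the post describes (no dot before the '@' means the bare username is expected). The sample log, the host 192.0.2.10 and all function names are constructed for illustration.

```python
import re

PREFIX = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} : Debug: ?")  # debug line prefix
NO_DOT_LOCAL = re.compile(r"^([^.]+)@")  # same pattern as the unlang condition
SENDING = re.compile(r"^Sending Access-Request packet to host (\S+) port \d+")
USER_NAME = re.compile(r'^\s+User-Name = "([^"]*)"')

# Constructed sample (not real output); two lines are mail-wrapped on purpose.
SAMPLE_LOG = """\
Tue Mar 26 12:31:07 2013 : Debug: Sending Access-Request packet to host
192.0.2.10 port 1812, id=140, length=191
Tue Mar 26 12:31:07 2013 : Debug:       User-Name =
"jbloggs@plymouth.ac.uk"
Tue Mar 26 12:31:07 2013 : Debug:       NAS-IP-Address = 127.0.0.1
"""

def unwrap(log_text):
    """Rejoin mail-wrapped continuation lines, then drop the timestamp prefix."""
    lines = []
    for raw in log_text.splitlines():
        if PREFIX.match(raw) or not lines:
            lines.append(raw)
        elif raw.strip():
            lines[-1] = lines[-1].rstrip() + " " + raw.strip()
    return [PREFIX.sub("", line, count=1) for line in lines]

def expected_proxy_name(original):
    """Rule from the post: no dot before '@' means send the bare username."""
    m = NO_DOT_LOCAL.match(original)
    return m.group(1) if m else original

def proxied_user_names(log_text):
    """Return (host, User-Name) for each proxied Access-Request in the log."""
    found, host = [], None
    for line in unwrap(log_text):
        sent, name = SENDING.match(line), USER_NAME.match(line)
        if sent:
            host = sent.group(1)
        elif name and host:
            found.append((host, name.group(1)))
            host = None
        elif not line[:1].isspace():
            host = None  # left the packet's attribute list
    return found

def audit(log_text, original):
    """List (host, sent, expected) where the proxied User-Name breaks the rule."""
    want = expected_proxy_name(original)
    return [(h, s, want) for h, s in proxied_user_names(log_text) if s != want]
```

Calling `audit(SAMPLE_LOG, "jbloggs@plymouth.ac.uk")` reports the proxied request because the realm is still attached; an empty list means every proxied User-Name matched the rule.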

