How can I change proxy based on username?
john.horne at plymouth.ac.uk
Tue Mar 26 16:12:59 CET 2013
On Tue, 2013-03-26 at 14:13 +0000, Phil Mayers wrote:
> On 26/03/2013 12:50, John Horne wrote:
> > Hello,
> > Using Freeradius 2.1.10 I have been trying to see if I can proxy a
> > request to a remote server but using a different User-Name attribute
> > based on the original request User-Name attribute.
> You can do this, but it might break things because you're using EAP.
Yes, it seems that just changing the 'User-Name' attribute results in
authentication failures (no doubt due to EAP breaking).
> What is the upstream proxy?
Microsoft domain controller (DC).
> Can you explain why you want to do this? Obviously it's possible to
> manipulate the packet in many ways, but your goal may be best
> accomplished via a different route.
The DC will recognise a users userid (e.g. 'jbloggs') provided it has no
realm. It will also recognise (what I think is the UPN?) which is of the
form 'j.bloggs at plymouth.ac.uk'.
However, we have to cater for a mixed format of
'jbloggs at plymouth.ac.uk', which is currently used by some users and
working. To do this we need to strip off the realm so that the DC will
recognise just the userid part ('jbloggs'). (For completeness, the
format 'j.bloggs' with no realm is not allowed by us and rejected.)
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001
More information about the Freeradius-Users