How to set User-Profile for roaming (proxied) users

Jonathan huffelduffel at gmail.com
Fri Jul 18 08:47:50 CEST 2014


> > realm "~.+$" {
> >         pool                    = ROAMING
> >         nostrip
> > }
>
>
>   Hmm... why?  The DEFAULT realm exists for precisely this purpose.  See
> raddb/proxy.conf.


I started with using just the DEFAULT realm, but for some reason,
FreeRADIUS then decides not to correctly populate the REALM attribute
anymore and just replaces any "@foobar value" with the "DEFAULT"
keyword. The regex match-all seems to overcome this limitation.

>
>   OK.  The User-Profile in FreeRADIUS isn't used for much.  Maybe LDAP,
> IIRC.

The user we are referring to in the User-Profile, namely "roaming",
exists in our SQL database and has specific check attributes.
I'm just trying to get roaming users who are not local to our system to
inherit specific check attributes for authorization.

However, I'm not sure how to do this. I've also tried setting the
SQL-Group, but that isn't supported (setting a virtual attribute is
not supported).

> > authorize {
> > ...
> >   sql
> >   if (notfound) {
> >     update control {
> >       User-Profile := "roaming"
> >     }
> >   }
> > }
>
>   What do you expect that to do?  All it does is set an attribute.  It
> doesn't do anything *else* with it.

I was hoping that it actually would do something :)


>
> > realm "~.+$" {
> >         pool                    = ROAMING
> >         nostrip
> >   update control {
> >     User-Profile := "roaming"
> >  }
> > }
>
>   That won't work.  No documentation says you can put an "update"
> section into a "realm" configuration.

I found that out myself as well. I did this because it would make it
easy to have this:

realm "bar"
{
}
realm "foo"
{
}
realm "~.+$"
{
# Match whatever was not matched before, as we know this would be roaming users.
# We have no idea which realm they will have, so from now on we need a
# way to know who's roaming and who's not.
update "something"... foobar
}

I didn't feel like matching all our local realms. You cannot match on
Realm=LOCAL, as if none is there the value will be NULL, and in case of
"bar" + "foo" they will be that. Unless there is an easier way of
differentiating?



>
> (2) Set "Simultaneous-Use = 1" for all the roaming users.

>
> (3) volume limiting isn't in standard RADIUS.  See your NAS
> documentation for how to configure it.

I'm very well aware of that, but the RADIUS should not authorize the
roaming user if he has exceeded his monthly volume profile.

Regards,

Jonathan

