How to set User-Profile for roaming (proxied) users

Alan DeKok aland at deployingradius.com
Sat Jul 19 22:04:24 CEST 2014


Jonathan wrote:
> I started with using just the DEFAULT realm, but for some reason,
> Freeradius then decides not to correctly populate the REALM attribute
> anymore and just replaces any "@foobar value" with the "DEFAULT"
> keyword. The regex matchall seems to overcome this limitation

  OK.

> The user we are referring to in the User-Profile, namely "roaming" is
> existing in our SQL database and having specific check attributes.
> I'm just trying roaming users which are not local to our system to
> inherit specific check attributes for authorization.

  Do the SQL qeuries use the User-Profile attribute?  Or the radcheck
table checks for User-Profile?

>>   What do you expect that to do?  All it does is set an attribute.  It
>> doesn't do anything *else* with it.
> 
> I was hoping that it actually would do something :)

  It does.  But please be *helpful* with your questions.  So far, it's
been "I set User-Profile, but it doesn't work".  Well... setting
User-Profile does nothing more than set User-Profile.  If you want
something ELSE to happen, you've got to configure that.

  And it helps to explain WHAT you're trying to do.  It's annoying to
have to drag information out of people.  "Oh, I didn't say... I'm
already using User-Profile for a bunch of other stuff"

  We're not mind readers.  We don't know what you've configured on your
local system until you explain it.

>>   That won't work.  No documentation says you can put an "update"
>> section into a "realm" configuration.
> 
> I found out that myself as well, I did this, because it would make it
> easy to have this:

  I have no idea what that means.  You're assuming that the server works
a particular way (which it doesn't), and then trying to come up with
"solutions" or proposals based on those assumptions.

  Please don't do that.

  The server behaves as documented.  If there's no documentation saying
you can do something, then you can't do it.

> I didn't feel like matching all our local realms, You cannot match on
> Realm=LOCAL as if none is there, value will be NULL, and in case of
> "bar" + "foo" they will be that. Unless there is an easier way of
> differentiating?

  I have no idea what that means.

>> (3) volume limiting isn't in standard RADIUS.  See your NAS
>> documentation for how to configure it.
> 
> I'm very well aware of that, but the RADIUS should not authorize the
> roaming user if he has exceeded his monthly volume profile

  So.... write SQL queries to CHECK the total monthly volume for the
user.  Then, reject the user if the volume is higher than allowed.

  The pieces are all there, and documented.  What is NOT documented is
exactly how to configure FreeRADIUS for your specific system.
Unfortunately, RADIUS is a *lot* more complicated than DNS or DHCP.  So
there is a lot more variation, and RADIUS admins have to do a lot more
thinking than DNS or DHCP admins.

  Alan DeKok.


More information about the Freeradius-Users mailing list