pre-proxy ?

Olivier CALVANO o.calvano at gmail.com
Wed Mar 18 13:11:46 CET 2015


OK, I have added to raddb/sites-available/default:

        if ("%{Packet-Src-IP-Address}" == "192.168.10.100") {
                update request {
                        NAS-IP-Address := "172.17.10.250"
                }
        }


But no change ;=)

I receive the request from my supplier:

rad_recv: Access-Request packet from host 192.168.10.100 port 45471, id=48, length=175
        Proxy-State = 0x78d027c7
        User-Name = "test at customer.myrealm"
        Acct-Session-Id = "0305322696"
        CHAP-Password = 0x2begedk88395d0b869e1b950292
        Calling-Station-Id = "#BSPUT116#DSMIC109,1#105#50"
        NAS-Port-Type = ADSL-DMT
        NAS-Port = 1097400370
        NAS-IP-Address = 193.xx.xx.177
        Called-Station-Id = "DSL_MAX2"
        CHAP-Challenge = 0x3c405f155fhjs8kdjf411ee9861627
        Proxy-State = 0x313532

After that I have:

+group pre-proxy {
++? if ("%{Packet-Src-IP-Address}" == "192.168.10.100")
        expand: %{Packet-Src-IP-Address} -> 192.168.10.100
? Evaluating ("%{Packet-Src-IP-Address}" == "192.168.10.100") -> TRUE
++? if ("%{Packet-Src-IP-Address}" == "192.168.10.100") -> TRUE
++if ("%{Packet-Src-IP-Address}" == "192.168.10.100") {
+++update request {
+++} # update request = noop
++} # if ("%{Packet-Src-IP-Address}" == "192.168.10.100") = noop
+} # group pre-proxy = noop

And it sends the request to the proxy of my customer:

Sending Access-Request of id 24 to 1x.Xx.Xx.8 port 1812
        Proxy-State = 0x78d027cc
        User-Name = "test at customer.myrealm"
        Acct-Session-Id = "0305322889"
        CHAP-Password = 0x3c405f155fhjs8kdjf411ee9861627
        Calling-Station-Id = "#BSPUT116#DSMIC109,1#105#50"
        NAS-Port-Type = ADSL-DMT
        NAS-Port = 1097400370
        NAS-IP-Address = 193.xx.xx.177
        NAS-Identifier = "BSPUT116"
        Called-Station-Id = "DSL_MAX2"
        CHAP-Challenge =0x3c405f155fhjs8kdjf411ee9861627
        Proxy-State = 0x313537
        Message-Authenticator := 0x00000000000000000000000000000000
        Proxy-State = 0x3732


It hasn't changed the NAS-IP-Address.
An error of mine?


And if I want to add the realm to the "if":

if (("%{Packet-Src-IP-Address}" == "192.168.10.100") && (Realm =~ /customer.myrealm/)) {

Does that work for username at customer.myrealm and subdomains?
(username at demo.customer.myrealm)


Regards
Olivier



2015-03-18 11:59 GMT+01:00 Iliya Peregoudov <iperegudov at cboss.ru>:

> On 18.03.2015 10:35, Olivier CALVANO wrote:
>
>> Thanks for your return.
>>
>> Not exactly, because the NAS of my supplier can't interact directly with the
>> NAS of my customer. This has to go through my Cisco NAS.
>>
>> In the file proxy.conf, can we add a pre-proxy action?
>> Are pre-proxy and post-proxy managed in that file?
>>
>
> Pre-proxy section is used to modify request received from RADIUS client
> (e.g. NAS or downstream proxy server) before sending it to home server.
> Post-proxy section is used to modify response received from home server
> before sending it back to RADIUS client. Both pre-proxy section and
> post-proxy section are configured in raddb/sites-available/default.
>
>
>  2015-03-18 7:59 GMT+01:00 Iliya Peregoudov <iperegudov at cboss.ru>:
>>
>>> If I understand correctly there are supplier NAS, supplier proxy server,
>>> your proxy server, customer proxy server and customer NAS. Your goal is to
>>> make supplier NAS establish compulsory tunnel to customer NAS.
>>>
>>> CPE========Suplier NAS==================Customer NAS=====Customer net
>>>                 |                             |
>>>             Supplier         Your          Customer
>>>           proxy server----proxy server----home server
>>>
>>> Your proxy server should first proxy Access-Request from supplier proxy
>>> server to customer home server, then wait for customer home server
>>> response, then add Tunnel-Server-Endpoint attribute to the response and
>>> proxy the response back to supplier proxy server. This can be done in
>>> post-proxy section.
>>>
>>> When supplier NAS receive Access-Accept with Tunnel-Server-Endpoint it
>>> will establish compulsory tunnel to customer NAS. Customer NAS will send
>>> Access-Request to customer home server. There is no apparent reason for
>>> customer NAS to send Access-Request to your proxy server instead.
>>>
>>>
>>>
>>> On 18.03.2015 9:10, Olivier CALVANO wrote:
>>>
>>>> Hi
>>>>
>>>> I am new to FreeRADIUS and I am looking for a little help.
>>>>
>>>>
>>>> - I receive a Radius Access request from the radius of my supplier.
>>>> This Radius has the IP address 192.168.10.100
>>>>
>>>> - Based on the realm, I forward the request to my customer.
>>>>
>>>> I want to add to the process an action before sending the request to my
>>>> customer.
>>>>
>>>> Currently I have:
>>>>
>>>> in proxy.conf
>>>>
>>>> home_server rad-auth-primaire-1.customer_realm.myrealm {
>>>>           type            = auth
>>>>           ipaddr          = 172.16.1.1
>>>>           port            = 1812
>>>>           secret          = password
>>>>           require_message_authenticator = yes
>>>>           response_window = 20
>>>>           zombie_period   = 40
>>>>           status_check    = status-server
>>>>           check_interval  = 20
>>>>           num_answers_to_alive = 3
>>>> }
>>>>
>>>>
>>>> home_server_pool pool-auth.customer_realm.myrealm {
>>>>           type = fail-over
>>>>           home_server = rad-auth-primaire-1.customer_realm.myrealm
>>>>           home_server = rad-auth-secondaire-1.customer_realm.myrealm
>>>> }
>>>>
>>>>
>>>> realm "~(customer_realm.myrealm)" {
>>>>           auth_pool = pool-auth.customer_realm.myrealm
>>>>           nostrip
>>>> }
>>>>
>>>>
>>>> I want to add this action:
>>>>
>>>> Before sending the access request to my customer, I want my radius to
>>>> answer the radius server of my supplier with an Access-Accept with a:
>>>>       Tunnel-Server-Endpoint:0 = "172.17.10.250"
>>>>
>>>> With this information, my supplier sends the tunnel to 172.17.10.250, it's
>>>> a Cisco router. When I receive the tunnel it sends an access request to my
>>>> radius and I want my radius to forward the request to the radius server
>>>> of my customer with a:
>>>>       NAS-IP-Address = 172.17.10.250
>>>>
>>>> Is it possible?
>>>>
>>>> CPE Customer ==> My_Cisco_172.17.10.250 ==> Cisco of my Customer
>>>> (replied in radius tunnel end point)
>>>>
>>>>
>>>>
>>>>
>>>> I don't know which file I modify for this, policy.conf? Other?
>>>>
>>>> Very very new ;=)
>>>>
>>>> Thanks for your help
>>>> Olivier
>>>> -
>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>>>
>>>>
>
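
Added example, not part of the original thread: the realm condition asked about above, `Realm =~ /customer.myrealm/`, is an unanchored regex with an unescaped dot, so it matches subdomains and also other strings that merely contain the pattern. Python's `re.search` stands in for the server's regex matching here (an assumption that holds for these simple patterns); the sample realms and the stricter pattern are constructed for illustration.

```python
import re

# Pattern as written in the post: unanchored, and "." matches any character.
LOOSE = re.compile(r"customer.myrealm")

# Stricter form (an assumption, not from the thread): escape the dot and
# anchor the match so only the realm itself or its subdomains are accepted.
STRICT = re.compile(r"(^|\.)customer\.myrealm$")

# Constructed sample realms (the part after "@" in User-Name).
SAMPLE_REALMS = [
    "customer.myrealm",
    "demo.customer.myrealm",
    "customerXmyrealm",
    "notcustomer.myrealm",
    "customer.myrealm.example.net",
    "other.myrealm",
]


def matches(pattern, realm):
    """True if an unanchored regex search (as with =~) finds the pattern."""
    return pattern.search(realm) is not None


def compare(realms):
    """Return {realm: (loose_match, strict_match)} for each realm."""
    return {r: (matches(LOOSE, r), matches(STRICT, r)) for r in realms}


def unintended(realms):
    """Realms the loose pattern accepts but the strict one rejects."""
    return [r for r, (loose, strict) in compare(realms).items()
            if loose and not strict]


if __name__ == "__main__":
    for realm, (loose, strict) in compare(SAMPLE_REALMS).items():
        print(f"{realm:32} loose={loose!s:5} strict={strict}")
    print("matched only by the loose pattern:", unintended(SAMPLE_REALMS))
```

The same consideration applies to the `realm "~(customer_realm.myrealm)"` entry quoted from proxy.conf, since a loose realm regex decides which requests are forwarded to the customer's home server.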


More information about the Freeradius-Users mailing list