pre-proxy ?

Olivier CALVANO o.calvano at gmail.com
Wed Mar 18 15:24:28 CET 2015


Is there nobody who has needed to change the IP of the NAS to the L2TP proxy?

2015-03-18 13:11 GMT+01:00 Olivier CALVANO <o.calvano at gmail.com>:

> OK, I have added to raddb/sites-available/default:
>
>         if ("%{Packet-Src-IP-Address}" == "192.168.10.100") {
>                 update request {
>                         NAS-IP-Address := "172.17.10.250"
>                 }
>         }
>
>
> but no change ;=)
>
> I receive the request from my supplier:
>
> rad_recv: Access-Request packet from host 192.168.10.100 port 45471,
> id=48, length=175
>         Proxy-State = 0x78d027c7
>         User-Name = "test at customer.myrealm"
>         Acct-Session-Id = "0305322696"
>         CHAP-Password = 0x2begedk88395d0b869e1b950292
>         Calling-Station-Id = "#BSPUT116#DSMIC109,1#105#50"
>         NAS-Port-Type = ADSL-DMT
>         NAS-Port = 1097400370
>         NAS-IP-Address = 193.xx.xx.177
>         Called-Station-Id = "DSL_MAX2"
>         CHAP-Challenge = 0x3c405f155fhjs8kdjf411ee9861627
>         Proxy-State = 0x313532
>
> after that I have:
>
> +group pre-proxy {
> ++? if ("%{Packet-Src-IP-Address}" == "192.168.10.100")
>         expand: %{Packet-Src-IP-Address} -> 192.168.10.100
> ? Evaluating ("%{Packet-Src-IP-Address}" == "192.168.10.100") -> TRUE
> ++? if ("%{Packet-Src-IP-Address}" == "192.168.10.100") -> TRUE
> ++if ("%{Packet-Src-IP-Address}" == "192.168.10.100") {
> +++update request {
> +++} # update request = noop
> ++} # if ("%{Packet-Src-IP-Address}" == "192.168.10.100") = noop
> +} # group pre-proxy = noop
>
> and it sends the request to the proxy of my customer:
>
> Sending Access-Request of id 24 to 1x.Xx.Xx.8 port 1812
>         Proxy-State = 0x78d027cc
>         User-Name = "test at customer.myrealm"
>         Acct-Session-Id = "0305322889"
>         CHAP-Password = 0x3c405f155fhjs8kdjf411ee9861627
>         Calling-Station-Id = "#BSPUT116#DSMIC109,1#105#50"
>         NAS-Port-Type = ADSL-DMT
>         NAS-Port = 1097400370
>         NAS-IP-Address = 193.xx.xx.177
>         NAS-Identifier = "BSPUT116"
>         Called-Station-Id = "DSL_MAX2"
>         CHAP-Challenge =0x3c405f155fhjs8kdjf411ee9861627
>         Proxy-State = 0x313537
>         Message-Authenticator := 0x00000000000000000000000000000000
>         Proxy-State = 0x3732
>
>
> it has not changed the NAS-IP-Address.
> An error on my part?
>
>
> and if I want to add the realm to the "if":
>
> if (("%{Packet-Src-IP-Address}" == "192.168.10.100") && (Realm =~ /customer.myrealm/)) {
>
> does that work for username at customer.myrealm and subdomains
> (username at demo.customer.myrealm)?
>
>
> regards
> Olivier
>
>
>
> 2015-03-18 11:59 GMT+01:00 Iliya Peregoudov <iperegudov at cboss.ru>:
>
>> On 18.03.2015 10:35, Olivier CALVANO wrote:
>>
>>> Thanks for your reply.
>>>
>>> Not exactly, because the NAS of my supplier can't interact directly with
>>> the NAS of my customer. This has to go through my Cisco NAS.
>>>
>>> In the file proxy.conf, can we add a pre-proxy action?
>>> Are pre-proxy and post-proxy managed in that file?
>>>
>>
>> The pre-proxy section is used to modify a request received from a RADIUS
>> client (e.g. a NAS or a downstream proxy server) before sending it to the
>> home server. The post-proxy section is used to modify the response received
>> from the home server before sending it back to the RADIUS client. Both the
>> pre-proxy section and the post-proxy section are configured in
>> raddb/sites-available/default.
>>
>>
>>> 2015-03-18 7:59 GMT+01:00 Iliya Peregoudov <iperegudov at cboss.ru>:
>>>
>>>> If I understand correctly there are a supplier NAS, a supplier proxy server,
>>>> your proxy server, a customer proxy server and a customer NAS. Your goal is
>>>> to make the supplier NAS establish a compulsory tunnel to the customer NAS.
>>>>
>>>> CPE========Suplier NAS==================Customer NAS=====Customer net
>>>>                 |                             |
>>>>             Supplier         Your          Customer
>>>>           proxy server----proxy server----home server
>>>>
>>>> Your proxy server should first proxy Access-Request from supplier proxy
>>>> server to customer home server, then wait for customer home server
>>>> response, then add Tunnel-Server-Endpoint attribute to the response and
>>>> proxy the response back to supplier proxy server. This can be done in
>>>> post-proxy section.
>>>>
>>>> When the supplier NAS receives an Access-Accept with Tunnel-Server-Endpoint
>>>> it will establish a compulsory tunnel to the customer NAS. The customer NAS
>>>> will send an Access-Request to the customer home server. There is no
>>>> apparent reason for the customer NAS to send the Access-Request to your
>>>> proxy server instead.
>>>>
>>>>
>>>>
>>>> On 18.03.2015 9:10, Olivier CALVANO wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> I am new to FreeRADIUS and I am looking for a little help.
>>>>>
>>>>>
>>>>> - I receive a RADIUS Access-Request from the RADIUS server of my supplier.
>>>>> This RADIUS server has the IP address 192.168.10.100.
>>>>>
>>>>> - Based on the realm, I forward the request to my customer.
>>>>>
>>>>> I want to add an action to the process before sending the request to my
>>>>> customer.
>>>>>
>>>>> Currently I have:
>>>>>
>>>>> in proxy.conf
>>>>>
>>>>> home_server rad-auth-primaire-1.customer_realm.myrealm {
>>>>>           type            = auth
>>>>>           ipaddr          = 172.16.1.1
>>>>>           port            = 1812
>>>>>           secret          = password
>>>>>           require_message_authenticator = yes
>>>>>           response_window = 20
>>>>>           zombie_period   = 40
>>>>>           status_check    = status-server
>>>>>           check_interval  = 20
>>>>>           num_answers_to_alive = 3
>>>>> }
>>>>>
>>>>>
>>>>> home_server_pool pool-auth.customer_realm.myrealm {
>>>>>           type = fail-over
>>>>>           home_server = rad-auth-primaire-1.customer_realm.myrealm
>>>>>           home_server = rad-auth-secondaire-1.customer_realm.myrealm
>>>>> }
>>>>>
>>>>>
>>>>> realm "~(customer_realm.myrealm)" {
>>>>>           auth_pool = pool-auth.customer_realm.myrealm
>>>>>           nostrip
>>>>> }
>>>>>
>>>>>
>>>>> I want to add this action:
>>>>>
>>>>> Before sending the Access-Request to my customer, I want my RADIUS server
>>>>> to answer the RADIUS server of my supplier with an Access-Accept
>>>>> containing:
>>>>>       Tunnel-Server-Endpoint:0 = "172.17.10.250"
>>>>>
>>>>> With this information, my supplier sends the tunnel to 172.17.10.250,
>>>>> which is a Cisco router; when I receive the tunnel it sends an
>>>>> Access-Request to my RADIUS server and I want my RADIUS server to forward
>>>>> the request to the RADIUS server of my customer with:
>>>>>       NAS-IP-Address = 172.17.10.250
>>>>>
>>>>> Is it possible?
>>>>>
>>>>> CPE Customer ==> My_Cisco_172.17.10.250 ==> Cisco of my Customer
>>>>> (returned in the RADIUS tunnel endpoint)
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> I don't know which file I should modify for this, policy.conf? Another one?
>>>>>
>>>>> very, very new ;=)
>>>>>
>>>>> thanks for your help
>>>>> Olivier
>>>>> -
>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>
>
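Added illustration, not part of the thread: the debug output above shows `update request` inside `pre-proxy` ending in `noop` and the proxied packet leaving unchanged. In unlang the packet about to be sent to the home server is the `proxy-request` list, not `request`, so an attribute meant for the customer's server has to be written there. The realm test is expressed on User-Name (kept intact by `nostrip` in the poster's realm block) and is my assumption of how to cover the sub-realm case asked about; addresses are the ones from the thread.

```unlang
# raddb/sites-available/default, added example (FreeRADIUS 2.x/3.x unlang)
pre-proxy {
        # Only rewrite packets that arrived from the supplier's proxy and
        # carry a user in customer.myrealm or any sub-realm of it
        # (user@customer.myrealm, user@demo.customer.myrealm). The regex is
        # anchored at the end, so user@customer.myrealm.other does not match.
        if (("%{Packet-Src-IP-Address}" == "192.168.10.100") && (User-Name =~ /@(.*\.)?customer\.myrealm$/)) {
                # proxy-request is the copy of the packet that will be sent
                # to the customer's home server; 'request' is only the
                # packet as received from the supplier.
                update proxy-request {
                        NAS-IP-Address := 172.17.10.250
                }
        }
}
```

Run `radiusd -X` and look for the `update proxy-request` lines in the `pre-proxy` group, then confirm the `Sending Access-Request` dump that follows shows the new NAS-IP-Address.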

