<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div>Thanks Alan.<br><br>
I have been researching what you said and have seen from debug that the code you gave me seems to be accepted by the server when it is processed. I put the code in the authorize section of the /etc/freeradius/sites-enabled/default.<br><br>
I get:<br><br>
Listening on authentication address * port 1812<br>
Listening on accounting address * port 1813<br>
Listening on proxy address * port 1814<br>
Ready to process requests.<br>
rad_recv: Access-Request packet from host 10.10.10.10 port 51690, id=9, length=43<br>
 User-Name = "noo"<br>
 User-Password = "smartcity123"<br>
# Executing section authorize from file /etc/freeradius/sites-enabled/default<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
[IPASS] No '/' in User-Name = "noo", looking up realm NULL<br>
[IPASS] Found realm "DEFAULT"<br>
[IPASS] Adding Stripped-User-Name = "noo"<br>
[IPASS] Adding Realm = "DEFAULT"<br>
[IPASS] Proxying request from user noo to realm DEFAULT<br>
[IPASS] Preparing to proxy authentication request to realm "DEFAULT"<br>
++[IPASS] returns updated<br>
++? if (Packet-Src-IP-Address == 10.10.10.10)<br>
 expand: %{Packet-Src-IP-Address} -> 10.10.10.10<br>
? Evaluating (Packet-Src-IP-Address == 10.10.10.10) -> TRUE<br>
++? if (Packet-Src-IP-Address == 10.10.10.10) -> TRUE<br>
++- entering if (Packet-Src-IP-Address == 10.10.10.10) {...}<br>
+++[control] returns updated<br>
++- if (Packet-Src-IP-Address == 10.10.10.10) returns updated<br>
[suffix] Request already proxied. Ignoring.<br>
++[suffix] returns ok<br>
 WARNING: Empty pre-proxy section. Using default return values.<br>
Sending Access-Request of id 122 to 10.200.0.1 port 1812<br>
 User-Name = "noo"<br>
 User-Password = "test"<br>
 NAS-IP-Address = 10.10.10.10<br>
 Proxy-State = 0x3130<br>
Proxying request 0 to home server 10.200.0.1 port 1812<br>
Sending Access-Request of id 122 to 10.200.0.1 port 1812<br>
 User-Name = "noo"<br>
 User-Password = "test"<br>
 NAS-IP-Address = 10.10.10.10<br>
 Proxy-State = 0x3130<br>
Going to the next request<br><br><br><br><br>
So it looks like it evaluates the unlang correctly, but it doesn't change the home server pool to the intended pool.<br><br><br><br>
Is the unlang supposed to be in the authorize section as I suspect? (NEWPOOL is the pool I want to choose)<br><br>
Here is some config (the relevant part anyway)<br><br><br><br>
root@FreeRADIUS:/etc/freeradius# cat sites-enabled/default<br>
authorize {<br>
 preprocess<br>
 IPASS<br>
 if(Packet-Src-IP-Address == 10.10.10.10) {<br>
 update control {<br>
 Home-Server-Pool = NEWPOOL<br>
 }<br>
 }<br>
 suffix<br>
}<br>
........................................<br><br><br>
root@FreeRADIUS:/etc/freeradius# cat proxy.conf<br>
proxy server {<br>
 default_fallback = no<br>
}<br>
home_server default {<br>
 type = auth+acct<br>
 ipaddr = 10.200.0.1<br>
 port = 1812<br>
 secret = gdsa<br>
}<br>
home_server primary {<br>
 type = auth+acct<br>
 ipaddr = 10.100.0.1<br>
 port = 1812<br>
 secret = secret<br>
}<br><br>
home_server_pool DEFAULT {<br>
 home_server = default<br>
}<br>
home_server_pool NEWPOOL {<br>
 home_server = primary<br>
}<br><br>
realm DEFAULT {<br>
 auth_pool = DEFAULT<br>
}<br><br><br>
I am still learning and researching. I just can't find enough documentation out there which is why I turned to the mailing list. Thanks for your assistance.<br>
On May 18, 2013, at 5:36 AM, Alan DeKok-2 [via FreeRADIUS] <<a href="mailto:ml-node+s1045715n5720262h64@n5.nabble.com">ml-node+s1045715n5720262h64@n5.nabble.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
Jeremiah Peterson wrote:
<br>> I see that it is possible to create realms and have each realm use a different proxy, but what I am more interested in is having the authentication method be selected based on client.
<br>>
<br>> For example:
<br>>
<br>> If the request comes from IP 10.10.10.10 and user bob then use home_server_pool xxx (and return attribute "blah blah blah")
<br>> If the request comes from IP 10.20.20.20 and user bob then use home_server_pool yyy (and return attribute "yadda yadda yadda")
<br>> If the request comes from IP 10.30.30.30 and user bob then use home_server_pool zzz (and return results from SQL query "xxxxx")
<br><br> Most of this can be done via "unlang". It has if/then/else checks,
<br>just like you wrote above. You can even update the control items to
<br>have "Home-Server-Pool := xxx".
<br><br>> I can see how this is done when making the user enter a realm name or prefix or suffix to the username, but I don't want to do that for every authentication. I want the authentication method to be selected based on the client.
<br><br> You can select the *source* for authentication credentials. You can't
<br>select the authentication *method*. The client selects that. (PAP,
<br>CHAP, etc.)
<br><br>> I have been searching for details on all the configuration files but I am not finding anything very conclusive or explanatory on how to build custom sites.
<br><br> It's pretty simple:
<br><br> if ((Packet-Src-IP-Address == 10.10.10.10) && (User-Name == "bob")) {
<br> update control {
<br> Home-Server-Pool := "xxx"
<br> }
<br> }
<br><br><br> You can't edit the reply here, because it's set by the home server.
<br>You'll need to set the reply in post-auth.
<br><br> Alan DeKok.
</blockquote></div><br></body></html>