Jonathan wrote:
- I'm running Freeradius 2.2.5 with local users in SQL database - We have roaming users utilizing our network infrastructure, but these users do not exist in our own local database and need to be proxied for authentication/accounting - normal proxying and authentication/accounting is going well.
That's all good.
Setup: Roaming user <-> OUR_INFRA+RADIUS <-> ROAMING_RADIUS
Since it's an international roaming agreement, I have configured a catch-all REALM which do not match our owns to be send their:
realm "~.+$" { pool = ROAMING nostrip }
Hmm... why? The DEFAULT realm exists for precisely this purpose. See raddb/proxy.conf.
I now want to assign a user-profile for these users so that I can pre-authorize them using our own policies.
OK. The User-Profile in FreeRADIUS isn't used for much. Maybe LDAP, IIRC.
For example:
1) roaming is only allowed on weekends and weektime during evenings 2) per user, only 1 roaming session is allowed 3) per user volume limiting based on a user-profile for this roaming agreement (User-Profile := "roaming")
I've tried both methods below to set this in the authorize section as follows:
authorize{ ... sql if (notfound} update control { User-Profile := "roaming" } }
What do you expect that to do? All it does is set an attribute. It doesn't do anything *else* with it.
realm "~.+$" { pool = ROAMING nostrip update control { User-Profile := "roaming" } }
That won't work. No documentation says you can put an "update" section into a "realm" configuration.
but none are working, i've also tried proxy-request and request as update statements.
Why?
How can I assign profiles to roaming users who do not exist in our local database for authentication, but are accounted for locally.
You don't assign "profiles", for one. You can't just set "User-Profile = roaming" and expect tons of things to magically start working. You have to configure each thing individually. Then, put them all together. i.e. if you don't use the "User-Profile" attribute for *local* users, setting it for roaming users won't do anything. So for your list above, you've got to check (1), in the "authorize" section, after the "suffix" module: if (realm == DEFAULT && time is weekend or evening) { reject } See "man unlang" for syntax. See the logintime module for how to check dates and time ranges. (2) Set "Simultaneous-Use = 1" for all the roaming users. (3) volume limiting isn't in standard RADIUS. See your NAS documentation for how to configure it. Alan DeKok.