Thanks Alan. I have been researching what you said and have seen from debug that the = code you gave me seems to be accepted by the server when it is = processed. I put the code in the authorize section of the = /etc/freeradius/sites-enabled/default. I get: Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.10.10.10 port 51690, id=3D9, = length=3D43 User-Name =3D "noo" User-Password =3D "smartcity123" # Executing section authorize from file = /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [IPASS] No '/' in User-Name =3D "noo", looking up realm NULL [IPASS] Found realm "DEFAULT" [IPASS] Adding Stripped-User-Name =3D "noo" [IPASS] Adding Realm =3D "DEFAULT" [IPASS] Proxying request from user noo to realm DEFAULT [IPASS] Preparing to proxy authentication request to realm "DEFAULT" ++[IPASS] returns updated ++? if (Packet-Src-IP-Address =3D=3D 10.10.10.10) expand: %{Packet-Src-IP-Address} -> 10.10.10.10 ? Evaluating (Packet-Src-IP-Address =3D=3D 10.10.10.10) -> TRUE ++? if (Packet-Src-IP-Address =3D=3D 10.10.10.10) -> TRUE ++- entering if (Packet-Src-IP-Address =3D=3D 10.10.10.10) {...} +++[control] returns updated ++- if (Packet-Src-IP-Address =3D=3D 10.10.10.10) returns updated [suffix] Request already proxied. Ignoring. ++[suffix] returns ok WARNING: Empty pre-proxy section. Using default return values. Sending Access-Request of id 122 to 10.200.0.1 port 1812 User-Name =3D "noo" User-Password =3D "test" NAS-IP-Address =3D 10.10.10.10 Proxy-State =3D 0x3130 Proxying request 0 to home server 10.200.0.1 port 1812 Sending Access-Request of id 122 to 10.200.0.1 port 1812 User-Name =3D "noo" User-Password =3D "test" NAS-IP-Address =3D 10.10.10.10 Proxy-State =3D 0x3130 Going to the next request So it looks like it evaluates the unlang correctly, but it doesn't = change the home server pool to the intended pool. Is the unlang supposed to be in the authorize section as I suspect? = (NEWPOOL is the pool I want to choose) Here is some config (the relevant part anyway) root@FreeRADIUS:/etc/freeradius# cat sites-enabled/default authorize { preprocess IPASS if(Packet-Src-IP-Address =3D=3D 10.10.10.10) { update control { Home-Server-Pool =3D NEWPOOL } } suffix } ........................................ root@FreeRADIUS:/etc/freeradius# cat proxy.conf proxy server { default_fallback =3D no } home_server default { type =3D auth+acct ipaddr =3D 10.200.0.1 port =3D 1812 secret =3D gdsa } home_server primary { type =3D auth+acct ipaddr =3D 10.100.0.1 port =3D 1812 secret =3D secret } home_server_pool DEFAULT { home_server =3D default } home_server_pool NEWPOOL { home_server =3D primary } realm DEFAULT { auth_pool =3D DEFAULT } I am still learning and researching. I just can't find enough = documentation out there which is why I turned to the mailing list. = Thanks for your assistance. On May 18, 2013, at 5:36 AM, Alan DeKok-2 [via FreeRADIUS] <ml-node+s1045715n5720262h64@n5.nabble.com> wrote:
Jeremiah Peterson wrote:
I see that it is possible to create realms and have each realm use a different proxy, but what I am more interested in is having the authentication method be selected based on client.
For example:
If the request comes from IP 10.10.10.10 and user bob then use home_server_pool xxx (and return attribute "blah blah blah") If the request comes from IP 10.20.20.20 and user bob then use home_server_pool yyy (and return attribute "yadda yadda yadda") If the request comes from IP 10.30.30.30 and user bob then use home_server_pool zzz (and return results from SQL query "xxxxx")
Most of this can be done via "unlang". It has if/then/else checks, just like you wrote above. You can even update the control items to have "Home-Server-Pool := xxx".
I can see how this is done when making the user enter a realm name or prefix or suffix to the username, but I don't want to do that for every authentication. I want the authentication method to be selected based on the client.
You can select the *source* for authentication credentials. You can't select the authentication *method*. The client selects that. (PAP, CHAP, etc.)
I have been searching for details on all the configuration files but I am not finding anything very conclusive or explanatory on how to build custom sites.
It's pretty simple:
if ((Packet-Src-IP-Address == 10.10.10.10) && (User-Name == "bob")) { update control { Home-Server-Pool := "xxx" } }
You can't edit the reply here, because it's set by the home server. You'll need to set the reply in post-auth.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
If you reply to this email, your message will be added to the discussion below: http://freeradius.1045715.n5.nabble.com/Selecting-authentication-based-on-NA... To unsubscribe from FreeRADIUS, click here. NAML