proxied server and right flamed IP to ppp clients
Is there any way to ensure (or check) that the proxied server assigned a right framed IP within a specific range of IPs? unlang perhaps? Main Server proxy to +-> freeradius Server 1 | (must be use ip pool 10.0.0.0/24) +------+ | | | +-> freeradius Server 2 | (must be use ip pool 10.0.1.0/24) | Main server check if the framed IP is within the correct pool, if not reject. Thank you.
On Tue, Sep 18, 2012 at 9:24 PM, lscrlstld <lscrlstld@gmail.com> wrote:
Is there any way to ensure (or check) that the proxied server assigned a right framed IP within a specific range of IPs? unlang perhaps?
Main Server proxy to +-> freeradius Server 1 | (must be use ip pool 10.0.0.0/24) +------+ | | | +-> freeradius Server 2 | (must be use ip pool 10.0.1.0/24) | Main server check if the framed IP is within the correct pool, if not reject.
IMHO a cleaner solution would be for you to assign the IP addresses yourself. Failing that, perhaps some unlang in post-proxy or post-auth might work. -- Fajar
Main server check if the framed IP is within the correct pool, if not reject.
IMHO a cleaner solution would be for you to assign the IP addresses yourself.
Yeap, I think so too. But how to do this if the authentication is done on a remote server?
lscrlstld wrote:
But how to do this if the authentication is done on a remote server?
You just create a local IP pool, and add it to the post-auth section. Make sure you delete the "upstream" Framed-IP-Address in the post-proxy section. The whole *point* of post-auth is to add local configuration such as this. Alan DeKok.
On Tue, Sep 18, 2012 at 9:49 PM, lscrlstld <lscrlstld@gmail.com> wrote:
Main server check if the framed IP is within the correct pool, if not reject.
IMHO a cleaner solution would be for you to assign the IP addresses yourself.
Yeap, I think so too. But how to do this if the authentication is done on a remote server?
Also using unlang in post-proxy/post-auth :) See "man unlang" on how to remove an attribute. As an alternative, see raddb/modules/attr_filter, which basically can filter-out attributes you don't want (in this case, Framed-IP-Address) -- Fajar
participants (3)
-
Alan DeKok -
Fajar A. Nugraha -
lscrlstld