Trying to apply a simple proxy_reply law
Hello freeRADIUS friends! First of all, thank you all for your great labour developing such a great software. I have a doubt and it's very important for us to resolve it ASAP. We've installed freeRADIUS in its Version 1.0.2. Our problem is that we want to apply that rule: ACCESS RADIUS --------> OUR PROXY -------------------> HOME RADIUS <-----------------------------------------------------| (Filter) If an auth packet from a home RADIUS in our proxy it's been sent to the access RADIUS, we want that Session-Timeout attribute has a maximum of 3600 seconds. That's why we want to apply the following algorithm: If Session-Timeout is null, we want to proxy it with a value of a 3600 seconds If Session-Timeout is greater than 3600 we want forward it with 3600 seconds If Session-Timeout is smaller or equals to 3600, we want to respect it I'm sorry if that's trivial, but I've been a long time reading all kind of forums and specs, docs and faqs and I can't find the solution: The problem is: * Users file only seems to work as a filter for incoming request, not outcoming ones * Attr_filter module doesn't allow to write an attribute if and only if that's NULL (not even with '=' operand which hypothetically assigns a value only when it does not exist [in users file]) * Attr_rewrite doesn't seem to work unless you put the new_attribute parameter to yes (is that a bug) and I'm not sure if its possible to use it if attribute is not attached per se Hence my doubt. I will be very pleased if you could help me. Thanks a lot in advance!!!
Hi, how about setting post_proxy_authorize in proxy.conf and then creating rules for changing the attribute in the "users" file? Stefan -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
Yessssss. It Works!!!!! Thanks a lot, Stefan. I've been looking for that for a long time. For all the people who are trying to implement that feature I will summarize it: * If you want to apply rules in your attributes in order to change the reply from a home RADIUS that is sending back through a proxy, that's a solution. In our case, we want to rewrite Session-Timeout attribute only if its value exceeds 3600 or if it is null. So.. - Put the post_proxy_authorize in proxy.conf to 'yes' - Filter original attributes with overcoming values changing the 'attrs' file rules and then uncommenting it (through 'attr_filter' guideline) in post-proxy stage of radiusd.conf. For example, append or update the lines at the end of the file 'attrs' (in the last DEFAULT), the following rules: Session-Timeout <= 3600, That will make RADIUS to remove all the attributes from the replies bigger than these values, so attributes will remain only if their values are like we expected to. - Finally, due to the first action, RADIUS will process for a second time the authorize stage of radiusd.conf. If the word 'files' is uncommented, RADIUS will try to match the rules in 'users' file. As we erased till now all invalid values of the attribute Session-Timeout, it only leasts to rewrite those replies in which that attribute isn't there. That's simple, change the first DEFAULT entry of 'users' file that matches your expectations and add 'Session-Timeout = 3600'. The '=' operand ( http://wiki.freeradius.org/Operators ) means "add the item to the reply list, but only if there is no other item of the same attribute" DEFAULT Auth-Type = System Session-Timeout = 3600, Fall-Through = 1 Thank you all for your help. I hope it will be useful! MARC MIRANDA PIERNAU Departameto de Ingeniería mmiranda@gowex.com GOWEX, THE WIRELESS EXCHANGE www.gowex.es Paseo de la Castellana, 21 Tfno.+34 91 360 14 70 Fax. + 34 91 360 14 71 28046 Madrid -----Mensaje original----- De: freeradius-users-bounces+mmiranda=iber-x.com@lists.freeradius.org [mailto:freeradius-users-bounces+mmiranda=iber-x.com@lists.freeradius.org] En nombre de Stefan Winter Enviado el: viernes, 11 de mayo de 2007 14:38 Para: FreeRadius users mailing list Asunto: Re: Trying to apply a simple proxy_reply law Hi, how about setting post_proxy_authorize in proxy.conf and then creating rules for changing the attribute in the "users" file? Stefan -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
Yessssss. It Works!!!!! Thanks a lot, Stefan. I've been looking for that for a long time. For all the people who are trying to implement that feature I will summarize it: * If you want to apply rules in your attributes in order to change the reply from a home RADIUS that is sending back through a proxy, that's a solution. In our case, we want to rewrite Session-Timeout attribute only if its value exceeds 3600 or if it is null. So.. - Put the post_proxy_authorize in proxy.conf to 'yes' - Filter original attributes with overcoming values changing the 'attrs' file rules and then uncommenting it (through 'attr_filter' guideline) in post-proxy stage of radiusd.conf. For example, append or update the lines at the end of the file 'attrs' (in the last DEFAULT), the following rules: Session-Timeout <= 3600, That will make RADIUS to remove all the attributes from the replies bigger than these values, so attributes will remain only if their values are like we expected to. - Finally, due to the first action, RADIUS will process for a second time the authorize stage of radiusd.conf. If the word 'files' is uncommented, RADIUS will try to match the rules in 'users' file. As we erased till now all invalid values of the attribute Session-Timeout, it only leasts to rewrite those replies in which that attribute isn't there. That's simple, change the first DEFAULT entry of 'users' file that matches your expectations and add 'Session-Timeout = 3600'. The '=' operand ( http://wiki.freeradius.org/Operators ) means "add the item to the reply list, but only if there is no other item of the same attribute" DEFAULT Auth-Type = System Session-Timeout = 3600, Fall-Through = 1 Thank you all for your help. I hope it will be useful! MARC MIRANDA PIERNAU Departameto de Ingeniería mmiranda@gowex.com GOWEX, THE WIRELESS EXCHANGE www.gowex.es Paseo de la Castellana, 21 Tfno.+34 91 360 14 70 Fax. + 34 91 360 14 71 28046 Madrid -----Mensaje original----- De: freeradius-users-bounces+mmiranda=iber-x.com@lists.freeradius.org [mailto:freeradius-users-bounces+mmiranda=iber-x.com@lists.freeradius.org] En nombre de Stefan Winter Enviado el: viernes, 11 de mayo de 2007 14:38 Para: FreeRadius users mailing list Asunto: Re: Trying to apply a simple proxy_reply law Hi, how about setting post_proxy_authorize in proxy.conf and then creating rules for changing the attribute in the "users" file? Stefan -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
participants (2)
-
Marc Miranda (GOWEX) -
Stefan Winter