Hi All, Any pointers on how to start hacking the source? What I need to do is look for MS-CHAP-Error 648 (which means the password needs to be changed) and then add a different IP address and filter + DNS server information in order for the end-user to be redirected to a webserver. I can't do all of it in rlm_perl because I need to proxy to a windows IAS. Cheers John Morrissey wrote:
I would like to override failed (rejected, timed out) proxy responses with local authentication data. IOW, if the proxy request fails, I want to process the request locally.
That can't really be done with the current server. You will need to hack the source code to get this done.
It looks like the proxy reply trumps local authorization/authentication, and I can't find a way to override the proxy's response code.
Yes. There is usually ONE source for authentication. Turning a reject into an accept is a *very* unusual practice.
If this was the opposite way (don't proxy for accounts that exist locally), it seems I could remove Proxy-To-Realm to prevent proxying.
Is there a way to do the opposite (perform proxying and override the proxy's response with local auth)?
No. Alan DeKok.
Eric wrote:
What I need to do is look for MS-CHAP-Error 648 (which means the password needs to be changed) and then add a different IP address and filter + DNS server information in order for the end-user to be redirected to a webserver.
Right now, the server can't change a proxied Access-Reject to an Access-Accept. Even if it could, RADIUS doesn't support sending DNS information. What you want is a captive portal. Alan DeKok.
Alan DeKok wrote:
Eric wrote:
What I need to do is look for MS-CHAP-Error 648 (which means the password needs to be changed) and then add a different IP address and filter + DNS server information in order for the end-user to be redirected to a webserver.
Right now, the server can't change a proxied Access-Reject to an Access-Accept. Even if it could, RADIUS doesn't support sending DNS information.
Captive portal is not always possible. E.g. our local telco (Telkom) supports the above scheme for capped accoutings. You may supply DNS servers via Radius attibutes to the NAS. The NAS will then assign your DNS servers to the client in stead of the standard telco DNS servers. You then setup your DNS servers to fake it, and supply your "topup page" IP address for and DNS request. It is a silly scheme, but it is all they support. -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782
What I need to do is look for MS-CHAP-Error 648 (which means the password needs to be changed) and then add a different IP address and filter + DNS server information in order for the end-user to be redirected to a webserver.
Right now, the server can't change a proxied Access-Reject to an Access-Accept. Even if it could, RADIUS doesn't support sending DNS information.
Captive portal is not always possible.
E.g. our local telco (Telkom) supports the above scheme for capped accoutings. You may supply DNS servers via Radius attibutes to the NAS.
The NAS will then assign your DNS servers to the client in stead of the standard telco DNS servers.
You then setup your DNS servers to fake it, and supply your "topup page" IP address for and DNS request.
It is a silly scheme, but it is all they support.
And how is user supposed to open that "topup page" if he is looking for Google, for instance? What you want *is* a captive portal - it will capture the user and redirect him from the requested page onto the one you want him to see. Ivan Kalik Kalik Informatika ISP
Ivan Kalik wrote:
And how is user supposed to open that "topup page" if he is looking for Google, for instance?
Instead of Google's IPs your DNS servers would return your web server, with the "topup page". What you want *is* a captive portal - it will
capture the user and redirect him from the requested page onto the one you want him to see.
I didn't say I agree with the DNS scheme. I do agree that a captive portal is the best solution. I was simply mentioning that it is not always possible. It struck me when someone else mentioned the same scheme my local telco uses..... -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782
And how is user supposed to open that "topup page" if he is looking for Google, for instance?
Instead of Google's IPs your DNS servers would return your web server, with the "topup page".
What you want *is* a captive portal - it will
capture the user and redirect him from the requested page onto the one you want him to see.
I didn't say I agree with the DNS scheme. I do agree that a captive portal is the best solution. I was simply mentioning that it is not always possible.
It is possible - that's what you are making. DNS scheme is not going to work. All user has to do to defeat that is to change the assigned DNS servers - and he can surf the net. You need a proper captive portal where user can't simply change DNS info and/or assigned IP and escape. Ivan Kalik Kalik Informatika ISP
Hello, You are right, that's why I also plan to set a filter on the connection to make sure that those IP's (the portal and the DNS servers) are the only one the customer can reach. My thought when I woke up this morning is to check in rlm_perl whether the response was a 'change password' MS-CHAP-Error value (648), note down the name, then return a HANDLED. I seem to have noticed that freeradius will not send a reply when you return HANDLED. If so, the client will most likely retry the request, at which point you can catch the same username in pre-auth or pre-proxy and redo the request into a default user that goes to the top up page. Does that seem like a work-around or not? Cheers Eric Ivan Kalik wrote:
And how is user supposed to open that "topup page" if he is looking for Google, for instance? Instead of Google's IPs your DNS servers would return your web server, with the "topup page".
What you want *is* a captive portal - it will
capture the user and redirect him from the requested page onto the one you want him to see.
I didn't say I agree with the DNS scheme. I do agree that a captive portal is the best solution. I was simply mentioning that it is not always possible.
It is possible - that's what you are making. DNS scheme is not going to work. All user has to do to defeat that is to change the assigned DNS servers - and he can surf the net. You need a proper captive portal where user can't simply change DNS info and/or assigned IP and escape.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ivan Kalik wrote:
And how is user supposed to open that "topup page" if he is looking for Google, for instance? Instead of Google's IPs your DNS servers would return your web server, with the "topup page".
What you want *is* a captive portal - it will
capture the user and redirect him from the requested page onto the one you want him to see.
I didn't say I agree with the DNS scheme. I do agree that a captive portal is the best solution. I was simply mentioning that it is not always possible.
It is possible - that's what you are making. DNS scheme is not going to work. All user has to do to defeat that is to change the assigned DNS servers - and he can surf the net. You need a proper captive portal where user can't simply change DNS info and/or assigned IP and escape.
Our local telco includes a filter for you as well, with the DNS scheme, so the client can only reach your topup server. -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782
Hi All, Answering my own post, I ended up putting some sort of check in post_proxy (match for MS-CHAP-Error 648), which then sets the username that I need to assign a different IP ranges because the account is set on the IAS as 'change password' in a db file. I return from post_proxy with HANDLED; This means indeed that the client times out. Durint the authorize phase I then check whether this is the username I need to allow, delete it from the db_file and rewrite the request to a default user with the parameters that I need. Now just need to figure out how to do the DNS. Worst case I can use a split-dns based on the different IP ranges. Cheers Eric Johan Meiring wrote:
Ivan Kalik wrote:
And how is user supposed to open that "topup page" if he is looking for Google, for instance? Instead of Google's IPs your DNS servers would return your web server, with the "topup page".
What you want *is* a captive portal - it will
capture the user and redirect him from the requested page onto the one you want him to see.
I didn't say I agree with the DNS scheme. I do agree that a captive portal is the best solution. I was simply mentioning that it is not always possible.
It is possible - that's what you are making. DNS scheme is not going to work. All user has to do to defeat that is to change the assigned DNS servers - and he can surf the net. You need a proper captive portal where user can't simply change DNS info and/or assigned IP and escape.
Our local telco includes a filter for you as well, with the DNS scheme, so the client can only reach your topup server.
participants (4)
-
Alan DeKok -
Eric -
Ivan Kalik -
Johan Meiring