proxy DEFAULT realm bug-o-feature?
Mike
needacoder at gmail.com
Tue Oct 17 17:18:37 CEST 2006
> > I placed the following into my preproxy_users file:
> >
> > DEFAULT Realm != "NULL"
> > NAS-IP-Address := `%{Realm}`
> >
> > But instead of the expected result, I am observing:
>
> Could you please explain wat the "expected result" is?
>
> Realm is a string. NAS-IP-Address is an IP address. What do you
> expect it to do, and why? Why are you trying to configure it this
> way? What are you trying to do?
Alan, Stefan,
My RADIUS server is a third party POS that relies on NAS-IP-Address to
match up the origin of the RADIUS request with the Realm it belongs
to. This presents an obvious problem when one device needs to be used
from multiple Realms. To further complicate the issue, the
originating device has no way to convey the Realm outside of the
User-Name field. I am using FreeRADIUS as a proxy between the device
that has control over User-Name and RADIUS server that decies what
Realm to use based on NAS-IP-Address. The configuration on the device
allows me to put:
some_user1 at 10.0.0.1
and
some_user1 at 10.0.0.2
FreeRADIUS receives this request, strips off the Realm, and substitues
the Realm (10.0.0.x) into the NAS-IP-Address field. When RADIUS
server receives the request, it is able to properly handle it in the
appropriate Realm by finding the realm with the correct IP address.
The above example has two Realms. In reality I have 40+ and growing.
I can solve it by copying and pasting:
realm 10.0.0.1 { ... }
realm 10.0.0.2 { ... }
...
realm 10.0.0.40 { ... }
40 times and update in the future when I need more. Instead, I tried
to be "smarter" by using the default realm, that way I need to only
have a single realm statement in config and it will work "forever".
When I did this, I find that the suffix module is actually returning
the string DEFAULT instead of actual Realm name, so the real Realm
name is lost and can not be used in the preproxy_user rules (in my
case to put it into the NAS-IP-Address field.)
I hope the explanation above makes sense. Thanks in advance for your
help (and a great RADIUS proxy server: it works (seemingly) flawlessly
as long as DEFAULT is not used.)
More information about the Freeradius-Devel
mailing list