Using the attrs concept but filtering it on incoming attributes?

Jarrod Sayers jarrod at
Mon Nov 27 12:47:32 CET 2006

I have tried to Google this and and have come up with nothing thus  
far so I am going to throw this one out there to see if anyone can  
shed some light on this unique problem.  I look after a number of  
FreeRADIUS 1.1.3 hosts basically acting as big proxies.  One of the  
destination realms, in this example and NULL,  
returns Tunnel-Private-Group-Id:1 that I trust for our access points,  
but when the request is proxied off to another authenticator, we  
strip that attribute and inject it in the post-proxy phase - all  
standard stuff there.

I have hit a snag that is that while I trust Tunnel-Private-Group-Id: 
1 from those two realms (which are the same realm really), I need  
that attribute stripped off when the requests are coming from other  
clients.  Ideally I need those two top realms in my attrs file to  
only be processed from particular clients, but according to  
attrs.sample you can't add filters to the line containing the realm.

The long and the short of it is that this realm is backed onto a  
Cisco Secure ACS server that uses Network Access Profiles to simply  
not return those attributes when the NAS-Identifier is not set ones I  
know about but it appears not to be applying the profile anymore  
(patch or something, I don't know...) so I would like to shift that  
responsibility to FreeRADIUS.

Below is a conceptual example of what I am trying to achieve:

 >>>	NAS-Identifier == "SOME-AP-123"
         Tunnel-Private-Group-Id:1 =* ANY,
         Fall-Through = Yes

NULL	NAS-Identifier == "SOME-AP-123"
         Tunnel-Private-Group-Id:1 =* ANY,
         Fall-Through = Yes

         Tunnel-Type:1 == VLAN,

The current attrs file:

         Tunnel-Private-Group-Id:1 =* ANY,
         Fall-Through = Yes

         Tunnel-Private-Group-Id:1 =* ANY,
         Fall-Through = Yes

         Tunnel-Type:1 == VLAN,
         Tunnel-Medium-Type:1 == IEEE-802,
         Framed-IP-Address ==,
         Proxy-State =* ANY,
         State =* ANY,
         EAP-Message =* ANY,
         MS-MPPE-Send-Key =* ANY,
         MS-MPPE-Recv-Key =* ANY,
         Reply-Message =* ANY,
         Cisco-AVPair =* ANY,
         Session-Timeout > 0,
         Class =* ANY,
         Message-Authenticator =* ANY

Anyone with a crazy idea that might work?


More information about the Freeradius-Users mailing list