Using the attrs concept but filtering it on incoming attributes?
Jarrod Sayers
jarrod at netleader.com.au
Mon Nov 27 12:47:32 CET 2006
I have tried to Google this and have come up with nothing thus
far, so I am going to throw this one out there to see if anyone can
shed some light on this unique problem. I look after a number of
FreeRADIUS 1.1.3 hosts basically acting as big proxies. One of the
destination realms, in this example some.fake.realm.com.au and NULL,
returns Tunnel-Private-Group-Id:1 that I trust for our access points,
but when the request is proxied off to another authenticator, we
strip that attribute and inject it in the post-proxy phase - all
standard stuff there.
I have hit a snag, which is that while I trust Tunnel-Private-Group-Id:
1 from those two realms (which are the same realm really), I need
that attribute stripped off when the requests are coming from other
clients. Ideally I need those two top realms in my attrs file to
only be processed for particular clients, but according to
attrs.sample you can't add filters to the line containing the realm.
The long and the short of it is that this realm is backed onto a
Cisco Secure ACS server that uses Network Access Profiles to simply
not return those attributes when the NAS-Identifier is not set to ones I
know about, but it appears not to be applying the profile anymore
(patch or something, I don't know...), so I would like to shift that
responsibility to FreeRADIUS.
Below is a conceptual example of what I am trying to achieve:
>>>
some.fake.realm.com.au NAS-Identifier == "SOME-AP-123"
	Tunnel-Private-Group-Id:1 =* ANY,
	Fall-Through = Yes
NULL NAS-Identifier == "SOME-AP-123"
	Tunnel-Private-Group-Id:1 =* ANY,
	Fall-Through = Yes
DEFAULT
	Tunnel-Type:1 == VLAN,
	...
<<<
The current attrs file:
>>>
some.fake.realm.com.au
	Tunnel-Private-Group-Id:1 =* ANY,
	Fall-Through = Yes
NULL
	Tunnel-Private-Group-Id:1 =* ANY,
	Fall-Through = Yes
DEFAULT
	Tunnel-Type:1 == VLAN,
	Tunnel-Medium-Type:1 == IEEE-802,
	Framed-IP-Address == 255.255.255.255,
	Proxy-State =* ANY,
	State =* ANY,
	EAP-Message =* ANY,
	MS-MPPE-Send-Key =* ANY,
	MS-MPPE-Recv-Key =* ANY,
	Reply-Message =* ANY,
	Cisco-AVPair =* ANY,
	Session-Timeout > 0,
	Class =* ANY,
	Message-Authenticator =* ANY
<<<
Anyone with a crazy idea that might work?
Jarrod.
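The following is an added worked example and is not part of Jarrod's post, nor code from FreeRADIUS or its attr_filter module. It is a small Python interpreter for the "conceptual" attrs layout above, in which a realm line may carry one check item against the incoming request (here NAS-Identifier == "SOME-AP-123"). The matching semantics are assumptions made for the illustration: an entry whose request check fails is treated as if it did not exist for that realm, so the request falls to DEFAULT and the Tunnel-Private-Group-Id is stripped; Fall-Through = Yes means DEFAULT's rules are added to the realm entry's rules; a reply attribute is kept only if some collected rule for that attribute accepts its value. The filter text, NAS names and reply attribute values are constructed for the example.

```python
"""Toy attrs-style reply filter with a per-realm request check (illustration only)."""
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed filter text, laid out like an attrs file but with the optional
# request check on the realm line that the post's conceptual example shows.
FILTER_TEXT = """\
some.fake.realm.com.au NAS-Identifier == "SOME-AP-123"
    Tunnel-Private-Group-Id:1 =* ANY,
    Fall-Through = Yes
NULL NAS-Identifier == "SOME-AP-123"
    Tunnel-Private-Group-Id:1 =* ANY,
    Fall-Through = Yes
DEFAULT
    Tunnel-Type:1 == VLAN,
    Tunnel-Medium-Type:1 == IEEE-802,
    Framed-IP-Address == 255.255.255.255,
    Session-Timeout > 0,
    Class =* ANY
"""

Rule = Tuple[str, str, str]   # (attribute name incl. tag, operator, value)
Attr = Tuple[str, str]        # (attribute name incl. tag, value)

# attribute, operator, optionally quoted value, optional trailing comma
ITEM_RE = re.compile(r'^\s*([\w\-:]+)\s*(=\*|==|>|<|=)\s*"?([^",]*)"?\s*,?\s*$')


@dataclass
class Entry:
    realm: str
    request_check: Optional[Rule]          # hypothetical extension: check on the request
    rules: List[Rule] = field(default_factory=list)
    fall_through: bool = False


def parse_filter(text: str) -> List[Entry]:
    """Parse realm lines (unindented) and their indented rule lines."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] not in " \t":
            parts = shlex.split(raw)         # REALM [Attr op "value"]
            check = (parts[1], parts[2], parts[3]) if len(parts) == 4 else None
            entries.append(Entry(parts[0], check))
            continue
        m = ITEM_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable rule line: {raw!r}")
        name, op, value = m.group(1), m.group(2), m.group(3).strip()
        if name == "Fall-Through":
            entries[-1].fall_through = value.lower() == "yes"
        else:
            entries[-1].rules.append((name, op, value))
    return entries


def rule_accepts(op: str, want: str, have: str) -> bool:
    """Does one rule accept the value actually present?"""
    if op == "=*":                    # any value is acceptable
        return True
    if op == "==":
        return have == want
    if op in ("<", ">"):              # numeric comparison, reject non-numbers
        try:
            a, b = int(have), int(want)
        except ValueError:
            return False
        return a > b if op == ">" else a < b
    raise ValueError(f"unsupported operator {op}")


def filter_reply(entries: List[Entry], realm: Optional[str],
                 request: Dict[str, str], reply: List[Attr]) -> List[Attr]:
    """Apply the filter for `realm` (None = NULL realm) to a proxied reply."""
    key = "NULL" if realm is None else realm
    allowed: List[Rule] = []
    matched, use_default = False, True
    for e in entries:
        if e.realm != key:
            continue
        if e.request_check is not None:
            name, op, want = e.request_check
            if name not in request or not rule_accepts(op, want, request[name]):
                continue                  # untrusted client: entry does not apply
        allowed.extend(e.rules)
        matched, use_default = True, e.fall_through
    if use_default or not matched:
        allowed.extend(r for e in entries if e.realm == "DEFAULT" for r in e.rules)
    # keep an attribute only if some rule for that attribute accepts its value
    return [(n, v) for n, v in reply
            if any(rn == n and rule_accepts(op, want, v) for rn, op, want in allowed)]


ENTRIES = parse_filter(FILTER_TEXT)

# Constructed requests and a constructed reply from the upstream authenticator.
REQUEST_TRUSTED = {"NAS-Identifier": "SOME-AP-123"}
REQUEST_OTHER = {"NAS-Identifier": "OTHER-NAS-7"}
REPLY: List[Attr] = [("Tunnel-Type:1", "VLAN"), ("Tunnel-Medium-Type:1", "IEEE-802"),
                     ("Tunnel-Private-Group-Id:1", "42"), ("Session-Timeout", "3600"),
                     ("Framed-IP-Address", "10.0.0.5"), ("Class", "sessionref")]

if __name__ == "__main__":
    for realm in ("some.fake.realm.com.au", None, "other.example"):
        for who, req in (("trusted AP", REQUEST_TRUSTED), ("other NAS", REQUEST_OTHER)):
            print(realm or "NULL", who, filter_reply(ENTRIES, realm, req, REPLY))
```

Run as a script, the trusted AP gets Tunnel-Private-Group-Id:1 back for both some.fake.realm.com.au and the NULL realm, any other NAS-Identifier has it stripped, and a realm with no entry of its own only ever sees DEFAULT; Framed-IP-Address is dropped in every case because the reply value is not 255.255.255.255.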