Inserting and/or replacing reply attributes on a proxy request
Jarrod Sayers
jarrod at netleader.com.au
Mon Oct 16 09:51:07 CEST 2006
An example would be handy :)
Jarrod.
On Mon, 16 Oct 2006, Peter Nixon wrote:
> Yep. I use "attrs.pre-proxy" and "attrs" files to do what they say on the tin.
> (Strip unwanted pairs pre and post proxy) then I add back in the pairs I want
> with rewrite rule and/or module (Module order is important here). For example
> this lets me strip "Framed-IP-Address" and then add one from sqlippool.
>
> Cheers
>
> Peter
>
> On Mon 16 Oct 2006 00:43, Jarrod Sayers wrote:
>> Thanks Peter, any tips on how you have done this? I'll look at
>> upgrading a development box to head today if it means I can resolve
>> this problem.
>>
>> Jarrod.
>>
>> On 16/10/2006, at 12:45 AM, Peter Nixon wrote:
>>> This is trivial to do on CVS head (We are using these features in
>>> production).
>>> 1.1.3 is pretty limited in this regard..
>>>
>>> Cheers
>>>
>>> Peter
>>>
>>> On Sun 15 Oct 2006 15:23, Jarrod Sayers wrote:
>>>> The concept is close, but the effect I need is silently add or
>>>> replace
>>>> these attributes from any proxy reply. While I am slightly concerned
>>>> that a realm neighbor would have the power to alter what tunnel group
>>>> they land in, I am also concerned about proxy replies that come back
>>>> without those variables. Reason being is without those variables,
>>>> that username and realm pair can associate to any SSID where
>>>> FreeRADIUS is used to check their credentials.
>>>>
>>>> Picture Cisco Aironet 1200's with multiple SSID's, all pointing back
>>>> to a single instance of FreeRADIUS. The access point is relying on
>>>> the RADIUS reply to determine if the user should be moved to another
>>>> SSID and without it, assumes the one they are attempting to
>>>> connect to
>>>> is correct.
>>>>
>>>> Jarrod.
>>>>
>>>> On 15/10/2006, at 2:43 PM, Owen DeLong wrote:
>>>>> Seems to me that you need to know which RADIUS box you sent the
>>>>> proxy request
>>>>> to and which destinations it is allowed to return. Then, you should
>>>>> be able to map
>>>>> any responses which don't match those tuples to proxy-reject with an
>>>>> error
>>>>> indicating that the proxy returned nefarious content.
>>>>>
>>>>> Perhaps, however, I simply am not understanding the problem
>>>>> statement.
>>>>>
>>>>> Owen
>>>>>
>>>>> On Oct 14, 2006, at 9:59 PM, Jarrod Sayers wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I have a FreeRADIUS 1.1.2 box which its only job in life is to
>>>>>> proxy requests based on realms, i.e., no local authentication is
>>>>>> done. One of the realms is internal to the organisation (lets call
>>>>>> that internal.org.com.au) and I trust the variables being returned,
>>>>>> however I have no control over one external realm (lets call that
>>>>>> some.other.org.net.au) and the default realm. The FreeRADIUS box
>>>>>> is used to proxy wireless requests which relies on the following
>>>>>> variables to dump users into their particular tunnel groups:
>>>>>>
>>>>>> Tunnel-Type:1 => VLAN
>>>>>> Tunnel-Medium-Type:1 => IEEE-802
>>>>>> Tunnel-Private-Group-Id:1 => 1234
>>>>>>
>>>>>> What I am trying to accomplish is to have replies from a certain
>>>>>> realm forced to be returned with set values either adding them in
>>>>>> if they are missing, or replacing them is they are not the same.
>>>>>> So, if the request is proxied to a trusted source then don't alter
>>>>>> the reply, though if its proxied to an external realm, force the
>>>>>> Tunnel-Private-Group-Id:1 attribute to be 1234, yet if its proxied
>>>>>> to the default realm, use 4321 instead.
>>>>>>
>>>>>> I had a go at this using the exec clause and had some success in
>>>>>> adding variables if they didn't exist in the reply, but it wouldn't
>>>>>> replace existing ones:
>>>>>>
>>>>>> modules {
>>>>>> ...
>>>>>>
>>>>>> exec vlan_assignment {
>>>>>> wait = yes
>>>>>> program = ${confdir}/vlan.sh
>>>>>> input_pairs = proxy-request
>>>>>> output_pairs = proxy-reply
>>>>>> packet_type = Access-Accept
>>>>>> }
>>>>>> }
>>>>>>
>>>>>> post-proxy {
>>>>>> vlan_assignment
>>>>>> ...
>>>>>> }
>>>>>>
>>>>>> The associated script that it ran:
>>>>>>
>>>>>> fruitbox# cat vlan.sh
>>>>>> #!/bin/sh
>>>>>>
>>>>>> # Set defaults.
>>>>>> TunnelType="VLAN"
>>>>>> TunnelMediumType="IEEE-802"
>>>>>> TunnelPrivateGroupId="200"
>>>>>>
>>>>>> # Only alter Wireless-802.11 requests.
>>>>>> if [ "${NAS_PORT_TYPE}" = "Wireless-802.11" -a "${REALM}" !=
>>>>>> "internal.org.com.au" ]; then
>>>>>> # Determine VLAN to be used.
>>>>>> if [ "${REALM}" = "some.other.org.net.au" ]; then
>>>>>> # Force user into specific tunnel group.
>>>>>> TunnelPrivateGroupId="1234"
>>>>>> elif [ "${REALM}" = "DEFAULT" ]; then
>>>>>> # Force user into specific tunnel group.
>>>>>> TunnelPrivateGroupId="4321"
>>>>>> fi
>>>>>>
>>>>>> # Return actual VLAN assignment.
>>>>>> echo "Tunnel-Type:1 = ${TunnelType}"
>>>>>> echo "Tunnel-Medium-Type:1 = ${TunnelMediumType}"
>>>>>> echo "Tunnel-Private-Group-Id:1 = \"${TunnelPrivateGroupId}\""
>>>>>> fi
>>>>>>
>>>>>> exit 0
>>>>>> fruitbox#
>>>>>>
>>>>>> Allowing these variables to pass though from untrusted sources may
>>>>>> allow a user to be placed in another organisations tunnel group
>>>>>> which I cannot allow.
>>>>>>
>>>>>> Any help or ideas appreciated :)
>>>>>>
>>>>>> Jarrod.
>>>>>> -List info/subscribe/unsubscribe? See
>>>>>> http://www.freeradius.org/list/users.html
>>>>>
>>>>> -
>>>>> List info/subscribe/unsubscribe? See
>>>>> http://www.freeradius.org/list/users.html
>>>>
>>>> -
>>>> List info/subscribe/unsubscribe? See
>>>> http://www.freeradius.org/list/users.html
>>>
>>> --
>>>
>>> Peter Nixon
>>> http://www.peternixon.net/
>>> PGP Key: http://www.peternixon.net/public.asc
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/
>>> users.html
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
> --
>
> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc
>
More information about the Freeradius-Users
mailing list