proxy and attribute overrides
Emmanuel Dreyfus
manu at netbsd.org
Wed Aug 8 09:56:26 CEST 2007
Hello
Sorry if this is a FAQ, but I have not found the answer, so here I am:
I use freeradius-1.1.6. The server does authorization and authentication
for a few NAS. Some users have logins in the local realm and others have
logins in proxied realms.
When a user passes authorization, the server returns a Framed-IP-Address
to the NAS. The address depends on the NAS and is selected using huntgroups.
I have a problem with users in proxied realms: after proxy authentication
is successful, radiusd sends a packet to the NAS with no Framed-IP-Address,
or with a Framed-IP-Address taken from the proxy RADIUS server.
I want my radius server to choose the Framed-IP-Address and ignore what
proxied servers send. This can be achieved using the attr_filter module,
but that module will only allow selection of the address based on the realm.
I cannot select through huntgroups, which is what I'm looking for.
The workaround I found is to add post_proxy_authorize = yes in the
server section of proxy.conf. That causes the proxied reply to go to
the authorization stage again and to have a correct Framed-IP-Address
added.
That post_proxy_authorize option is documented as deprecated and
scheduled for future removal. How can I achieve my setup without it?
I'm pretty confident there is a way of doing it, but I have not been
able to find it.
--
Emmanuel Dreyfus
manu at netbsd.org