Proxying based on SSID

Lai Fu Keung LFK at cc.hku.hk
Wed Jan 24 11:09:18 CET 2007


>You can always put the check for SSID *after* the check for the
>realms.  In that case, the usernames will be stripped, and the SSID
>check can cancel any proxying, just like you do now.

Sorry Alan, I couldn't get you here.
 
Currently, the process (with the problem) is:
 
1. Check the realm, which will be set to DEFAULT, as the domain is unknown. The username is NOT stripped in the DEFAULT realm.
 
2. Then check the SSID inside FILE. Set the proxy-to-realm to local realm. The proxy is cancelled. But the username is still NOT stripped.
 
Where should I put the "check for SSID *after* the check for the realms" as you suggest?
 
Lai

 


________________________________

From: freeradius-users-bounces+lfk=cc.hku.hk at lists.freeradius.org on behalf of Alan DeKok
Sent: Wed 1/24/2007 3:18 PM
To: FreeRadius users mailing list
Subject: Re: Proxying based on SSID



Lai Fu Keung wrote:
> Normally, I proxy a PEAP request whenever the realm is unknown to us
> (i.e. using the DEFAULT realm without stripping user name). However, for
> some SSIDs, I want requests to be handled locally with ldap, independent
> of what the realm is (and with the user name stripped). What I did is to
> find those SSIDs in "Called-Station-ID" and
> set proxy-to-realm to a local realm.

  OK...

> But the problem (I guess) is that when freeradius processes the realm
> file, the user name is not stripped. When later on processed by the
> local realm, the request fails because the user name still contains the
> domain.

  The problem is that the realms file *isn't* being processed.  That's
why the user names aren't stripped.

  You can always put the check for SSID *after* the check for the
realms.  In that case, the usernames will be stripped, and the SSID
check can cancel any proxying, just like you do now.

  Alan DeKok.
--
  http://deployingradius.com - The web site of the book
  http://deployingradius.com/blog/ - The blog