Big "VSA + Proxy" problem
Guilherme Franco
guilhermefranco at gmail.com
Fri Jun 8 05:20:07 CEST 2007
Hello,
Running Freeradius 1.1.4 on RHEL with an Oracle backend.
I'm at a carrier and every "@bar.com" request is configured to be
proxied but I have a problem where a VSA (in radreply table) is not
even sent to bar.com.
In my database:
select * from radcheck;

ID  USERNAME        ATTRIBUTE      OP  VALUE
--- --------------- -------------- --- -----------
1   foo at bar.com  User-Password  :=  temp123

select * from radreply;

ID  USERNAME        ATTRIBUTE           OP  VALUE
--- --------------- ------------------- --- ----------------
1   foo at bar.com  ERX-Service-Bundle  :=  test1
2   foo at bar.com  Framed-IP-Address   :=  192.168.254.199

Disabling the proxying for this realm works correctly (freeradius
auths the user locally and sends the VSA to the router).
With proxy configured, the user gets authenticated by bar.com but the
VSA is not sent to bar.com (no traces of it in pre_proxy logs nor in
radiusd -X debugs).
I've already added ERX-Service-Bundle =* ANY in both attrs and
attrs.pre-proxy and enabled the filters in radiusd.conf, but still no
luck.
Question: if that issue gets fixed and the VSA goes to bar.com, is
there any way for bar.com to return that same VSA untouched (considering
that bar.com doesn't know a thing about that VSA, i.e. it doesn't have
any VSA info in its database)? In fact, I don't need to send that VSA
to bar.com, I just need to send it directly to my router (just like in
the unproxied realm) but the proxy feature doesn't allow that.
Please consider that I can't simply add "ERX-Service-Bundle := test1"
in attrs (like I do with DNS VSAs) because the value of that VSA is
chained with the user in radreply and each user has its own different
value (test2, test5, etc.).
I'm very worried. Can anyone please shed some light on this?
Thank you very much!