Trying to apply a simple proxy_reply law

Marc Miranda (GOWEX) mmiranda at iber-x.com
Wed May 16 17:55:07 CEST 2007


Yessssss. It Works!!!!!
Thanks a lot, Stefan. I've been looking for that for a long time.
For all the people who are trying to implement that feature I will summarize
it:

 * If you want to apply rules in your attributes in order to change the
reply from a home RADIUS that is sending back through a proxy, that's a
solution. In our case, we want to rewrite Session-Timeout attribute only if
its value exceeds 3600 or if it is null. So..

     - Put the post_proxy_authorize in proxy.conf to 'yes'
     - Filter original attributes with overcoming values changing the
'attrs' file rules and then uncommenting it (through 'attr_filter'
guideline) in post-proxy stage of radiusd.conf. For example, append or
update the lines at the end of the file 'attrs' (in the last DEFAULT), the
following rules:
 
          Session-Timeout <= 3600,
          
	That will make RADIUS to remove all the attributes from the replies
bigger than these values, so attributes will remain only if their values are
like we expected to.  

     - Finally, due to the first action, RADIUS will process for a second
time the authorize stage of radiusd.conf. If the word 'files' is
uncommented, RADIUS will try to match the rules in 'users' file.

	As we erased till now all invalid values of the attribute
Session-Timeout, it only leasts to rewrite those replies in which that
attribute isn't there. That's simple, change the first DEFAULT entry of
'users' file that matches your expectations and add 'Session-Timeout =
3600'. The '=' operand ( http://wiki.freeradius.org/Operators ) means "add
the item to the reply list, but only if there is no other item of the same
attribute"

	DEFAULT Auth-Type = System
        Session-Timeout = 3600,
        Fall-Through = 1

Thank you all for your help. I hope it will be useful!
 

MARC MIRANDA PIERNAU
Departameto de Ingeniería
mmiranda at gowex.com
GOWEX, THE WIRELESS EXCHANGE
www.gowex.es
Paseo de la Castellana, 21
Tfno.+34 91 360 14 70
Fax. + 34 91 360 14 71
28046 Madrid

 

-----Mensaje original-----
De: freeradius-users-bounces+mmiranda=iber-x.com at lists.freeradius.org
[mailto:freeradius-users-bounces+mmiranda=iber-x.com at lists.freeradius.org]
En nombre de Stefan Winter
Enviado el: viernes, 11 de mayo de 2007 14:38
Para: FreeRadius users mailing list
Asunto: Re: Trying to apply a simple proxy_reply law

Hi,

how about setting post_proxy_authorize in proxy.conf and then creating rules

for changing the attribute in the "users" file?

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at restena.lu     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473





More information about the Freeradius-Users mailing list