Freeradius-Proxied-To, radrelay and 2.0
Milan Holub
holub at thenet.ch
Fri May 25 14:58:30 CEST 2007
Hi Alan & others,
On Mon, May 21, 2007 at 04:57:51PM +0200, Alan Dekok wrote:
> Milan Holub wrote:
> > I wonder whether there is any use for Freeradius-Proxied-To attribute
> > with freeradius 2.0.
>
> It should be there for backwards compatibility, but there are likely
> better ways of achieving the same result.
>
> > Now when I'm relaying some accounting packets to my freeradius server
> > using radrelay binary from 1.1.6 and there is a packet which has
> > already "Freeradius-Proxied-To" attribute set then freeradius 2.0(cvs head)
> > just ignores it and tries to proxy the packet to remote home server.
>
> See src/modules/rlm_realm/rlm_realm.c. That code needs to be fixed.
>
> > Would it be possible that 2.0 also honors the Freeradius-Proxied-To
> > attribute as in 1.X?
>
> That *is* the idea.
>
==> my humble attempt to add the backwards compatibility for
Freeradius-Proxied-To attribute:
Index: src/modules/rlm_realm/rlm_realm.c
===================================================================
RCS file: /source/radiusd/src/modules/rlm_realm/rlm_realm.c,v
retrieving revision 1.66
diff -u -r1.66 rlm_realm.c
--- src/modules/rlm_realm/rlm_realm.c 20 Apr 2007 14:31:30 -0000 1.66
+++ src/modules/rlm_realm/rlm_realm.c 25 May 2007 12:48:08 -0000
@@ -64,6 +64,7 @@
char *ptr;
VALUE_PAIR *vp;
REALM *realm;
+ lrad_ipaddr_t my_ipaddr;
struct realm_config_t *inst = instance;
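Review bot: my_ipaddr is declared here without an initializer, and the only fields the later hunk sets before passing its address to home_server_find() are af and ipaddr.ip4addr. Zero the structure before filling it (for example with memset) so that any other bytes the lookup reads are defined. A name that says what the address is, such as proxied_to, would also read better than my_ipaddr.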
@@ -241,12 +242,18 @@
*/
vp = pairfind(request->packet->vps, PW_FREERADIUS_PROXIED_TO);
if (vp) {
-#if 0
/*
* FIXME: HOME SERVER
*
* What the heck is this code doing, and why?
*/
+ my_ipaddr.af = AF_INET;
+ my_ipaddr.ipaddr.ip4addr = vp->data.ipaddr;
+ if (home_server_find(&my_ipaddr, request->packet->dst_port)) {
+ DEBUG2(" rlm_realm: Request not proxied due to Freeradius-Proxied-To");
+ return 0;
+ }
+#if 0
if (request->packet->code == PW_AUTHENTICATION_REQUEST &&
vp->vp_ipaddr == realm->home_auth->ipaddr.ipaddr.ip4addr.s_addr) {
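Review bot: the lookup home_server_find(&my_ipaddr, request->packet->dst_port) keys on the port this request was received on, not on the port of the server named in Freeradius-Proxied-To, so it only matches when that home server listens on the same port as this one. Match on the address against the home server configured for the packet type, as the disabled comparison against realm->home_auth below does, or obtain the port from the home server configuration. Two smaller points: the new assignment writes vp->data.ipaddr to ip4addr, while the existing comparison uses vp->vp_ipaddr and ip4addr.s_addr, so assign vp->vp_ipaddr to the .s_addr member for consistency; and with #if 0 moved down, the "FIXME: HOME SERVER" comment now sits above the new code rather than the disabled block it describes, so it should move with the #if 0 or be replaced by a comment explaining the new check.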
==> It works well for me (an incoming accounting/authorization packet containing
Freeradius-Proxied-To is no longer sent to the IP present as the value of the
attribute); this might not work for home servers which listen on
non-standard ports (due to dst_port being passed in to the home_server_find
function)
==> the patch might be useful for setups where some home_servers are
already FR 2.0 but some of them are still FR 1.X
==> could you comment, Alan?
Milan Holub
holub (at) thenet (dot) ch
--------------------------------------
TheNet-Internet Services AG,
im Bernertechnopark, Morgenstr. 129
CH-3018, Bern, Switzerland
031 998 4333, Fax 031 998 4330
http://www.thenet.ch
http://wlan.thenet.ch
--------------------------------------