Proxying VMPS requests

Phil Mayers p.mayers at imperial.ac.uk
Wed Feb 6 16:56:52 CET 2008


I'm looking at using FreeRadius 2.0.1 to merge our old VMPS switches 
into the radius-based (SQL-backed) MAC auth.

For various reasons, the easiest thing for me would be to proxy the VMPS 
requests as PAP to our existing mac auth servers.

The comments in raddb/sites-available/vmps imply that the packets can be 
proxied, but I'm not seeing that:

# VMPS server
server vmps {
         listen {
                 # FIXME: should be .202 for production
                 ipaddr = 192.168.x.y
                 port = 1589
                 type = vmps
         }

         #  And the REAL contents.  This section is just like the
         #  "post-auth" section of radiusd.conf.  In fact, it calls the
         #  "post-auth" component of the modules that are listed here.
         #  But it's called "vmps" to highlight that it's for VMPS.
         vmps {
                 # we cheat, and proxy to the MACAUTH radius servers
                 update control {
                         Proxy-To-Realm := "MACAUTH"
                 }
         }

         post-proxy {
                 # FIXME: log to sql_log actually
                 detail
         }
}


Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on vmps address 155.198.63.122 port 1589 as server vmps
Ready to process requests.
         VMPS-Packet-Type = VMPS-Join-Request
         VMPS-Error-Code = VMPS-No-Error
         VMPS-Sequence-Number = 234881024
         VMPS-Client-IP-Address = 155.198.51.130
         VMPS-Port-Name = "4 "
         VMPS-VLAN-Name = "--NONE--"
         VMPS-Domain-Name = "HOR-PG"
         VMPS-Unknown = 0x00
         VMPS-MAC = 00:1b:24:a1:cf:2e
server vmps {
Doing VMPS
Done VMPS
} # server vmps
Failed encoding packet: Failed to find VQP-Packet-Type in response packet
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
Waking up in 3.9 seconds.
Cleaning up request 0 ID 234881024 with timestamp +1
Ready to process requests.

Looking at the source code, it seems the vmps code only runs the 
post-auth section and doesn't check any control variables, so 
Proxy-To-Realm is unlikely to work.

If this is intentional, could we remove the comments about proxying and 
pre/post proxy from sites-available/vmps?

Is there any reason the code doesn't run:

authorize
then either
   post-auth
or
   pre-proxy
   post-proxy
   post-auth

?


