Proxying VMPS requests
Phil Mayers
p.mayers at imperial.ac.uk
Wed Feb 6 17:54:27 CET 2008
A.L.M.Buxey at lboro.ac.uk wrote:
> hi,
>
> we use FR with the VMPS module - and I can see the gotchas
> with trying to run it through some of the other modules.

I'm sure there are some, but I can't rationalise them out for myself;
what are they? Or do you mean that some modules obviously won't work on
VMPS requests?

Obviously for proxying you'd need to sanitise the packet first:

server vmps {
    authorize {
        # copy the VMPS attributes into their RADIUS equivalents
        update request {
            NAS-IP-Address = "%{VMPS-Client-IP-Address}"
            NAS-Port = "%{VMPS-Port}"
            Calling-Station-Id = "%{VMPS-MAC}"
        }
        # blah blah
        preprocess
        files
        # maybe proxy
        if (My-Attr == "remote") {
            update control {
                Proxy-To-Realm := "remote"
            }
        }
    }
    pre-proxy {
        detail
    }
    post-auth {
        sql_log
    }
}

>
> what we have is the VMPS calling post-auth - which runs
> a PERL module. the PERL module does our dirty work (check
> validity, return the correct VLAN etc) - but there's
> no reason why PERL or Python etc couldn't be used to query
> your MACAUTH server instead (?)

Sure; in fact, I've got this working:

vmps {
    # look up the zone in our database
    update request {
        ICzone = "%{sql:select ... where mac='%{VMPS-MAC}'}"
    }
    if (ICzone == "blah") {
        # some site-specific stuff
    }
    # build the VMPS reply: the zone becomes the VLAN name
    update reply {
        VMPS-Packet-Type = VMPS-Join-Response
        VMPS-VLAN-Name = "%{ICzone}"
        VMPS-Cookie = "%{VMPS-MAC}"
    }
    # log to sql
    sql_log
}

I merely mention it because the sites-available does say the request can
be proxied, and in fact it looks like it cannot. But it's not a big
problem by any means.