preproxy_users doesn't filter attributes
Michael da Silva Pereira
michael at tradepage.co.za
Mon Jul 7 17:07:41 CEST 2008
Ok this is for anybody else out there having the same question I have
regarding this.
There is no clear way to separate between which requests (from or to
home servers/post-proxy or pre-proxy). So I tried this with success:
Add this to the radiusd.conf, I added this under the "attr_filter {"
line, which is part of the "Modules" section in the config file.
attr_filter preproxy_attrfilter {
attrsfile = ${confdir}/preproxy_attrfilter
}
Then under the pre-proxy section before the "files" line add a line
"preproxy_attrfilter", Or before any custom auth stuff you have in
there. (example:)
pre-proxy {
preproxy_attrfilter
files
pre_proxy_log
}
Then add the filters into the file preproxy_attrfilter in
/etc/freeradius or whatever your config directory is called.
example:
REALM-HERE.com
NAS-IP-Address := xx.xx.xx.xx,
User-Name =* ANY,
User-Password =* ANY,
Calling-Station-Id =* ANY
Thanks,
Mike
Ivan Kalik wrote:
> Because the example is for one in post-proxy section. Try reading again:
>
> http://freeradius.org/radiusd/man/rlm_attr_filter.html
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> Dana 7/7/2008, "Michael da Silva Pereira" <michael at tradepage.co.za>
> piše:
>
>
>> Hi there,
>>
>>
>> It seems this only affects replies from the Home Server going to my NAS.
>> "
>> # attr_filter - filters the attributes received in replies from
>> # proxied servers, to make sure we send back to our RADIUS client
>> # only allowed attributes.
>> attr_filter {
>> attrsfile = ${confdir}/attrs
>> }
>> "
>>
>> I want to filter extra attributes sent from the NAS to the Home Server
>> basically.
>>
>> Thanks,
>> Mike
>>
>>
>> Ivan Kalik wrote:
>>
>>> It does tend to filter attributes when you use attribute filter ;-)
>>>
>>> http://freeradius.org/radiusd/man/rlm_attr_filter.html
>>>
>>> http://wiki.freeradius.org/Attrs
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>>
>>>
>>> Dana 7/7/2008, "Michael da Silva Pereira" <michael at tradepage.co.za>
>>> piše:
>>>
>>>
>>>
>>>> Hi All,
>>>>
>>>> I am wondering if anybody has done this, I'm sure it's actually very
>>>> easy to do, But I'm just not able to get it done :(
>>>>
>>>> I need to filter requests coming from my NAS going to my radius server
>>>> being forwarded to a clients radius server.
>>>> Now I am able to modify and update attributes, even add using
>>>> preproxy_users. but how on earth do I drop the attribute completely?
>>>>
>>>> Currently in preproxy_users:
>>>> DEFAULT Realm == "testrealm.com"
>>>> NAS-IP-Address := 196.3.121.32,
>>>> User-Name =* ANY,
>>>> User-Password =* ANY
>>>>
>>>> Other server still recieves:
>>>> 3GPP2-Correlation-Id
>>>> Calling-Station-Id
>>>> Framed-Protocol
>>>> User-Name
>>>> User-Password
>>>> Service-Type
>>>> NAS-IP-Address
>>>> NAS-Identifier
>>>> Proxy-State
>>>> User-Password
>>>> Client-IP-Address
>>>>
>>>> Kind regards,
>>>> Michael da silva Pereira
>>>> -
>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/usershtml
>>>>
>>>>
>>>>
>>>>
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>>
>>>
>>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>>
>>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080707/d2903a01/attachment.html>
More information about the Freeradius-Users
mailing list