preproxy_users doesn't filter attributes

Michael da Silva Pereira michael at tradepage.co.za
Mon Jul 7 17:07:41 CEST 2008


OK, this is for anybody else out there having the same question I have 
regarding this.
There is no clear way to distinguish between requests (from or to 
home servers / post-proxy or pre-proxy), so I tried this with success:

Add this to radiusd.conf; I added it under the "attr_filter {" 
line, which is part of the "Modules" section in the config file.
attr_filter preproxy_attrfilter {
                attrsfile = ${confdir}/preproxy_attrfilter
}

Then, under the pre-proxy section, add a line "preproxy_attrfilter" 
before the "files" line, or before any custom auth stuff you have in 
there (example):
pre-proxy {
        preproxy_attrfilter
        files
        pre_proxy_log
}

Then add the filters into the file preproxy_attrfilter in 
/etc/freeradius or whatever your config directory is called.

example:

REALM-HERE.com
    NAS-IP-Address := xx.xx.xx.xx,
    User-Name =* ANY,
    User-Password =* ANY,
    Calling-Station-Id =* ANY


Thanks,
Mike

Ivan Kalik wrote:
> Because the example is for one in post-proxy section. Try reading again:
>
> http://freeradius.org/radiusd/man/rlm_attr_filter.html
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 7/7/2008, "Michael da Silva Pereira" <michael at tradepage.co.za>
> wrote:
>
>   
>> Hi there,
>>
>>
>> It seems this only affects replies from the Home Server going to my NAS.
>> "
>>        # attr_filter - filters the attributes received in replies from
>>        # proxied servers, to make sure we send back to our RADIUS client
>>        # only allowed attributes.
>>        attr_filter {
>>                attrsfile = ${confdir}/attrs
>>        }
>> "
>>
>> I want to filter extra attributes sent from the NAS to the Home Server 
>> basically.
>>
>> Thanks,
>> Mike
>>
>>
>> Ivan Kalik wrote:
>>     
>>> It does tend to filter attributes when you use attribute filter ;-)
>>>
>>> http://freeradius.org/radiusd/man/rlm_attr_filter.html
>>>
>>> http://wiki.freeradius.org/Attrs
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>>
>>>
>>> On 7/7/2008, "Michael da Silva Pereira" <michael at tradepage.co.za>
>>> wrote:
>>>
>>>   
>>>       
>>>> Hi All,
>>>>
>>>> I am wondering if anybody has done this, I'm sure it's actually very
>>>> easy to do, But I'm just not able to get it done :(
>>>>
>>>> I need to filter requests coming from my NAS going to my radius server
>>>> being forwarded to a clients radius server.
>>>> Now I am able to modify and update attributes, even add using
>>>> preproxy_users. but how on earth do I drop the attribute completely?
>>>>
>>>> Currently in preproxy_users:
>>>> DEFAULT Realm == "testrealm.com"
>>>>    NAS-IP-Address := 196.3.121.32,
>>>>    User-Name =* ANY,
>>>>    User-Password =* ANY
>>>>
>>>> Other server still receives:
>>>> 3GPP2-Correlation-Id
>>>> Calling-Station-Id
>>>> Framed-Protocol
>>>> User-Name
>>>> User-Password
>>>> Service-Type
>>>> NAS-IP-Address
>>>> NAS-Identifier
>>>> Proxy-State
>>>> User-Password
>>>> Client-IP-Address
>>>>
>>>> Kind regards,
>>>> Michael da silva Pereira
>>>> -
>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>   
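
Added example (not part of the original thread, and not FreeRADIUS code): a simplified Python model of how a filter entry shaped like the one in the post treats a request before it is proxied. It goes slightly beyond the post by modelling the documented meaning of ":=" (always placed in the output, overwriting any existing value) and "=*" (allow any value); the realm, address and attribute values are constructed.

```python
# Added example: simplified model of one attr_filter entry, not FreeRADIUS code.
# Assumption: only the ':=' and '=*' operators used in the post are modelled.

FILTER_ENTRY = """\
example.com
    NAS-IP-Address := 192.0.2.10,
    User-Name =* ANY,
    User-Password =* ANY,
    Calling-Station-Id =* ANY
"""  # constructed realm and address, same shape as the entry in the post

REQUEST = {  # constructed values; attribute names are taken from the thread
    "3GPP2-Correlation-Id": "abc123",
    "Calling-Station-Id": "0215550100",
    "Framed-Protocol": "PPP",
    "User-Name": "bob@example.com",
    "User-Password": "secret",
    "Service-Type": "Framed-User",
    "NAS-IP-Address": "10.1.2.3",
    "NAS-Identifier": "nas01",
}

def parse_entry(text):
    """Return (realm, {attribute: (operator, value)}) for one filter entry."""
    lines = [ln.strip().rstrip(",") for ln in text.splitlines() if ln.strip()]
    rules = {}
    for line in lines[1:]:
        attr, op, value = line.split(None, 2)
        if op not in (":=", "=*"):
            raise ValueError(f"operator {op!r} is outside this model")
        rules[attr] = (op, value)
    return lines[0], rules

def apply_filter(request, rules):
    """Return (kept, dropped) for a request whose realm matched the entry."""
    # ':=' items always go to the output with the configured value.
    kept = {a: v for a, (op, v) in rules.items() if op == ":="}
    dropped = []
    for attr, value in request.items():
        op = rules.get(attr, (None, None))[0]
        if op == "=*":          # listed with '=* ANY': passes with any value
            kept[attr] = value
        elif op != ":=":        # not listed at all: removed from the request
            dropped.append(attr)
    return kept, sorted(dropped)

if __name__ == "__main__":
    realm, rules = parse_entry(FILTER_ENTRY)
    kept, dropped = apply_filter(REQUEST, rules)
    print(realm, "keeps", sorted(kept), "and drops", dropped)
```
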
