Ascend-Data-Filter with srcip from ippool

Andreas Kalb (akalb) akalb at cisco.com
Mon Mar 31 17:14:16 CEST 2008


Hello Alan,

pls see my response inline "akalb>". Thx for your quick feedback.

Kind Regards,

    Andreas 

-----Original Message-----
From: freeradius-users-bounces+akalb=cisco.com at lists.freeradius.org [mailto:freeradius-users-bounces+akalb=cisco.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Montag, 31. März 2008 16:29
To: FreeRadius users mailing list
Subject: Re: Ascend-Data-Filter with srcip from ippool

Andreas Kalb (akalb) wrote:
> I'm trying to use Ascend-data-filters together with IP-pool
...
> DEFAULT User-Name := "test_...", Cleartext-Password := test
...
>         Ascend-Data-Filter := "ip in forward srcip %{Framed-IP-Address}/32 dstip 1.1.1.2/32"
> 
> The pool is working well, but the filter doesn't:

  Because there's no Framed-IP-Address attribute in the request.  Use %{reply:Framed-IP-Address}.  For version 1.x, this is documented in doc/variables.txt.

akalb> Had a try with:
akalb> 
akalb>    Ascend-Data-Filter := "ip in forward srcip %{reply:Framed-IP-Address}/32 dstip 1.1.1.2/32"
akalb> 
akalb> also, no difference. I expect because of order of modules you mentioned later.

> Login OK: [test_001/test] (from client bb-10k port 808583209)
>   Processing the post-auth section of radiusd.conf
> modcall: entering group post-auth for request 0
...
> rlm_ippool: Allocated ip 172.16.103.107 to client on nas 172.16.1.7,port 808583209

  Which runs after the "files" module.  So the "files" module doesn't have access to the IP address.

akalb> Not sure how to see/change this:
        # Livingston-style 'users' file
        files {
...
      ippool test_pool {
...
        files
        files
...

> Looks like IP is taken from pool after users-file got processed. I 
> wouldn't know how to change that order or where to add the filter then.

  Read the documentation and see the examples.  The modules are processed in the order that they are listed in radiusd.conf.

akalb> I tried to look it up, but was unable so far, sorry. I need to mention that I'm new to FreeRadius at all, sorry.

> Pls let me know whether this should work in some way and how to 
> configure it then?

  It's pretty easy to do in 2.0.  See "man unlang".

  I suggest you upgrade.  What you want to do will be a LOT easier in 2.0.

akalb> I'll do right away.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
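
The ordering fix discussed in this thread, written as a FreeRADIUS 2.0 unlang fragment. This is an added example, not configuration posted by either participant. It assumes the ippool instance is called test_pool as in the excerpt above, that the pool is still selected by the users file entry, and that the Ascend-Data-Filter line has been removed from that entry.

```unlang
# Added example, not from the original thread.
# Assumed layout: the post-auth section of a FreeRADIUS 2.0 server.
post-auth {
	# Allocate the address first, so reply:Framed-IP-Address exists
	# before anything tries to expand it.
	test_pool

	# Build the filter only when an address was actually allocated.
	# Without this guard, a failed allocation would expand the string
	# to "srcip /32", which is not a valid filter.
	if (reply:Framed-IP-Address) {
		update reply {
			Ascend-Data-Filter := "ip in forward srcip %{reply:Framed-IP-Address}/32 dstip 1.1.1.2/32"
		}
	}
}
```

Run the server with radiusd -X and check that the Access-Accept carries an Ascend-Data-Filter whose srcip matches the address rlm_ippool reports as allocated.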



