server selection

Alan DeKok aland at deployingradius.com
Fri Jan 9 15:40:02 CET 2009


Norbert Wegener wrote:
>> 	update control {
>> 		Proxy-To-Realm := "%{sql:SELECT ... from.. where %{NAS-IP-Address}"
>> 	}
>>
> OK, but I had not heard about that before, and it does not seem to be a
> topic for the mass media: googling for Proxy-To-Realm gives 94 results.

  It's not well documented...

> In a greater installation there are numerous different rules for VLAN
> assignments. Before applying even the slightest configuration change to
> a production system, I want to make sure that as many different
> configurations as possible have been checked to deliver the attributes
> that they are expected to.
> Obviously a part of those checks can be done using radtest. Running
> radtest with nasip as an argument should therefore bring FreeRADIUS to
> use the server the nasip belongs to, and not the server the machine
> running radtest belongs to.

  Hmm... OK.  That's reasonable, and can be done.  But it may take some
minor effort.

  My $0.02:

- set up one fake realm for each virtual server
- point the realm to a home server pool
- point the home server pool to a home server
- point the home server to the virtual_server

  Then:

- create a "listen" section ONLY for testing
- point it to a "testing" virtual server
- configure a policy to switch over NAS-IP-Address:

	switch "%{NAS-IP-Address}" {
		case 1.2.3.4 {
			update control {
				Proxy-To-Realm = "home_server_foo"
			}
		}

	...

  It's a fair bit of typing, unfortunately.  I can take a look at
poking the code to simplify it a little bit.  I.e., create the listen
section for testing, and then in it, do:

	update control {
		Proxy-To-Virtual-Server :=
			"%{config:client[%{NAS-IP-Address}].virtual_server}"
	}

  i.e. proxy to a virtual server rather than a realm (this isn't
implemented yet).

  Then... look for a "client" section in the configuration, that has a
name matching the NAS-IP-Address of the current packet... and grab the
"virtual_server" configuration from that client section.

> Btw: Is eapol_test *the* tool to do such checks in an automated way for
> EAP/TLS authentications, or is there a better one available?

  It's the best tool by far.  I'm thinking of deleting radeapclient from
the FreeRADIUS source, because it does a lot less.

  Alan DeKok.
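One way to lay out the "fake realm per virtual server" chain Alan sketches above, as an added example that is not part of the original post or of FreeRADIUS's shipped configuration. The names test_foo, pool_foo, vs_foo and testing, the listener port 18120 and the NAS address 1.2.3.4 are assumptions; the radtest invocation follows the tool's own usage line (user, password, server:port, NAS port, secret, ppphint, nasname).

```freeradius
# Added example: one realm -> pool -> home_server chain per production
# virtual server, plus a test-only listener that picks the chain by NAS.

# --- proxy.conf: one chain per production virtual server ---------------
home_server vs_foo {
	# No ipaddr/port: the "proxied" request is handed to this virtual
	# server in-process instead of going out on the wire.
	virtual_server = foo
}

home_server_pool pool_foo {
	type = fail-over
	home_server = vs_foo
}

realm test_foo {
	auth_pool = pool_foo
}

# --- radiusd.conf: a listener used ONLY for testing --------------------
listen {
	type = auth
	ipaddr = 127.0.0.1
	port = 18120
	virtual_server = testing
}

# --- sites-enabled/testing: pick the realm from the claimed NAS --------
server testing {
	authorize {
		switch "%{NAS-IP-Address}" {
			case 1.2.3.4 {
				update control {
					Proxy-To-Realm := "test_foo"
				}
			}
			# Unknown NAS: fail loudly rather than fall through to the
			# default server and produce a misleading test result.
			case {
				reject
			}
		}
	}
}

# Drive it with radtest, passing the NAS address as the last argument so
# NAS-IP-Address is 1.2.3.4 rather than the address of the machine that
# runs radtest (that machine must still be listed in clients.conf):
#   radtest bob hello 127.0.0.1:18120 0 testing123 0 1.2.3.4
```

Each reply then carries the attributes the production virtual server foo would return for a request from 1.2.3.4, which is what the VLAN-assignment checks described above need to compare against.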


