Overriding proxy response

Eric eric at ipergy.net
Sun Oct 4 20:27:25 CEST 2009


Hi All,

Any pointers on how to start hacking the source?

What I need to do is look for MS-CHAP-Error 648 (which means the 
password needs to be changed) and then add a different IP address and 
filter + DNS server information in order for the end-user to be 
redirected to a webserver.

I can't do all of it in rlm_perl because I need to proxy to a windows IAS.

Cheers

John Morrissey wrote:
 > I would like to override failed (rejected, timed out) proxy responses 
with
 > local authentication data. IOW, if the proxy request fails, I want to
 > process the request locally.

   That can't really be done with the current server.  You will need to
hack the source code to get this done.

 > It looks like the proxy reply trumps local 
authorization/authentication, and
 > I can't find a way to override the proxy's response code.

   Yes.  There is usually ONE source for authentication.  Turning a
reject into an accept is a *very* unusual practice.

 > If this was the opposite way (don't proxy for accounts that exist 
locally),
 > it seems I could remove Proxy-To-Realm to prevent proxying.
 >
 > Is there a way to do the opposite (perform proxying and override the 
proxy's
 > response with local auth)?

   No.

   Alan DeKok.



More information about the Freeradius-Users mailing list