Proxy based on request attribute content, not username realm
Alan DeKok
aland at deployingradius.com
Tue Feb 9 17:49:52 CET 2010
Oliver Gorwits wrote:
> I'd welcome some guidance on configuring FreeRADIUS (any version) to
> select a onward proxy server(s) based on a RADIUS request attribute,
> and not the username's realm.
In 2.1.7 and earlier, create a fake realm (e.g. foo.bar.baz), and fill
out the normal home servers, pools, etc. Then do:
authorize {
    ...
    update control {
        Proxy-To-Realm := "foo.bar.baz"
    }
    ...
}
In 2.1.8, you can skip creating the realm. Just create home servers,
pools, and do:
update control {
    Home-Server-Pool := "pool-name"
}
> The specific situation is that it would be useful to proxy based on
> the wireless SSID to which a user is authenticating. In our Cisco
> system, this information comes in via the Called-Station-Id
> attribute of the request packet.
See "man unlang" for generic instructions on creating policies.
authorize {
    ...
    if (Called-Station-Id =~ /foo/) {
        update control {
            ...
        }
    }
    ...
}
> We're open to any kind of solution, including setting dummy realms,
> or using the rlm_perl module, but would appreciate any pointers you
> have, and details on the processing order within FreeRADIUS to make
> sure we set things up properly.
>
> (Yes, it's also possible just to configure different RADIUS servers
> directly on the Cisco system per SSID, but we'd much prefer to have
> one RADIUS configuration there, and proxy onwards from FreeRADIUS.)
Yup. That's usually the safest solution, too.
Alan DeKok.
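A complete 2.1.8-style configuration that ties the two fragments above together (added example, not from the original post or the FreeRADIUS project). The home_server addresses, secrets, pool names and SSIDs are placeholders, and the "<AP-MAC>:<SSID>" layout of Called-Station-Id is an assumption about the Cisco controller that should be checked against a real request in debug output (radiusd -X).

```unlang
# proxy.conf: one upstream server per SSID (addresses/secrets are placeholders).
home_server corp_radius {
    type   = auth
    ipaddr = 192.0.2.10
    port   = 1812
    secret = REPLACE_WITH_SHARED_SECRET
}

home_server guest_radius {
    type   = auth
    ipaddr = 192.0.2.20
    port   = 1812
    secret = REPLACE_WITH_SHARED_SECRET
}

home_server_pool corp-pool {
    type        = fail-over
    home_server = corp_radius
}

home_server_pool guest-pool {
    type        = fail-over
    home_server = guest_radius
}

# sites-enabled/<virtual server the controller talks to>:
authorize {
    preprocess

    # Assumed format: Called-Station-Id = "<AP-MAC>:<SSID>". Match on the
    # trailing ":<SSID>" so "corp-wifi-lab" does not select the corp pool.
    # The SSID is filled in by the controller, not chosen by the client.
    if (Called-Station-Id =~ /:corp-wifi$/) {
        update control {
            Home-Server-Pool := "corp-pool"
        }
    }
    elsif (Called-Station-Id =~ /:guest-wifi$/) {
        update control {
            Home-Server-Pool := "guest-pool"
        }
    }
    else {
        # Unknown or missing SSID: fail closed instead of proxying by accident.
        update reply {
            Reply-Message := "Unknown SSID, request not proxied"
        }
        reject
    }
}
```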