Wipe existing reply attributes in rlm_files

Alan DeKok aland at deployingradius.com
Sat Oct 2 13:37:00 CEST 2010


Brian Candler wrote:
> Partly it's policy. We configure as much of this logic in users files as
> possible, because they can be updated without needing to restart radiusd.

  That's what databases are for.  And the virtual servers are reloaded
on HUP, too, just like the "users" file.

> But in future it will be a necessity. The project I'm working on involves
> authenticating users based on some attribute which identifies their physical
> location, not their User-Name.  So decisions you might have made in the past
> solely based on realm and NAS-IP (e.g. tunnel to X) have to be made after a
> database lookup.

  Exactly...

> That database lookup may add reply attributes, which will be needed by the
> terminating LNS, but not when tunnel switching.  So if the database
> identifies the user as category X, *and* the request comes from NAS-IP Y,
> then we have to strip the reply attributes and replace with tunnelling ones.

  That is nearly always the *wrong* thing to do.  It makes no sense to
add something, realize you got it wrong, and then replace it with
something else.

  Instead, just figure out the logic so that only the right things are
added in the right situation.  It will be simpler and easier to understand.

  10+ years of experience is behind that opinion.

  Alan DeKok.
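The approach Alan recommends, deciding up front which reply attributes belong in each situation instead of adding them and stripping them again, can be expressed directly in a virtual server's authorize section. The fragment below is an added illustration, not from this thread or from the FreeRADIUS project; the control attribute User-Category, the category value "X", the sql module populating it, and the NAS and LNS addresses 192.0.2.10 and 192.0.2.20 are all assumptions made for the example.

```unlang
# Added example (not from the thread or the FreeRADIUS project).
# Assumption: the sql module has already done the database lookup keyed on
# the location attribute and set control:User-Category from the result.
# "X", 192.0.2.10 (tunnel-switching NAS) and 192.0.2.20 (LNS) are placeholders.

authorize {
    preprocess
    sql

    if (control:User-Category == "X" && NAS-IP-Address == 192.0.2.10) {
        # Tunnel-switching case: add only the tunnelling attributes.
        # The per-user reply attributes are never added here, so there is
        # nothing to wipe afterwards.
        update reply {
            Tunnel-Type := L2TP
            Tunnel-Medium-Type := IP
            Tunnel-Server-Endpoint := "192.0.2.20"
        }
    }
    else {
        # Terminating case: the "users" file (rlm_files) supplies the reply
        # attributes the LNS needs, and only in this branch.
        files
    }
}
```

Each branch adds exactly the attributes that branch needs, so the decision is readable in one place and no later step has to undo an earlier one. Attribute names and the module instance names (sql, files) follow the standard FreeRADIUS dictionaries and default configuration; anything site-specific above is a placeholder.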


