VLAN attribution in an eduroam setting - proxied users

Rui Ribeiro ruyrybeyro at gmail.com
Tue Dec 20 17:29:39 CET 2011


>
> Message: 2
> Date: Tue, 20 Dec 2011 13:22:48 +0100
> From: Stefan Winter <stefan.winter at restena.lu>
> Subject: Re: VLAN attribution in an eduroam setting - proxied users
> To: freeradius-users at lists.freeradius.org
> Message-ID: <4EF07E18.30809 at restena.lu>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hello Rui,
>
>> As for the VLAN attribution whether the user is a roaming user (i.e. goes
>> to a proxy to be authenticated), I have done several tries, without
>> success. Haven't managed to do it through the users file above; my last
>> attempt was trying to set them up in the /etc/freeradius/attrs file
>> with attr_filter.post-proxy, however it seems to interfere with the
>> EAP/password negotiation. The setup is as follows, and I would like to ask
>> for an alternative of where to insert the roaming VLAN.
>>
>> post-proxy {
>>         post_proxy_log
>>         attr_filter.post-proxy     # here <---------------------------
>>         Post-Proxy-Type Fail {
>>                 detail
>>         }
>> }
>
> The attr_filter module only controls what to strip out of the incoming
> reply, it cannot be used to add new attributes. What you specified in
> the file:
>
>>         Tunnel-Type := "VLAN",
>>         Tunnel-Medium-Type := "IEEE-802",
>>         Tunnel-Private-Group-Id := "216",
>
> means: "Only leave these attributes in the reply packet if they have
> exactly these values, otherwise strip them out". That is obviously not
> what you want.
>
> The solution is rather simple with unlang:
>
> post-proxy {
>         post_proxy_log
>         update reply {
>                 Tunnel-Type := "VLAN"
>                 Tunnel-Medium-Type := "IEEE-802"
>                 Tunnel-Private-Group-Id := "216"
>         }
>         Post-Proxy-Type Fail {
>             detail
>         }
> }
>
> (syntax is "free-handed", you should try this on a testing server first)
>
> Greetings,
>
> Stefan Winter
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
> de la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473
>
Stefan,

The point is not being capable of changing them, and in fact I have
tried both unlang and the attrs file -- and the debug information
shows they are indeed changed -- the point is that changing them at
that particular point seems to interfere with EAP/password
negotiation, and I haven't been able to find a specific point to
insert the VLAN quietly with roaming users.

Best regards,
Rui Ribeiro


