Proxying to a virtual server through unlang?

Arnaud Loonstra arnaud at
Tue Jan 3 08:40:22 CET 2012

Hi All,

I'm trying to get into the unlang world since it seems really powerful 
but I can't get my hands around a simple virtual server switching scenario.

I basically want to switch to a virtual server based on some attributes, 
Service-Type for instance. This is because on some network hardware I 
can't add a radius server for every type of authentication. So 
everything (802.1x, mac-auth, prompt auth goes to the same server)

I found a thread suggesting to do the following:

authorize {
	switch "Service-Type" {
		#MAC authentication
		case 'Call-Check' {
			update control {
		#NAS console authentication
		case 'NAS-Prompt-User' {
			update control {

This works as the debug logs shows:
# Executing section authorize from file 

However it only executes the authorize section of the nas-auth virtual 

I could create realms for the virtual servers and proxy to them by
using Proxy-To-Realm := "mac-auth" instead of the server[] directive. 
But I kind of liked the minimal unlang approach. Is there any good way 
of accomplishing this purely with unlang or is it still best to use the 
proxying approach using realms?

Here's a log of the process. As you can see it only issues the authorize 
section of the nas-auth virtual server as apposed to going through the 
full server when using Proxy-To-Realm.

rad_recv: Access-Request packet from host port 1025, id=152, 
	User-Name = "testusr"
	User-Password = "testpwd"
	NAS-IP-Address =
	NAS-Identifier = "ST-AN07258-412"
	NAS-Port-Type = Virtual
	Service-Type = NAS-Prompt-User
	Message-Authenticator = 0x63ee5e1b0f7b81e883780f9e57c2941c
# Executing section authorize from file 
+- entering group authorize {...}
++[preprocess] returns ok
++- entering switch Service-Type {...}
+++- entering case NAS-Prompt-User {...}
server nas-auth { # nested call
# Executing section authorize from file 
+- entering group authorize {...}
++? if (Service-Type == 'NAS-Prompt-User')
? Evaluating (Service-Type == 'NAS-Prompt-User') -> TRUE
++? if (Service-Type == 'NAS-Prompt-User') -> TRUE
++- entering if (Service-Type == 'NAS-Prompt-User') {...}
[edir-ldap] performing user authorization for testusr
[edir-ldap] 	expand: %{Stripped-User-Name} ->
[edir-ldap] 	... expanding second conditional
[edir-ldap] 	expand: %{User-Name} -> testusr
[edir-ldap] 	expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> 
[edir-ldap] 	expand: ou=users,o=radius -> ou=users,o=radius
   [edir-ldap] ldap_get_conn: Checking Id: 0
   [edir-ldap] ldap_get_conn: Got Id: 0
   [edir-ldap] performing search in ou=users,o=radius, with filter 
[edir-ldap] checking if remote access for testusr is allowed by cn
[edir-ldap] Added the eDirectory password testpwd in check items as 
[edir-ldap] No default NMAS login sequence
[edir-ldap] looking for check items in directory...
[edir-ldap] looking for reply items in directory...
[edir-ldap] user testusr authorized to use remote access
   [edir-ldap] ldap_release_conn: Release Id: 0
+++[edir-ldap] returns ok
++- if (Service-Type == 'NAS-Prompt-User') returns ok
++ ... skipping else for request 4: Preceding "if" was taken
} # server nas-auth with nested call
++++[server[nas-auth]] returns ok
+++- case NAS-Prompt-User returns ok
++- switch Service-Type returns ok
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
Login OK: [testusr] (from client primary-network port 0)
# Executing section post-auth from file 
+- entering group post-auth {...}
++[exec] returns noop
++? if ("%{request:Calling-Station-Id}" =~ 
	expand: %{request:Calling-Station-Id} ->
? Evaluating ("%{request:Calling-Station-Id}" =~ 
++? if ("%{request:Calling-Station-Id}" =~ 
) -> FALSE
++[callingstationid2vlanid] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
++[reply] returns notfound
Sending Access-Accept of id 152 to port 1025
	Service-Type = Framed-User
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "132"


Concordiastraat 67A
3551 EM Utrecht
The Netherlands

More information about the Freeradius-Users mailing list