Directing request to virtual server

David Aldwinckle daldwinc at uwaterloo.ca
Thu Jan 16 17:33:47 CET 2014


Hi All,

I have a NAS that sends two types of Access-Requests. They are VPN login (AnyConnect or IPSec), and CLI access for the NAS. I’m trying to direct the VPN requests into the virtual server “vpn”. I would like CLI requests to be handled by realm DEFAULT, so I’m trying to catch everything that doesn’t fit that category and direct it elsewhere.

Here is an example of a request:

---------------------------------
Tue Oct 22 07:50:46 2013 : Debug: [<thread>] Received Access-Request packet from host <redacted> port 1025, id=24, length=185
Tue Oct 22 07:50:46 2013 : Debug: [<thread>] User-Name = ""
Tue Oct 22 07:50:46 2013 : Debug: [<thread>] User-Password =
Tue Oct 22 07:50:46 2013 : Debug: [<thread>] NAS-Port = 229748736
Tue Oct 22 07:50:46 2013 : Debug: [<thread>] Called-Station-Id = "<redacted>"
Tue Oct 22 07:50:46 2013 : Debug: [<thread>] Calling-Station-Id = "<redacted>"
Tue Oct 22 07:50:46 2013 : Debug: [<thread>] NAS-Port-Type = Virtual
Tue Oct 22 07:50:46 2013 : Debug: [<thread>] Tunnel-Client-Endpoint:0 = "<redacted>"
Tue Oct 22 07:50:46 2013 : Debug: [<thread>] NAS-IP-Address = <redacted>
Tue Oct 22 07:50:46 2013 : Debug: [<thread>] Cisco-AVPair = "ip:source-ip=<redacted>"
Tue Oct 22 07:50:46 2013 : Debug: [<thread>] Vendor-3076-Attr-146 = 0xxxxx
Tue Oct 22 07:50:46 2013 : Debug: [<thread>] Vendor-3076-Attr-150 = 0xxxxx
----------------------------------

What I am interested to know is if my way of accomplishing this task is efficient, or if there is a better way. I’m working on porting my configs to 3.0 and am striving for efficiency and simplicity.


I’ve added the two nameless attributes to /etc/raddb/dictionary

# Vendor-specific attributes have to be declared inside a vendor block; a bare
# "ATTRIBUTE ... 146" would define standard attribute 146, not the
# Vendor-3076-Attr-146 seen in the debug output. Vendor name matches the one
# FreeRADIUS's shipped dictionary uses for vendor id 3076.
VENDOR          Cisco-VPN3000   3076
BEGIN-VENDOR    Cisco-VPN3000
ATTRIBUTE       CPVN3000-Tunnel-Group-Name              146     string
ATTRIBUTE       CPVN3000-Client-Type                    150     string
END-VENDOR      Cisco-VPN3000


I created hints for each possible value of "CPVN3000-Tunnel-Group-Name"


/etc/raddb/hints


DEFAULT         CPVN3000-Tunnel-Group-Name == "staff", Strip-User-Name = Yes
                Hint = "VPN"

DEFAULT         CPVN3000-Tunnel-Group-Name == "guest", Strip-User-Name = Yes
                Hint = "VPN"


In /etc/raddb/users…


DEFAULT         Hint == "VPN", Proxy-To-Realm := "VPN_REALM"


And finally, in /etc/raddb/proxy.conf


# section keyword is lower-case "realm"; "Realm" is not recognised
realm VPN_REALM {
        virtual_server = "vpn"
}



How does that look?


Regards,

Dave
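As an added example (not part of the original post or of FreeRADIUS's own configuration), the same routing expressed directly in the 3.0 `authorize` section of the default virtual server, which makes the hints and users lookups unnecessary. It assumes the CPVN3000-Tunnel-Group-Name attribute is defined as above and that the VPN_REALM realm from proxy.conf exists.

```unlang
# sites-enabled/default, authorize section (added example, not from the post)
authorize {
        # VPN logins carry the tunnel-group VSA, CLI logins do not,
        # so CLI requests fall through to realm DEFAULT untouched.
        if ((&CPVN3000-Tunnel-Group-Name == "staff") || (&CPVN3000-Tunnel-Group-Name == "guest")) {
                update control {
                        # realm VPN_REALM has virtual_server = "vpn"
                        &Proxy-To-Realm := "VPN_REALM"
                }
        }
        # A tunnel group outside the expected set should not be quietly
        # treated as CLI access; refuse it so it shows up in the logs.
        elsif (&CPVN3000-Tunnel-Group-Name) {
                reject
        }

        # ... remainder of the shipped authorize section unchanged
}
```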



