How to set User-Profile for roaming (proxied) users
    Alan DeKok 
    aland at deployingradius.com
       
    Fri Jul 18 05:31:44 CEST 2014
    
    
  
Jonathan wrote:
> - I'm running Freeradius 2.2.5 with local users in SQL database
> - We have roaming users utilizing our network infrastructure, but these
> users do not exist in our own local database and need to be proxied for
> authentication/accounting
> - normal proxying and authentication/accounting is going well.

  That's all good.

> Setup: Roaming user <-> OUR_INFRA+RADIUS <-> ROAMING_RADIUS
> 
> Since it's an international roaming agreement, I have configured a
> catch-all REALM which does not match our own, to be sent there:
> 
> realm "~.+$" {
>         pool                    = ROAMING
>         nostrip
> }

  Hmm... why?  The DEFAULT realm exists for precisely this purpose.  See
raddb/proxy.conf.

> I now want to assign a user-profile for these users so that I can
> pre-authorize them using our own policies.

  OK.  The User-Profile in FreeRADIUS isn't used for much.  Maybe LDAP,
IIRC.

> For example:
> 
> 1) roaming is only allowed on weekends and weektime during evenings
> 2) per user, only 1 roaming session is allowed
> 3) per user volume limiting based on a user-profile for this roaming
> agreement (User-Profile := "roaming")
> 
> I've tried both methods below to set this in the authorize section as
> follows:
> 
> authorize {
> ...
>  sql
>  if (notfound) {
>   update control {
>     User-Profile := "roaming"
>   }
>  }
> }

  What do you expect that to do?  All it does is set an attribute.  It
doesn't do anything *else* with it.

> realm "~.+$" {
>         pool                    = ROAMING
>         nostrip
>   update control {
>     User-Profile := "roaming"
>  }
> }

  That won't work.  No documentation says you can put an "update"
section into a "realm" configuration.

> but none are working, I've also tried proxy-request and request as
> update statements.

  Why?

> How can I assign profiles to roaming users who do not exist in our local
> database for authentication, but are accounted for locally?

  You don't assign "profiles", for one.  You can't just set
"User-Profile = roaming" and expect tons of things to magically start
working.  You have to configure each thing individually.  Then, put them
all together.

  i.e. if you don't use the "User-Profile" attribute for *local* users,
setting it for roaming users won't do anything.

  So for your list above, you've got to check

(1), in the "authorize" section, after the "suffix" module:

  if (realm == DEFAULT && time is weekend or evening) {
      reject
  }

  See "man unlang" for syntax.  See the logintime module for how to
check dates and time ranges.

(2) Set "Simultaneous-Use = 1" for all the roaming users.

(3) volume limiting isn't in standard RADIUS.  See your NAS
documentation for how to configure it.

  Alan DeKok.
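
An added example, not part of the original message and not FreeRADIUS's shipped configuration: one way to wire up items (1) and (2) from the list above on FreeRADIUS 2.x. It assumes roaming users land in a DEFAULT realm in raddb/proxy.conf, that "evening" means 18:00-23:59, and that session state is kept by the "sql" module.

```conf
# Virtual server fragment (FreeRADIUS 2.x), e.g. raddb/sites-available/default
authorize {
    preprocess
    suffix          # sets Realm; users matching no local realm get "DEFAULT"

    # Roaming users only: attach per-request check items.  Unlike
    # User-Profile, these are attributes that modules actually act on.
    if (Realm == "DEFAULT") {
        update control {
            # (1) Allowed window: Mon-Fri evenings, all of Sat and Sun.
            #     The 18:00-23:59 range is an assumed definition of "evening".
            Login-Time := "Wk1800-2359,Sa,Su"

            # (2) At most one concurrent session per user.
            Simultaneous-Use := 1
        }
    }

    # Rejects the request here, before it is proxied, when the current
    # time falls outside control:Login-Time.
    logintime

    sql
    # remaining authorize modules unchanged
}

session {
    # Simultaneous-Use is enforced against recorded sessions, so local
    # accounting must be working and the simultaneous-use count query
    # must be enabled in the SQL module's query configuration.
    sql
}
```

Run the server with "radiusd -X" and send a test Access-Request for a roaming user outside the allowed window to confirm the reject is issued locally and nothing is proxied.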