pre-proxy ?
Iliya Peregoudov
iperegudov at cboss.ru
Thu Mar 19 07:40:59 CET 2015
On 18.03.2015 17:24, Olivier CALVANO wrote:
> there is no one who needed to change the IP of the NAS to the proxy L2TP?
Noone doing that because that is just plain wrong.
It's completely unclear now what are you going to achieve by making
random changes in random places of your server config.
You've started by stating that you need to tell supplier NAS to
establish compulsory tunnel toward customer NAS. This can be done by
adding Tunnel-Server-Endpoint into Access-Accept when proxying it back
from customer home server to supplier proxy server (in post-proxy section).
Now you've realised that NAS-IP-Address of Access-Request should be
modified when proxying it forward from supplier proxy server to customer
home server. Why do you think this is necessary?
> 2015-03-18 13:11 GMT+01:00 Olivier CALVANO <o.calvano at gmail.com>:
>
>> ok, i have added to raddb/sites-available/default :
>>
>> if ("%{Packet-Src-IP-Address}" == "192.168.10.100") {
>> update request {
>> NAS-IP-Address := "172.17.10.250"
>> }
>> }
>>
>>
>> but no change ;=)
>>
>> i receive the request of my suplier:
>>
>> rad_recv: Access-Request packet from host 192.168.10.100 port 45471,
>> id=48, length=175
>> Proxy-State = 0x78d027c7
>> User-Name = "test at customer.myrealm"
>> Acct-Session-Id = "0305322696"
>> CHAP-Password = 0x2begedk88395d0b869e1b950292
>> Calling-Station-Id = "#BSPUT116#DSMIC109,1#105#50"
>> NAS-Port-Type = ADSL-DMT
>> NAS-Port = 1097400370
>> NAS-IP-Address = 193.xx.xx.177
>> Called-Station-Id = "DSL_MAX2"
>> CHAP-Challenge = 0x3c405f155fhjs8kdjf411ee9861627
>> Proxy-State = 0x313532
>>
>> after i have :
>>
>> +group pre-proxy {
>> ++? if ("%{Packet-Src-IP-Address}" == "192.168.10.100")
>> expand: %{Packet-Src-IP-Address} -> 192.168.10.100
>> ? Evaluating ("%{Packet-Src-IP-Address}" == "192.168.10.100") -> TRUE
>> ++? if ("%{Packet-Src-IP-Address}" == "192.168.10.100") -> TRUE
>> ++if ("%{Packet-Src-IP-Address}" == "192.168.10.100") {
>> +++update request {
>> +++} # update request = noop
>> ++} # if ("%{Packet-Src-IP-Address}" == "192.168.10.100") = noop
>> +} # group pre-proxy = noop
>>
>> and he sent the request to the proxy of my customer:
>>
>> Sending Access-Request of id 24 to 1x.Xx.Xx.8 port 1812
>> Proxy-State = 0x78d027cc
>> User-Name = "test at customer.myrealm"
>> Acct-Session-Id = "0305322889"
>> CHAP-Password = 0x3c405f155fhjs8kdjf411ee9861627
>> Calling-Station-Id = "#BSPUT116#DSMIC109,1#105#50"
>> NAS-Port-Type = ADSL-DMT
>> NAS-Port = 1097400370
>> NAS-IP-Address = 193.xx.xx.177
>> NAS-Identifier = "BSPUT116"
>> Called-Station-Id = "DSL_MAX2"
>> CHAP-Challenge =0x3c405f155fhjs8kdjf411ee9861627
>> Proxy-State = 0x313537
>> Message-Authenticator := 0x00000000000000000000000000000000
>> Proxy-State = 0x3732
>>
>>
>> he don't have change the NAS-IP-Address
>> a error of me ?
>>
>>
>> and if i want add to the "if" the realm:
>>
>> if (("%{Packet-Src-IP-Address}" == "192.168.10.100") && (Realm =~
>> /customer.myrealm/)) {
>>
>> that's work for username at customer.myrealm and subdomaine ?
>> (username at demo.customer.myrealm)
>>
>>
>> regards
>> Olivier
>>
>>
>>
>> 2015-03-18 11:59 GMT+01:00 Iliya Peregoudov <iperegudov at cboss.ru>:
>>
>>> On 18.03.2015 10:35, Olivier CALVANO wrote:
>>>
>>>> Thanks for your return.
>>>>
>>>> not exactly, because the NAS of my suplier can't interact directly with
>>>> the
>>>> NAS of my customer. this has to go through my Cisco NAS.
>>>>
>>>> in the file proxy.conf, we can add a pre proxy action ?
>>>> pre-proxy and post-proxy are managed in that file?
>>>>
>>>
>>> Pre-proxy section is used to modify request received from RADIUS client
>>> (e.g NAS or downstream proxy server) before sending it to home server.
>>> Post-proxy section is used to modify response received from home server
>>> before sending it back to RADIUS client. Both pre-proxy section and
>>> post-proxy section are configured in raddb/sites-available/default.
>>>
>>>
>>> 2015-03-18 7:59 GMT+01:00 Iliya Peregoudov <iperegudov at cboss.ru>:
>>>>
>>>> If I understand correctly there are supplier NAS, supplier proxy server,
>>>>> your proxy server, customer proxy server and customer NAS. Your goal is
>>>>> to
>>>>> make supplier NAS to establish compulsory tunnel to customer NAS.
>>>>>
>>>>> CPE========Suplier NAS==================Customer NAS=====Customer net
>>>>> | |
>>>>> Supplier Your Customer
>>>>> proxy server----proxy server----home server
>>>>>
>>>>> Your proxy server should first proxy Access-Request from supplier proxy
>>>>> server to customer home server, then wait for customer home server
>>>>> response, then add Tunnel-Server-Endpoint attribute to the response and
>>>>> proxy the response back to supplier proxy server. This can be done in
>>>>> post-proxy section.
>>>>>
>>>>> When supplier NAS receive Access-Accept with Tunnel-Server-Endpoint it
>>>>> will establish compulsory tunnel to customer NAS. Customer NAS will send
>>>>> Access-Request to customer home server. There is no apparent reason for
>>>>> customer NAS to send Access-Request to your proxy server instead.
>>>>>
>>>>>
>>>>>
>>>>> On 18.03.2015 9:10, Olivier CALVANO wrote:
>>>>>
>>>>> Hi
>>>>>>
>>>>>> I am new in Freeradius and i am search a small help.
>>>>>>
>>>>>>
>>>>>> - I receive a Radius Access request of the radius of my supplier.
>>>>>> this Radius have the ip address 192.168.10.100
>>>>>>
>>>>>> - Based on the realm, i forward the request to my customer.
>>>>>>
>>>>>> i want add in the process a action before sent the request to my
>>>>>> customer.
>>>>>>
>>>>>> Actually i have:
>>>>>>
>>>>>> in proxy.conf
>>>>>>
>>>>>> home_server rad-auth-primaire-1.customer_realm.myrealm {
>>>>>> type = auth
>>>>>> ipaddr = 172.16.1.1
>>>>>> port = 1812
>>>>>> secret = password
>>>>>> require_message_authenticator = yes
>>>>>> response_window = 20
>>>>>> zombie_period = 40
>>>>>> status_check = status-server
>>>>>> check_interval = 20
>>>>>> num_answers_to_alive = 3
>>>>>> }
>>>>>>
>>>>>>
>>>>>> home_server_pool pool-auth.customer_realm.myrealm {
>>>>>> type = fail-over
>>>>>> home_server = rad-auth-primaire-1.customer_realm.myrealm
>>>>>> home_server = rad-auth-secondaire-1.customer_realm.myrealm
>>>>>> }
>>>>>>
>>>>>>
>>>>>> realm "~(customer_realm.myrealm)" {
>>>>>> auth_pool = pool-auth.customer_realm.myrealm
>>>>>> nostrip
>>>>>> }
>>>>>>
>>>>>>
>>>>>> i want add this action:
>>>>>>
>>>>>> Before sent the access request to my customer, i want that my radius
>>>>>> answer
>>>>>> to the
>>>>>> radius server of my supplier a Access-Accept with a:
>>>>>> Tunnel-Server-Endpoint:0 = "172.17.10.250"
>>>>>>
>>>>>> With this information, my supplier sent the tunnel to 172.17.10.250,
>>>>>> it's
>>>>>> a
>>>>>> Cisco router, when i receive the tunnel he sent a access request to my
>>>>>> radius and i want that my radius forward the request to the radius
>>>>>> server
>>>>>> of my customer with a :
>>>>>> NAS-IP-Address = 172.17.10.250
>>>>>>
>>>>>> It's possible ?
>>>>>>
>>>>>> CPE Customer ==> My_Cisco_172.17.10.250 ==> Cisco of my Customer
>>>>>> (replied
>>>>>> in radius tunnel end point)
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> I don't know what file i modify for this, policy.conf ? other ?
>>>>>>
>>>>>> very very new ;=)
>>>>>>
>>>>>> thanks for your help
>>>>>> Olivier
>>>>>> -
>>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>>>>>> list/users.html
>>>>>>
>>>>>>
>>>>>> -
>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>>>>> list/users.html
>>>>>
>>>> -
>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>>>> list/users.html
>>>>
>>>>
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>>> list/users.html
>>>
>>
>>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
More information about the Freeradius-Users
mailing list