pre-proxy ?

Olivier CALVANO o.calvano at gmail.com
Thu Mar 19 15:10:12 CET 2015


I managed to do what I wanted; now the RADIUS attributes look good.


thanks

2015-03-19 7:40 GMT+01:00 Iliya Peregoudov <iperegudov at cboss.ru>:

> On 18.03.2015 17:24, Olivier CALVANO wrote:
>
>> Is there no one who has needed to change the IP of the NAS to the L2TP proxy?
>>
>
> No one is doing that, because that is just plain wrong.
>
> It's completely unclear now what you are going to achieve by making random
> changes in random places of your server config.
>
> You've started by stating that you need to tell the supplier NAS to establish
> a compulsory tunnel toward the customer NAS. This can be done by adding
> Tunnel-Server-Endpoint into the Access-Accept when proxying it back from the
> customer home server to the supplier proxy server (in the post-proxy section).
>
> Now you've realised that the NAS-IP-Address of the Access-Request should be
> modified when proxying it forward from the supplier proxy server to the
> customer home server. Why do you think this is necessary?
>
>
>> 2015-03-18 13:11 GMT+01:00 Olivier CALVANO <o.calvano at gmail.com>:
>>
>>> OK, I have added to raddb/sites-available/default:
>>>
>>>          if ("%{Packet-Src-IP-Address}" == "192.168.10.100") {
>>>                  update request {
>>>                          NAS-IP-Address := "172.17.10.250"
>>>                  }
>>>          }
>>>
>>>
>>> but no change ;=)
>>>
>>> I receive the request from my supplier:
>>>
>>> rad_recv: Access-Request packet from host 192.168.10.100 port 45471,
>>> id=48, length=175
>>>          Proxy-State = 0x78d027c7
>>>          User-Name = "test at customer.myrealm"
>>>          Acct-Session-Id = "0305322696"
>>>          CHAP-Password = 0x2begedk88395d0b869e1b950292
>>>          Calling-Station-Id = "#BSPUT116#DSMIC109,1#105#50"
>>>          NAS-Port-Type = ADSL-DMT
>>>          NAS-Port = 1097400370
>>>          NAS-IP-Address = 193.xx.xx.177
>>>          Called-Station-Id = "DSL_MAX2"
>>>          CHAP-Challenge = 0x3c405f155fhjs8kdjf411ee9861627
>>>          Proxy-State = 0x313532
>>>
>>> after that I have:
>>>
>>> +group pre-proxy {
>>> ++? if ("%{Packet-Src-IP-Address}" == "192.168.10.100")
>>>          expand: %{Packet-Src-IP-Address} -> 192.168.10.100
>>> ? Evaluating ("%{Packet-Src-IP-Address}" == "192.168.10.100") -> TRUE
>>> ++? if ("%{Packet-Src-IP-Address}" == "192.168.10.100") -> TRUE
>>> ++if ("%{Packet-Src-IP-Address}" == "192.168.10.100") {
>>> +++update request {
>>> +++} # update request = noop
>>> ++} # if ("%{Packet-Src-IP-Address}" == "192.168.10.100") = noop
>>> +} # group pre-proxy = noop
>>>
>>> and it sends the request to the proxy of my customer:
>>>
>>> Sending Access-Request of id 24 to 1x.Xx.Xx.8 port 1812
>>>          Proxy-State = 0x78d027cc
>>>          User-Name = "test at customer.myrealm"
>>>          Acct-Session-Id = "0305322889"
>>>          CHAP-Password = 0x3c405f155fhjs8kdjf411ee9861627
>>>          Calling-Station-Id = "#BSPUT116#DSMIC109,1#105#50"
>>>          NAS-Port-Type = ADSL-DMT
>>>          NAS-Port = 1097400370
>>>          NAS-IP-Address = 193.xx.xx.177
>>>          NAS-Identifier = "BSPUT116"
>>>          Called-Station-Id = "DSL_MAX2"
>>>          CHAP-Challenge =0x3c405f155fhjs8kdjf411ee9861627
>>>          Proxy-State = 0x313537
>>>          Message-Authenticator := 0x00000000000000000000000000000000
>>>          Proxy-State = 0x3732
>>>
>>>
>>> It didn't change the NAS-IP-Address.
>>> An error of mine?
>>>
>>>
>>> And if I want to add the realm to the "if":
>>>
>>> if (("%{Packet-Src-IP-Address}" == "192.168.10.100") && (Realm =~ /customer.myrealm/)) {
>>>
>>> Does that work for username at customer.myrealm and for subdomains
>>> (username at demo.customer.myrealm)?
>>>
>>>
>>> regards
>>> Olivier
>>>
>>>
>>>
>>> 2015-03-18 11:59 GMT+01:00 Iliya Peregoudov <iperegudov at cboss.ru>:
>>>
>>>> On 18.03.2015 10:35, Olivier CALVANO wrote:
>>>>
>>>>> Thanks for your reply.
>>>>> Not exactly, because the NAS of my supplier can't interact directly
>>>>> with the NAS of my customer. This has to go through my Cisco NAS.
>>>>>
>>>>> In the file proxy.conf, can we add a pre-proxy action? Are pre-proxy
>>>>> and post-proxy managed in that file?
>>>>>
>>>>>
>>>> The pre-proxy section is used to modify the request received from the
>>>> RADIUS client (e.g. a NAS or a downstream proxy server) before sending it
>>>> to the home server. The post-proxy section is used to modify the response
>>>> received from the home server before sending it back to the RADIUS client.
>>>> Both the pre-proxy section and the post-proxy section are configured in
>>>> raddb/sites-available/default.
>>>>
>>>>
>>>>> 2015-03-18 7:59 GMT+01:00 Iliya Peregoudov <iperegudov at cboss.ru>:
>>>>>
>>>>>> If I understand correctly there are supplier NAS, supplier proxy
>>>>>> server, your proxy server, customer proxy server and customer NAS.
>>>>>> Your goal is to make the supplier NAS establish a compulsory tunnel to
>>>>>> the customer NAS.
>>>>>>
>>>>>> CPE========Supplier NAS=================Customer NAS=====Customer net
>>>>>>                  |                             |
>>>>>>              Supplier         Your          Customer
>>>>>>            proxy server----proxy server----home server
>>>>>>
>>>>>> Your proxy server should first proxy the Access-Request from the
>>>>>> supplier proxy server to the customer home server, then wait for the
>>>>>> customer home server's response, then add the Tunnel-Server-Endpoint
>>>>>> attribute to the response and proxy the response back to the supplier
>>>>>> proxy server. This can be done in the post-proxy section.
>>>>>>
>>>>>> When the supplier NAS receives an Access-Accept with
>>>>>> Tunnel-Server-Endpoint it will establish a compulsory tunnel to the
>>>>>> customer NAS. The customer NAS will send its Access-Request to the
>>>>>> customer home server. There is no apparent reason for the customer NAS
>>>>>> to send the Access-Request to your proxy server instead.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 18.03.2015 9:10, Olivier CALVANO wrote:
>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> I am new to FreeRADIUS and I am looking for a little help.
>>>>>>>
>>>>>>>
>>>>>>> - I receive a RADIUS Access-Request from the RADIUS server of my
>>>>>>> supplier. This RADIUS server has the IP address 192.168.10.100.
>>>>>>>
>>>>>>> - Based on the realm, I forward the request to my customer.
>>>>>>>
>>>>>>> I want to add to the process an action before sending the request to
>>>>>>> my customer.
>>>>>>>
>>>>>>> Actually, I have:
>>>>>>>
>>>>>>> in proxy.conf
>>>>>>>
>>>>>>> home_server rad-auth-primaire-1.customer_realm.myrealm {
>>>>>>>            type            = auth
>>>>>>>            ipaddr          = 172.16.1.1
>>>>>>>            port            = 1812
>>>>>>>            secret          = password
>>>>>>>            require_message_authenticator = yes
>>>>>>>            response_window = 20
>>>>>>>            zombie_period   = 40
>>>>>>>            status_check    = status-server
>>>>>>>            check_interval  = 20
>>>>>>>            num_answers_to_alive = 3
>>>>>>> }
>>>>>>>
>>>>>>>
>>>>>>> home_server_pool pool-auth.customer_realm.myrealm {
>>>>>>>            type = fail-over
>>>>>>>            home_server = rad-auth-primaire-1.customer_realm.myrealm
>>>>>>>            home_server = rad-auth-secondaire-1.customer_realm.myrealm
>>>>>>> }
>>>>>>>
>>>>>>>
>>>>>>> realm "~(customer_realm.myrealm)" {
>>>>>>>            auth_pool = pool-auth.customer_realm.myrealm
>>>>>>>            nostrip
>>>>>>> }
>>>>>>>
>>>>>>>
>>>>>>> I want to add this action:
>>>>>>>
>>>>>>> Before sending the Access-Request to my customer, I want my RADIUS
>>>>>>> server to answer the RADIUS server of my supplier with an
>>>>>>> Access-Accept containing:
>>>>>>>        Tunnel-Server-Endpoint:0 = "172.17.10.250"
>>>>>>>
>>>>>>> With this information, my supplier sends the tunnel to 172.17.10.250,
>>>>>>> which is a Cisco router; when I receive the tunnel it sends an
>>>>>>> Access-Request to my RADIUS server, and I want my RADIUS server to
>>>>>>> forward the request to the RADIUS server of my customer with:
>>>>>>>        NAS-IP-Address = 172.17.10.250
>>>>>>>
>>>>>>> Is it possible?
>>>>>>>
>>>>>>> CPE Customer ==> My_Cisco_172.17.10.250 ==> Cisco of my Customer
>>>>>>> (replied in RADIUS tunnel endpoint)
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I don't know which file I should modify for this: policy.conf? Another?
>>>>>>>
>>>>>>> very very new ;=)
>>>>>>>
>>>>>>> thanks for your help
>>>>>>> Olivier
>>>>>>> -
>>>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>>>>>>> list/users.html
>>>>>>>
>>>>>>>
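Added example (not from the thread, and not FreeRADIUS's shipped configuration): the pre-proxy and post-proxy sections that Iliya describes above, written out for raddb/sites-available/default in FreeRADIUS 2.x/3.0-style unlang. It assumes the addresses used in the thread (192.168.10.100 for the supplier's proxy, 172.17.10.250 for the Cisco NAS), the proxy-request and proxy-reply list names from the unlang manual, and that the customer realm is recognised by the suffix of User-Name rather than by the Realm attribute.

```unlang
# Added example for raddb/sites-available/default (not the thread's config).
# Addresses and realm names are the ones used in the thread.

pre-proxy {
        # Rewrite only packets that came from the supplier's proxy and that
        # belong to the customer's realm. The anchored regex matches
        # user@customer.myrealm and any subdomain such as
        # user@demo.customer.myrealm, but not user@notcustomer.myrealm.
        # An unanchored /customer.myrealm/ would match any User-Name that
        # merely contains those characters, with "." matching anything.
        if (("%{Packet-Src-IP-Address}" == "192.168.10.100") && (User-Name =~ /@(.+\.)?customer\.myrealm$/)) {
                # The packet sent to the home server is a copy of the request
                # made before this section runs, so the attribute has to be
                # changed in proxy-request; "update request" would not touch
                # the outgoing packet.
                update proxy-request {
                        # Address of the Cisco NAS that will terminate the
                        # tunnel. The home server will no longer see the
                        # originating NAS; if you need it for audit, log
                        # %{NAS-IP-Address} before this point.
                        NAS-IP-Address := "172.17.10.250"
                }
        }
}

post-proxy {
        # Runs once the home server has answered. proxy-reply is that answer;
        # reply is what goes back to the supplier's proxy, and attributes
        # added to reply here are sent together with the home server's.
        if ("%{Packet-Src-IP-Address}" == "192.168.10.100") {
                update reply {
                        # Tell the supplier NAS where to terminate the
                        # compulsory L2TP tunnel.
                        Tunnel-Server-Endpoint:0 := "172.17.10.250"
                }
        }
}
```

The list name in pre-proxy is the point that matters: the proxied packet is copied from the request before pre-proxy runs, so "update request" changes only the server's own copy, which is consistent with the debug output in the thread, where the condition evaluates TRUE yet the outgoing NAS-IP-Address is unchanged. If Tunnel-Server-Endpoint must only ever appear in an Access-Accept, guard the post-proxy update with a check on the proxied reply's packet type in the form your version supports.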

