Filtering VLAN assignment in eduroam
Angel L. Mateo
amateo at um.es
Tue Nov 24 14:01:18 CET 2015
Hello,
I'm using freeradius 3.0.10 to authenticate eduroam connections.
In my inner server I return attributes to assign VLAN to our internal
users and I want these attributes to be filtered when the connection is
from an external organization.
So in the outer server I have:
post-proxy {
        eduroam_log
        files_eduroam_outer.authorize
        attr_filter.post-proxy
}
and in the attr_filter.post-proxy file I have:
DEFAULT
        Service-Type == Framed-User,
        Service-Type == Login-User,
        Login-Service == Telnet,
        Login-Service == Rlogin,
        Login-Service == TCP-Clear,
        Login-TCP-Port <= 65536,
        Framed-IP-Address == 255.255.255.254,
        Framed-IP-Netmask == 255.255.255.255,
        Framed-Protocol == PPP,
        Framed-Protocol == SLIP,
        Framed-Compression == Van-Jacobson-TCP-IP,
        Framed-MTU >= 576,
        Framed-Filter-ID =* ANY,
        Reply-Message =* ANY,
        Proxy-State =* ANY,
        EAP-Message =* ANY,
        Message-Authenticator =* ANY,
        MS-MPPE-Recv-Key =* ANY,
        MS-MPPE-Send-Key =* ANY,
        MS-CHAP-MPPE-Keys =* ANY,
        State =* ANY,
        Session-Timeout <= 28800,
        Idle-Timeout <= 600,
        Calling-Station-Id =* ANY,
        Operator-Name =* ANY,
        Port-Limit <= 2,
        GSS-Acceptor-Service-Name =* ANY,
        GSS-Acceptor-Host-Name =* ANY,
        GSS-Acceptor-Service-Specifics =* ANY,
        GSS-Acceptor-Realm-Name =* ANY,
        SAML-AAA-Assertion =* ANY,
        EAP-Channel-Binding-Message =* ANY
According to the attr_filter documentation, if I don't have the
Tunnel-Private-Group-Id in this file, then the attribute should be
filtered, shouldn't it?
But the attribute is not being filtered. It is returned to my upper
radius server.
Any help?
--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 868888337