Filtering VLAN assignment in eduroam

Angel L. Mateo amateo at
Tue Nov 24 14:01:18 CET 2015


	I'm using freeradius 3.0.10 to authenticate eduroam connections.

	In my inner server I return attributes to assign a VLAN to our internal 
users and I want these attributes to be filtered when the connection is 
from an external organization.

	So in the outer server I have:

   post-proxy {

	and in the file I have:

         Service-Type == Framed-User,
         Service-Type == Login-User,
         Login-Service == Telnet,
         Login-Service == Rlogin,
         Login-Service == TCP-Clear,
         Login-TCP-Port <= 65536,
         Framed-IP-Address ==,
         Framed-IP-Netmask ==,
         Framed-Protocol == PPP,
         Framed-Protocol == SLIP,
         Framed-Compression == Van-Jacobson-TCP-IP,
         Framed-MTU >= 576,
         Framed-Filter-ID =* ANY,
         Reply-Message =* ANY,
         Proxy-State =* ANY,
         EAP-Message =* ANY,
         Message-Authenticator =* ANY,
         MS-MPPE-Recv-Key =* ANY,
         MS-MPPE-Send-Key =* ANY,
         MS-CHAP-MPPE-Keys =* ANY,
         State =* ANY,
         Session-Timeout <= 28800,
         Idle-Timeout <= 600,
         Calling-Station-Id =* ANY,
         Operator-Name =* ANY,
         Port-Limit <= 2,
         GSS-Acceptor-Service-Name =* ANY,
         GSS-Acceptor-Host-Name =* ANY,
         GSS-Acceptor-Service-Specifics =* ANY,
         GSS-Acceptor-Realm-Name =* ANY,
         SAML-AAA-Assertion =* ANY,
         EAP-Channel-Binding-Message =* ANY

	According to the attr_filter documentation, if I don't have the 
Tunnel-Private-Group-Id in this file, then the attribute should be 
filtered, shouldn't it?

	But, the attribute is not being filtered. It is returned to my upper 
radius server.

	Any help?

Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
Tel: 868887590
Fax: 868888337
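
An added example, not part of the original post and not FreeRADIUS code: a simplified Python model of the allow-list behaviour the post expects from attr_filter, run against a constructed reply. The rule subset, the sample reply values and the all-rules-must-pass assumption are illustrative; the model shows only what the list would do to a packet it is applied to, not whether the module runs for that packet.

```python
import re

# Constructed sample: single-rule entries copied from the filter list quoted above.
FILTER_TEXT = """
Framed-MTU >= 576,
Reply-Message =* ANY,
EAP-Message =* ANY,
MS-MPPE-Recv-Key =* ANY,
MS-MPPE-Send-Key =* ANY,
Session-Timeout <= 28800,
Idle-Timeout <= 600
"""

# Comparison operators that appear in the quoted list.
OPS = {
    "=*": lambda have, want: True,               # any value is accepted
    "==": lambda have, want: str(have) == want,
    "<=": lambda have, want: int(have) <= int(want),
    ">=": lambda have, want: int(have) >= int(want),
}
RULE = re.compile(r"^\s*([\w-]+)\s*(=\*|==|<=|>=)\s*(\S+?),?\s*$")

def parse_rules(text):
    """Return {attribute: [(operator, value), ...]} from filter lines."""
    rules = {}
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            rules.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return rules

def apply_filter(rules, reply):
    """Split reply pairs into (kept, dropped) under allow-list semantics."""
    kept, dropped = [], []
    for name, value in reply:
        checks = rules.get(name, [])
        # Assumption: an unlisted attribute is dropped, and a listed one
        # must pass every rule written for it.
        ok = bool(checks) and all(OPS[op](value, want) for op, want in checks)
        (kept if ok else dropped).append((name, value))
    return kept, dropped

# Constructed reply carrying VLAN assignment attributes (values are made up).
SAMPLE_REPLY = [
    ("Session-Timeout", 3600), ("Idle-Timeout", 900),
    ("Tunnel-Type", "VLAN"), ("Tunnel-Medium-Type", "IEEE-802"),
    ("Tunnel-Private-Group-Id", "120"), ("EAP-Message", "0x0301"),
]

if __name__ == "__main__":
    kept, dropped = apply_filter(parse_rules(FILTER_TEXT), SAMPLE_REPLY)
    print("kept:   ", [n for n, _ in kept])
    print("dropped:", [n for n, _ in dropped])
```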
