Filtering VLAN assignment in eduroam
Josu Gil Arriortua
josu.gil at ehu.es
Wed Nov 25 09:26:43 CET 2015
Hi,
the filtering also does not work in freeradius 2.1.12. Here at our
university we have the same problem with VLAN info and tried the same
solution, filtering out the VLAN attributes via attr_filter ..... our
freeradius are still sending that info out to the proxy.
Our post-proxy:
post-proxy {
        attr_filter.post-proxy
        eap
}
Our attrs:
DEFAULT
        Service-Type == Login-User,
        Framed-MTU >= 576,
        Framed-Filter-ID =* ANY,
        Reply-Message =* ANY,
        Proxy-state =* ANY,
        Port-Limit <= 2,
        MS-MPPE-Recv-Key =* ANY,
        MS-MPPE-Send-Key =* ANY,
        User-Name =* ANY,
        EAP-Message =* ANY,
        Message-Authenticator =* ANY,
        Called-Station-Id =* ANY,
        Calling-Station-Id =* ANY,
        NAS-Port-Type =* ANY,
        NAS-Port =* ANY,
        State =* ANY,
        NAS-IP-Address =* ANY,
        NAS-Identifier =* ANY,
        Proxy-State =* ANY
Any help regarding how to correctly configure it is welcome.
Thanks,
Josu.
2015-11-24 15:48 GMT+01:00 <A.L.M.Buxey at lboro.ac.uk>:
> Hi,
>
> > I'm using freeradius 3.0.10 to authenticate eduroam connections.
> >
> > In my inner server I return attributes to assign VLAN to our
> > internal users and I want these attributes to be filtered when the
> > connection is from an external organization.
>
> then best common practice is to create a new set of virtual servers
> (eg eduroam and eduroam-inner-tunnel) and then any requests from your
> national proxy servers get sent to those instead.....and all that
> set of servers do is authenticate users and don't set VLANs etc - thus
> you have a very easy, controlled policy AND you aren't looking
> up group membership etc etc - whereas what you propose is still looking
> up group membership and then filtering it out (very inefficient!)
>
> alan
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
More information about the Freeradius-Users
mailing list
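
A simplified model of the allow-list matching expressed by the attrs entry posted above, as an added example that is not part of the original message or of FreeRADIUS itself: it shows what that list would keep and drop from a reply that is passed through it. The sample reply, the Tunnel-* attributes (the standard RADIUS VLAN assignment attributes, assumed here to be what the site returns) and the function names are constructed for illustration; only the matching is modelled, not the point in the request flow at which the server calls the module.

```python
# Items from the DEFAULT entry posted above. This model compares names
# case-insensitively because the post spells Proxy-State two ways.
ANY = ("Framed-Filter-ID Reply-Message Proxy-State MS-MPPE-Recv-Key "
       "MS-MPPE-Send-Key User-Name EAP-Message Message-Authenticator "
       "Called-Station-Id Calling-Station-Id NAS-Port-Type NAS-Port State "
       "NAS-IP-Address NAS-Identifier").split()
FILTER = {name.lower(): ("=*", None) for name in ANY}
FILTER.update({"service-type": ("==", "Login-User"),
               "framed-mtu": (">=", 576), "port-limit": ("<=", 2)})

def item_matches(op, want, got):
    """Evaluate one filter item against an attribute value."""
    if op == "=*":            # attribute is allowed with any value
        return True
    if op == "==":
        return str(got) == str(want)
    if op == ">=":
        return int(got) >= int(want)
    if op == "<=":
        return int(got) <= int(want)
    raise ValueError(f"unsupported operator {op!r}")

def apply_filter(reply):
    """Split (name, value) pairs into kept and dropped lists."""
    kept, dropped = [], []
    for name, value in reply:
        rule = FILTER.get(name.lower())
        if rule and item_matches(rule[0], rule[1], value):
            kept.append((name, value))
        else:                 # not listed, or listed but comparison failed
            dropped.append((name, value))
    return kept, dropped

# Constructed Access-Accept; the Tunnel-* values are assumed VLAN attributes.
SAMPLE_REPLY = [
    ("User-Name", "user@example.org"),
    ("Tunnel-Type", "VLAN"),
    ("Tunnel-Medium-Type", "IEEE-802"),
    ("Tunnel-Private-Group-Id", "42"),
    ("Framed-MTU", 1400),
    ("Port-Limit", 5),
    ("EAP-Message", "0x03010004"),
]

if __name__ == "__main__":
    kept, dropped = apply_filter(SAMPLE_REPLY)
    print("kept:   ", [n for n, _ in kept])
    print("dropped:", [n for n, _ in dropped])
```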