Attribute filtering

Alan Batie alan at peak.org
Thu Feb 11 21:43:08 CET 2016


I'm having some trouble with attribute filtering:  we're preparing to
move from router assigned ip addressing to radius pool assignment.  For
initial testing, I thought I'd just add a Pool-Name to the user check
items for a few test accounts.  That doesn't work because the
Framed-IP-Address that tells the router to do the assignment is added in
the group reply items, which prevents sqlippool from doing an
assignment.  It's probably possible to do a convoluted sql statement in
the group lookup, but that would be...convoluted.  Our solution was to
just create separate groups for these cases, but I would like to figure
out how to do overrides like this.

What I looked for was an operator to remove an attribute, but that
doesn't seem to exist - you can only add them.

I noticed the attr_filter module, and tried that with:

mods-config/attr_filter/framed_ip_address:

if (&control:Pool-Nmae && &control:Pool-Name != "") {
        Framed-IP-Address !* ANY
}

If I read that module right, it filters out anything that doesn't match
the given patterns, but that doesn't seem to do anything:

(2) Thu Feb 11 12:16:27 2016: Debug: attr_filter.framed_ip_address: EXPAND %{Framed-IP-Address}
(2) Thu Feb 11 12:16:27 2016: Debug: attr_filter.framed_ip_address:    -->
(2) Thu Feb 11 12:16:27 2016: Debug:     [attr_filter.framed_ip_address] = noop

was the debug output in all cases and Framed-IP-Address was left alone.

The only thing that did work was putting this in a perl module:

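use strict;
# Hashes populated by rlm_perl for each request
our (%RAD_CHECK, %RAD_REPLY);
use constant RLM_MODULE_OK => 2;

sub post_auth {
       # Drop the reply address when the user has a Pool-Name check item
       if (defined($RAD_CHECK{'Pool-Name'})) {
           delete $RAD_REPLY{'Framed-IP-Address'};
       }

       return RLM_MODULE_OK;
}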

but using perl seems heavy-handed for a simple task like this, so I'm
wondering what the "approved" mechanism for deleting an attribute is?

Thanks...
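
Added example, not part of the original post: in FreeRADIUS 3.x unlang, an `update` section accepts the `!*` operator, which removes every instance of the named attribute from the list. The placement (in `post-auth`, ahead of `sqlippool`) and the use of the `control` list for Pool-Name are assumptions taken from the setup described above.

```unlang
post-auth {
        # Assumption: Pool-Name was set as a check item, so it is in the
        # control list by the time post-auth runs.
        if (&control:Pool-Name) {
                update reply {
                        # Remove all instances of the attribute; the value
                        # on the right-hand side is ignored for "!*".
                        Framed-IP-Address !* ANY
                }
        }

        # sqlippool now sees no Framed-IP-Address in the reply and can
        # allocate one from the named pool.
        sqlippool
}
```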


