Add VSA in pre-proxy stage

[Alan DeKok]

On Sep 11, 2020, at 10:06 AM, Arnaud LAURIOU <arnaud.lauriou at renater.fr> wrote:
> 
> Hello,
> 
> I'm trying to add a VSA in an Access-Request before proxing it to an authentification RADIUS server.
> 
> I use this attribute definition :
> BEGIN-VENDOR    FreeRADIUS      format=Extended-Vendor-Specific-1
> ATTRIBUTE       FreeRADIUS-Eduroam-Prevent-Loop         1 integer
> END-VENDOR      FreeRADIUS

  Please don't use VSAs you don't control.  We will likely add our own definitions which conflict with this one.

  If you do need custom VSAs, just use a custom vendor number, and create your own dictionary.  i.e. use a vendor number like 32000.  Which is used by someone, but 99.99% not for RADIUS.  So it's mostly OK.

> 
> I add this VSA in the pre-proxy stage, but I get :
> (0)   # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default
> (0)     pre-proxy {
> ...
> (0)       if (!FreeRADIUS-Eduroam-Prevent-Loop) {
> (0)       if (!FreeRADIUS-Eduroam-Prevent-Loop)  -> TRUE
> (0)       if (!FreeRADIUS-Eduroam-Prevent-Loop)  {
> (0)         update request {

$ man unlang

	update proxy-request { 
		...

  :)

> (0)           &FreeRADIUS-Eduroam-Prevent-Loop := 1
> (0)         } # update request = noop
> (0)       } # if (!FreeRADIUS-Eduroam-Prevent-Loop)  = noop
> (0)       ... skipping else: Preceding "if" was taken
> 
> Why is the return state of this update to 'noop' ? I shoud not get a 'ok' or 'updated' return state ?

  Nope.  Reasons for that are complex, but it's fine.

  Alan DeKok.