On Thu, Mar 13, 2003 at 11:54:22AM -0500, freeradius mailing list wrote:
> Now, what I want to do is make it change the realm that is added based on
> an attribute that comes in. So maybe something like.

I have a solution but it is not very clean and I only tested it with
freeradius 0.8.1, so I'm looking forward to hearing about other solutions.

First, the users file:

----- cut -----
DEFAULT Called-Station-Id == 1005, Proxy-To-Realm := plop
        Realm = plop, Fall-Through = Yes

DEFAULT Called-Station-Id == 1006, Proxy-To-Realm := plop
        Realm = plop, Fall-Through = Yes

DEFAULT NAS-IP-Address == 192.168.100.153
        Cisco-AVPair = Framed-Pool, Fall-Through = Yes
----- cut -----

Please note that Realm will not be fixed in the proxified packet there, it
is only useful for internal use (see below).

Then the acct_users file (pretty much the same):

----- cut -----
DEFAULT Called-Station-Id == 1005, Proxy-To-Realm := plop
        Realm = plop, Fall-Through = Yes

DEFAULT Called-Station-Id == 1006, Proxy-To-Realm := plop
        Realm = plop, Fall-Through = Yes
----- cut -----

And the radiusd.conf file:

----- cut -----
... snipped ...
modules {
        attr_rewrite force_username {
                attribute = User-Name
                searchin = packet
                searchfor = NULL
                replacewith = "[EMAIL PROTECTED]:Realm}"
                append = no
                new_attribute = no
                max_matches = 1
        }
        attr_rewrite tweak_cisco {
                attribute = Cisco-AVPair
                searchin = reply
                searchfor = "Framed-Pool"
                replacewith = "ip:addr-pool=%{reply:Framed-Pool}"
                append = no
                new_attribute = no
                max_matches = 1
        }
        ... snipped ...
}
instantiate {
}
pre_proxy {
}
post_proxy {
}
authorize {
        suffix
        files
        force_username
        tweak_cisco
}
authenticate {
}
preacct {
        suffix
        files
        force_username
}
accounting {
}
----- cut -----

With this configuration here is what happens:

- requests coming from Called Number 1005 or 1006 are proxified to the
  realm plop
- requests coming from the NAS 192.168.100.153 obtain a new attribute
  Cisco-AVPair
- before sending the request to the proxy, User-Name is set to
  [EMAIL PROTECTED] if it was NULL (empty)
- when replies are back, if an attribute Cisco-AVPair exists and contains
  Framed-Pool it is replaced with a weird VSA attribute invented by cisco
  (because AS5300 doesn't handle Framed-Pool).

Now, please, don't ask me:

- why the force_username occurs before proxifying and the tweak_cisco
  after proxifying;
- if it will work with cvs or a new version of freeradius;

Because I don't have any idea...

And if someone has comments or ideas about improving this, please feel
free to share ;)

--
Christophe.
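
Added example, not part of the original message and not FreeRADIUS code: a simplified Python model of how the users-file entries above are matched, useful for checking which requests would be proxied to which realm before deploying such rules. It assumes only the `==`, `:=` and `=` operators and `Fall-Through`; the names `parse_users` and `evaluate` are hypothetical.

```python
import re

# Constructed copy of the users-file entries from the message above.
USERS = """\
DEFAULT Called-Station-Id == 1005, Proxy-To-Realm := plop
        Realm = plop, Fall-Through = Yes
DEFAULT Called-Station-Id == 1006, Proxy-To-Realm := plop
        Realm = plop, Fall-Through = Yes
DEFAULT NAS-IP-Address == 192.168.100.153
        Cisco-AVPair = Framed-Pool, Fall-Through = Yes
"""

# One "Attribute op value" item, terminated by a comma or end of line.
ITEM = re.compile(r"\s*([\w-]+)\s*(==|:=|=)\s*([^,]+?)\s*(?:,|$)")

def parse_users(text):
    """Return a list of entries: (name, check_items, reply_items)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():             # indented line: reply items
            entries[-1][2].extend(ITEM.findall(line))
        else:                             # new entry: name, then check items
            name, _, rest = line.partition(" ")
            entries.append((name, ITEM.findall(rest), []))
    return entries

def evaluate(entries, request):
    """Apply entries in file order; return (control, reply) dicts."""
    control, reply = {}, {}
    for name, checks, replies in entries:
        if name not in ("DEFAULT", request.get("User-Name")):
            continue
        # '==' is compared against the request; ':=' always matches.
        if any(op == "==" and request.get(a) != v for a, op, v in checks):
            continue
        control.update({a: v for a, op, v in checks if op == ":="})
        fall_through = False
        for attr, op, value in replies:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            elif op == ":=":
                reply[attr] = value           # ':=' replaces
            else:
                reply.setdefault(attr, value)  # '=' adds only if absent
        if not fall_through:
            break                         # first match without Fall-Through wins
    return control, reply
```

Calling `evaluate(parse_users(USERS), {"Called-Station-Id": "1005"})` shows the request being steered to realm plop; a request with any other called number gets no `Proxy-To-Realm` and is handled locally.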