On Thu, Mar 13, 2003 at 11:54:22AM -0500, freeradius mailing list wrote:
> Now, what I want to do is make it change the realm that is added based on
> an attribute that comes in. So maybe something like.
I have a solution but it is not very clean and I only tested it with
freeradius 0.8.1, so I'm looking forward to hearing about other solutions.
First, the users file:
----- cut -----
DEFAULT Called-Station-Id == 1005, Proxy-To-Realm := plop
        Realm = plop,
        Fall-Through = Yes
DEFAULT Called-Station-Id == 1006, Proxy-To-Realm := plop
        Realm = plop,
        Fall-Through = Yes
DEFAULT NAS-IP-Address == 192.168.100.153
        Cisco-AVPair = Framed-Pool,
        Fall-Through = Yes
----- cut -----
Please note that Realm will not be fixed in the proxied packet there;
it is only useful for internal use (see below).
Then the acct_users file (pretty much the same):
----- cut -----
DEFAULT Called-Station-Id == 1005, Proxy-To-Realm := plop
        Realm = plop,
        Fall-Through = Yes
DEFAULT Called-Station-Id == 1006, Proxy-To-Realm := plop
        Realm = plop,
        Fall-Through = Yes
----- cut -----
And the radiusd.conf file:
----- cut -----
... snipped ...
modules {
        attr_rewrite force_username {
                attribute = User-Name
                searchin = packet
                searchfor = NULL
                replacewith = "[EMAIL PROTECTED]:Realm}"
                append = no
                new_attribute = no
                max_matches = 1
        }
        attr_rewrite tweak_cisco {
                attribute = Cisco-AVPair
                searchin = reply
                searchfor = "Framed-Pool"
                replacewith = "ip:addr-pool=%{reply:Framed-Pool}"
                append = no
                new_attribute = no
                max_matches = 1
        }
        ... snipped ...
}
instantiate {
}
pre_proxy {
}
post_proxy {
}
authorize {
        suffix
        files
        force_username
        tweak_cisco
}
authenticate {
}
preacct {
        suffix
        files
        force_username
}
accounting {
}
----- cut -----
With this configuration, here is what happens:
- requests coming from Called Number 1005 or 1006 are proxied to the
realm plop
- requests coming from the NAS 192.168.100.153 obtain a new attribute
Cisco-AVPair
- before sending the request to the proxy, User-Name is set to
[EMAIL PROTECTED] if it was NULL (empty)
- when replies are back, if an attribute Cisco-AVPair exists and
contains Framed-Pool, it is replaced with a weird VSA attribute
invented by Cisco (because the AS5300 doesn't handle Framed-Pool).
Now, please, don't ask me:
- why the force_username occurs before proxying and the tweak_cisco
after proxying;
- if it will work with CVS or a newer version of freeradius;
because I don't have any idea...
And if someone has comments or ideas about improving this, please feel
free to share ;)
--
Christophe.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
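The following is an added illustration of the processing the mail describes; it is not FreeRADIUS code and not part of the original post. It models the users-file DEFAULT entries (check items on the first line, `:=` control items, reply items on the following lines, Fall-Through letting later entries also apply), then the two attr_rewrite steps in the order of the authorize section. Three things are assumptions of this model rather than facts from the mail: the left-hand part of the rewritten User-Name is a placeholder (`anonymous`) because the archive redacted it, the Realm value is read from the reply list where the users file placed it, and the Framed-Pool attribute that tweak_cisco expands is taken from a constructed home-server reply.

```python
"""Model of the users-file matching and attr_rewrite steps from the mail.

Added example, not FreeRADIUS code. Assumptions: the User-Name placeholder
'anonymous' (redacted in the archive), Realm read from the reply list, and
Framed-Pool supplied by a constructed home-server reply.
"""

from dataclasses import dataclass, field


@dataclass
class Entry:
    """One users-file entry: check items (all must match), control items
    (':=' on the first line, e.g. Proxy-To-Realm), reply items, Fall-Through."""
    check: dict
    control: dict = field(default_factory=dict)
    reply: dict = field(default_factory=dict)
    fall_through: bool = False


# Constructed copy of the three DEFAULT entries from the mail's users file.
USERS = [
    Entry({"Called-Station-Id": "1005"}, {"Proxy-To-Realm": "plop"}, {"Realm": "plop"}, True),
    Entry({"Called-Station-Id": "1006"}, {"Proxy-To-Realm": "plop"}, {"Realm": "plop"}, True),
    Entry({"NAS-IP-Address": "192.168.100.153"}, {}, {"Cisco-AVPair": "Framed-Pool"}, True),
]


def files(request, users=USERS):
    """Apply entries in order; stop after the first match unless it says Fall-Through."""
    control, reply = {}, {}
    for entry in users:
        if all(request.get(k) == v for k, v in entry.check.items()):
            control.update(entry.control)
            reply.update(entry.reply)
            if not entry.fall_through:
                break
    return control, reply


def force_username(request, reply, placeholder="anonymous"):
    """attr_rewrite force_username: an empty User-Name becomes
    '<placeholder>@<Realm>'. 'anonymous' stands in for the redacted value;
    Realm is assumed to come from the reply list (where the users file put it)."""
    if not request.get("User-Name"):
        realm = reply.get("Realm")
        if realm:
            request["User-Name"] = f"{placeholder}@{realm}"
    return request


def tweak_cisco(reply):
    """attr_rewrite tweak_cisco: a reply Cisco-AVPair of 'Framed-Pool' is
    replaced by the Cisco VSA form 'ip:addr-pool=<reply Framed-Pool>'."""
    if reply.get("Cisco-AVPair") == "Framed-Pool" and "Framed-Pool" in reply:
        reply["Cisco-AVPair"] = "ip:addr-pool=" + reply["Framed-Pool"]
    return reply


def authorize(request, home_reply=None):
    """authorize section order from the mail: files, force_username, tweak_cisco.
    home_reply is a constructed stand-in for attributes (e.g. Framed-Pool)
    returned by the home server for realm plop; it is merged before tweak_cisco."""
    control, reply = files(request)
    force_username(request, reply)
    reply.update(home_reply or {})
    tweak_cisco(reply)
    return request, control, reply


if __name__ == "__main__":
    # Constructed request: empty User-Name, called number 1005, from the Cisco NAS.
    req = {"User-Name": "", "Called-Station-Id": "1005",
           "NAS-IP-Address": "192.168.100.153"}
    print(authorize(req, {"Framed-Pool": "dialup"}))
```

Running the module on the constructed request shows all three DEFAULT entries applying because each sets Fall-Through, giving Proxy-To-Realm plop, User-Name anonymous@plop and a Cisco-AVPair of ip:addr-pool=dialup; a request from another called number and NAS leaves User-Name empty and adds no Cisco-AVPair.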