Thanks for the ideas, I'll give them a try.

-Dustin Doris


On Mon, 17 Mar 2003, Christophe Boyanique wrote:

> On Thu, Mar 13, 2003 at 11:54:22AM -0500, freeradius mailing list wrote:
>
> > Now, what I want to do is make it change the realm that is added based on
> > an attribute that comes in.  So maybe something like.
>
> I have a solution but it is not very clean and I only tested it with
> freeradius 0.8.1 so I'm looking forward to hearing about other solutions.
>
> 1st the users file:
>
> ----- cut -----
> DEFAULT Called-Station-Id == 1005, Proxy-To-Realm := plop
>         Realm = plop,
>         Fall-Through = Yes
>
> DEFAULT Called-Station-Id == 1006, Proxy-To-Realm := plop
>         Realm = plop,
>         Fall-Through = Yes
>
> DEFAULT NAS-IP-Address == 192.168.100.153
>         Cisco-AVPair = Framed-Pool,
>         Fall-Through = Yes
> ----- cut -----
>
> Please note that Realm will not be fixed in the proxified packet there,
> it is only useful for internal use (see below).
>
>
>
> Then the acct_users file: (pretty much the same)
>
> ----- cut -----
> DEFAULT Called-Station-Id == 1005, Proxy-To-Realm := plop
>         Realm = plop,
>         Fall-Through = Yes
>
> DEFAULT Called-Station-Id == 1006, Proxy-To-Realm := plop
>         Realm = plop,
>         Fall-Through = Yes
> ----- cut -----
>
>
>
> And the radiusd.conf file:
>
> ----- cut -----
> ... snipped ...
> modules {
>
>         attr_rewrite force_username {
>                 attribute = User-Name
>                 searchin = packet
>                 searchfor = NULL
>                 replacewith = "[EMAIL PROTECTED]:Realm}"
>                 append = no
>                 new_attribute = no
>                 max_matches = 1
>         }
>
>         attr_rewrite tweak_cisco {
>                 attribute = Cisco-AVPair
>                 searchin = reply
>                 searchfor = "Framed-Pool"
>                 replacewith = "ip:addr-pool=%{reply:Framed-Pool}"
>                 append = no
>                 new_attribute = no
>                 max_matches = 1
>         }
> ... snipped ...
> }
>
>
> instantiate {
> }
>
> pre_proxy {
> }
>
> post_proxy {
> }
>
> authorize {
>         suffix
>         files
>         force_username
>         tweak_cisco
> }
> authenticate {
> }
>
> preacct {
>         suffix
>         files
>         force_username
> }
>
> accounting {
> }
> ----- cut -----
>
>
> With this configuration here is what happens:
>
> - requests coming from Called Number 1005 or 1006 are proxified to the
>   realm plop
>
> - requests coming from the NAS 192.168.100.153 obtain a new attribute
>   Cisco-AVPair
>
> - before sending the request to the proxy, User-Name is set to
>   [EMAIL PROTECTED] if it was NULL (empty)
>
> - when replies are back, if an attribute Cisco-AVPair exists and
>   contains Framed-Pool it is replaced with a weird VSA attribute
>   invented by cisco (because AS5300 doesn't handle Framed-Pool).
>
> Now, please, don't ask me:
> - why the force_username occurs before proxifying and the tweak_cisco
>   after proxifying;
> - if it will work with cvs or new version of freeradius;
> Because I don't have any idea...
>
> And if someone has comments or ideas about improving this, please feel
> free to share ;)
>
> --
> Christophe.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

