Hi Alan,

My comments inline (sorry for the long email),

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Alan DeKok
> Sent: Monday, May 03, 2004 21:09
> To: [EMAIL PROTECTED]
> Subject: Re: Looping prevention end duplicate accounting 
> 
> 
> "Luis Guido" <[EMAIL PROTECTED]> wrote:
> > Right.... You are saying that's virtually impossible to handle all at the
> > Proxy level. I'm trying to replicate one scenario that I have with
> > Radiator, and I guess (just a thought) it would be nice to have it also
> > on FreeRadius.
> 
>   Ok...
> 
> > This way I no longer depend on the client config to prevent some loop.
> > If a request arrives to me from client1, the client1's handler can't be
> > used to forward the request to. The request will be handled somewhere
> > else (ignored or dropped).
> > If the server can keep track of what client sent the request, it can
> > be used for proxy decisions.
> 
>   You can do this in FreeRADIUS, too, in the "users" file:
> 
> #---
> DEFAULT         Realm == "client1_realm", Client-IP-Address != 1.2.3.4, Auth-Type := Reject
> #---

Thanks for the tip! I'm going to try it, but this will work only for leaf
servers and not for proxy servers (that's what I was trying to
implement). That's a start, and I'm sure it will work for a badly
configured Proxy Server.
Unfortunately the scenario I'm talking about will probably have hundreds of
"leaf" servers (servers that actually authorize users based on one or
several realms connected to some DB) that proxy the other requests to a
Proxy Server. This one will only do some sort of application routing. It
will not authorize any users. The Proxy Server only knows who authorizes
some realms, and forwards all requests to the next server (could be
another Proxy Server or some "Leaf Server") if it knows who handles that
Realm, or forwards it to the upper Proxy Server, and so on....
The loops that I was trying to prevent are at the Proxy Server level.
But I guess this is not possible yet, right? :(

Here's the rest of the config portion of the Proxy Server (for
RADIATOR) for some Proxy that knows who authenticates users for Realm1
and Realm2 and the "generic" handler for proxying the unknown realms.
The request is "stamped" on the way in with the Identifier value for the
Client-Identifier variable that can be tested later.
In a FreeRADIUS config it would be somewhere in the proxy.conf at the
Realm entry, I guess....

---- RADIATOR CONFIG BEGIN ----
# Server that knows realm1.com
<Client 1.2.3.4>
        Secret secret1
        Identifier REALM1.COM
</Client>
# Server that knows realm2.com
<Client 4.3.2.1>
        Secret secret2
        Identifier REALM2.COM
</Client>

# Top Proxy Server (to forward everything that we do not know where to send)
<Client 11.22.33.44>
        Secret secret3
        Identifier TOPPROXY
</Client>

# To forward all requests for users @realm1.com, unless they arrived from
# the realm1.com server itself (Client-Identifier REALM1.COM), so a request
# is never sent back to the client it came from
<Handler Realm = realm1.com,Client-Identifier=/^(?!REALM1\.COM$)/>
    <AuthBy RADIUS>
         Host            1.2.3.4
         Secret          secret1
         AuthPort        1812
         AcctPort        1813
    </AuthBy>
</Handler>
# To forward all requests for users @realm2.com, unless they arrived from
# the realm2.com server itself (Client-Identifier REALM2.COM)
<Handler Realm = realm2.com,Client-Identifier=/^(?!REALM2\.COM$)/>
    <AuthBy RADIUS>
         Host            4.3.2.1
         Secret          secret2
         AuthPort        1812
         AcctPort        1813
    </AuthBy>
</Handler>

# Everything else (that has some realm) will be forwarded to the TOP SERVER,
# unless it arrived from the TOP SERVER (Client-Identifier TOPPROXY), in
# which case no handler matches and the request is dropped instead of bounced
<Handler Realm = /^.+$/,Client-Identifier=/^(?!TOPPROXY$)/>
     <AuthBy RADIUS>
          Host            11.22.33.44
          Secret          secret3
          AuthPort        1812
          AcctPort        1813
     </AuthBy>
</Handler>
---- RADIATOR CONFIG END ----

Thanks.

Luís Guido

>   e.g. Requests for that realm, NOT from the client, are rejected.
> 
>   Alan DeKok.
> 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
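Added example, not Radiator or FreeRADIUS code and not from the list thread: a Python model of the routing decision the Radiator config in the mail makes, so the loop-prevention rule can be exercised offline. It stamps each request with the Identifier of the Client it arrived from and then walks the three handlers in file order, first match wins (an assumption about Radiator's handler selection), refusing to forward a realm's request back to the server that owns that realm, or an unknown realm back to the top proxy. A naive handler list without the Client-Identifier check is included to show the bounce the original prevents, and `leaf_check` models Alan's users-file rule for a leaf server. Addresses, realms and identifiers are the constructed values from the posted config; `realm_of`, `route`, `bounces_back` and `leaf_check` are names chosen here. One thing the model makes visible: a realm1.com request arriving from the realm1.com server itself falls through to the generic handler and goes to the top proxy.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Added example: a model of the Radiator handler selection in the e-mail,
# not Radiator's or FreeRADIUS's own code. Addresses, realms and identifiers
# are the constructed values from the posted config.


@dataclass(frozen=True)
class Client:
    ip: str
    identifier: str  # Radiator "Identifier", seen by handlers as Client-Identifier


@dataclass(frozen=True)
class Handler:
    realm: str              # regex tested against the realm part of User-Name
    client_identifier: str  # regex tested against Client-Identifier
    next_hop: str           # AuthBy RADIUS Host the request is proxied to


CLIENTS = {
    "1.2.3.4": Client("1.2.3.4", "REALM1.COM"),        # server that knows realm1.com
    "4.3.2.1": Client("4.3.2.1", "REALM2.COM"),        # server that knows realm2.com
    "11.22.33.44": Client("11.22.33.44", "TOPPROXY"),  # upstream proxy for everything else
}

# The three handlers from the config. Assumed semantics: tried in file order,
# first match handles the request, no match means the request is dropped.
HANDLERS: List[Handler] = [
    Handler(r"^realm1\.com$", r"^(?!REALM1\.COM$)", "1.2.3.4"),
    Handler(r"^realm2\.com$", r"^(?!REALM2\.COM$)", "4.3.2.1"),
    Handler(r"^.+$",          r"^(?!TOPPROXY$)",    "11.22.33.44"),
]

# Same routing table without the Client-Identifier check, to show what it buys.
NAIVE_HANDLERS: List[Handler] = [Handler(h.realm, r".*", h.next_hop) for h in HANDLERS]


def realm_of(user_name: str) -> str:
    """Realm is whatever follows the last '@'; a bare user name has no realm."""
    return user_name.rpartition("@")[2] if "@" in user_name else ""


def route(src_ip: str, user_name: str, handlers: List[Handler] = HANDLERS) -> Tuple[str, str]:
    """Decide what the proxy does with one request: ("forward", host) or ("drop", why)."""
    client = CLIENTS.get(src_ip)
    if client is None:
        return ("drop", "unknown client")  # RADIUS servers silently discard these
    realm = realm_of(user_name)
    for h in handlers:
        if re.search(h.realm, realm) and re.search(h.client_identifier, client.identifier):
            return ("forward", h.next_hop)
    return ("drop", "no handler matched")


def bounces_back(src_ip: str, user_name: str, handlers: List[Handler] = HANDLERS) -> bool:
    """True if the proxy would send the request straight back to the peer it came from."""
    action, target = route(src_ip, user_name, handlers)
    return action == "forward" and target == src_ip


def leaf_check(realm: str, src_ip: str, owner_realm: str = "client1_realm",
               owner_ip: str = "1.2.3.4") -> str:
    """Alan's users-file rule for a leaf server, as a single check:
    DEFAULT Realm == "client1_realm", Client-IP-Address != 1.2.3.4, Auth-Type := Reject
    """
    if realm == owner_realm and src_ip != owner_ip:
        return "Reject"
    return "Continue"  # fall through to the remaining users entries


if __name__ == "__main__":
    for src, user in [("4.3.2.1", "bob@realm1.com"), ("1.2.3.4", "bob@realm1.com"),
                      ("11.22.33.44", "bob@example.org"), ("1.2.3.4", "bob@example.org")]:
        print(f"{user:>18} from {src:<12} -> {route(src, user)}  "
              f"naive bounce: {bounces_back(src, user, NAIVE_HANDLERS)}")
```

Run it as a script to see each decision side by side with what the naive table would have done; the case worth noticing is an unknown realm arriving from TOPPROXY, which the stamped table drops and the naive table returns to its sender.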
