On Sun, Jan 02, 2005 at 10:51:11PM +0100, Nicolas Baradakis wrote:
> Pasi Kärkkäinen wrote:
>
> > I need to add Post-Proxy-Type based on realm of the proxied
> > request.
> >
> > I can't figure out how to express this with the sql tables:
> > "DEFAULT Realm == "foo.net", Post-Proxy-Type := post.proxy.foo"
> >
> > There's no Realm field in the sql..
>
> I don't understand why you absolutely want to manage the settings for
> the realm in a SQL database. (although it is possible) The home server
> does SQL requests because it authenticates the users and stores
> accounting tickets, but the proxy usually doesn't do SQL at all.
>

Sorry for the long delay in answering.
In this case the RADIUS server was acting as both proxy and home server,
for different realms.

> Unless you have many realms and they often change and you can't afford
> to add/remove a realm from your configuration without restarting
> radiusd, your proxy doesn't need to do SQL requests. Moreover,
> querying the SQL server for each request costs a big performance
> penalty, therefore you should put the Post-Proxy-Type in the users
> file unless you have good reasons.
>
> If you really want to add the Post-Proxy-Type attribute from a
> database, below is the main idea of how to do this. (I didn't test
> it and perhaps you'll need some minor changes)
>
> You replace "UserName" with "Realm" in the SQL schema.
>
> CREATE TABLE radcheck (
>   id int(11) unsigned NOT NULL auto_increment,
>   Realm varchar(64) NOT NULL default '',
>   Attribute varchar(32) NOT NULL default '',
>   op char(2) NOT NULL DEFAULT '==',
>   Value varchar(253) NOT NULL default '',
>   PRIMARY KEY (id),
>   KEY Realm (Realm(32))
> ) ;
>
> Then you insert the Post-Proxy-Type definition in the radcheck table:
>
> INSERT INTO radcheck (Realm,Attribute,op,Value) VALUES ('foo.net',
> 'Post-Proxy-Type', '=', 'post.proxy.foo');
> INSERT INTO radcheck (Realm,Attribute,op,Value) VALUES ('bar.com',
> 'Post-Proxy-Type', '=', 'post.proxy.bar');
>
> Finally you write the adequate query in sql.conf. (and comment other
> auth queries)
>
> authorize_check_query = "SELECT id,Realm,Attribute,Value,op FROM radcheck
> WHERE Realm = '%{Realm}'"
>

That was not possible because I needed the username fields in SQL..

> > Could I use rlm_attr_filter to add Post-Proxy-Type? rlm_attr_filter is
> > processed for the proxy replies and you can match realms there.. so it
> > seems like a right place to do this.. I'll try this and see what happens.
>
> You can't add a check item with this module, so there is no way you
> can set Post-Proxy-Type there. However, perhaps you can try to add the
> Pool-Name attribute in the attrsfile:
>
> foo.net
>         Pool-Name := "foo_ippool",
>         Fall-Through = Yes
>
> bar.com
>         Pool-Name := "bar_ippool",
>         Fall-Through = Yes
>
> DEFAULT
>         Put here all other attributes you need otherwise they'll
>         be removed from the packet
>

This doesn't work..

/attrs]:84 WARNING! Check item "Pool-Name" found in filter list for realm "foo.com"

And ip-pool-module later complains that it cannot find Pool-Name in the request.

> This is an alternate approach. It may work, too. And finally you will
> get not one, but two solutions to set up your FreeRADIUS proxy!
>

Unfortunately neither of them works :(
I'm going to install proxy and home servers on different machines (or at
least on different freeradius server instances) to try to make this work..
Thanks!
-- Pasi Kärkkäinen
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html