RE: Trying to apply a simple proxy_reply law
Yes. It works! Thanks a lot, Stefan. I've been looking for that for a long time.

For all the people who are trying to implement that feature, I will summarize it:

* If you want to apply rules to your attributes in order to change the reply from a home RADIUS that is sent back through a proxy, this is a solution. In our case, we want to rewrite the Session-Timeout attribute only if its value exceeds 3600 or if it is null. So:

- Set post_proxy_authorize in proxy.conf to 'yes'.

- Filter original attributes with excessive values by changing the 'attrs' file rules and then uncommenting it (through the 'attr_filter' guideline) in the post-proxy stage of radiusd.conf. For example, append or update at the end of the file 'attrs' (in the last DEFAULT) the following rules:

      Session-Timeout = 3600,

  That will make RADIUS remove from the replies all the attributes bigger than these values, so attributes will remain only if their values are as we expect.

- Finally, due to the first action, RADIUS will process the authorize stage of radiusd.conf a second time. If the word 'files' is uncommented, RADIUS will try to match the rules in the 'users' file. As we have by now erased all invalid values of the attribute Session-Timeout, it only remains to rewrite those replies in which that attribute isn't there. That's simple: change the first DEFAULT entry of the 'users' file that matches your expectations and add 'Session-Timeout = 3600'. The '=' operand ( http://wiki.freeradius.org/Operators ) means add the item to the reply list, but only if there is no other item of the same attribute.

      DEFAULT Auth-Type = System
              Session-Timeout = 3600,
              Fall-Through = 1

Thank you all for your help. I hope it will be useful!

MARC MIRANDA PIERNAU
Departamento de Ingeniería
[EMAIL PROTECTED]
GOWEX, THE WIRELESS EXCHANGE
www.gowex.es
Paseo de la Castellana, 21
28046 Madrid
Tel. +34 91 360 14 70
Fax. +34 91 360 14 71

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Stefan Winter
Sent: Friday, 11 May 2007 14:38
To: FreeRadius users mailing list
Subject: Re: Trying to apply a simple proxy_reply law

Hi,

how about setting post_proxy_authorize in proxy.conf and then creating rules for changing the attribute in the users file?

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
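
Added example, not part of the original message and not FreeRADIUS code: a small Python model of the two stages the summary describes (the post-proxy attribute filter, then the 'users' DEFAULT entry with the '=' operator), run over constructed replies. It assumes the cap in 'attrs' is written with the '<=' operator; the Idle-Timeout rule and all function names are made up for the illustration. Note that a home-server value of 0 passes the cap and is kept.

```python
# Simplified model (not FreeRADIUS code) of the two stages the message describes.
CAP = 3600  # limit used in the message

# 'attrs' DEFAULT rules. Assumption: the cap is written with '<='.
# The Idle-Timeout rule is constructed for this example.
ATTRS_RULES = {"Session-Timeout": ("<=", CAP), "Idle-Timeout": ("<=", 600)}

# 'users' DEFAULT reply item, using the '=' operator from the message.
USERS_DEFAULT = [("Session-Timeout", CAP)]


def attr_filter(reply, rules):
    """post-proxy stage: keep an attribute only if a rule lists it and it passes."""
    kept = []
    for name, value in reply:
        rule = rules.get(name)
        if rule is None:
            continue  # modelled as dropped: no rule lists this attribute
        op, limit = rule
        if op == "<=" and value <= limit:
            kept.append((name, value))
    return kept


def users_add_if_absent(reply, items):
    """'=' operator: add the item only if no item of that attribute exists."""
    present = {name for name, _ in reply}
    out = list(reply)
    for name, value in items:
        if name not in present:
            out.append((name, value))
            present.add(name)
    return out


def process_proxy_reply(reply):
    """Second authorize pass runs after the post-proxy filter."""
    return users_add_if_absent(attr_filter(reply, ATTRS_RULES), USERS_DEFAULT)


if __name__ == "__main__":
    # Constructed home-server replies: too large, absent, within cap, zero.
    samples = ([("Session-Timeout", 86400)], [],
               [("Session-Timeout", 1800)], [("Session-Timeout", 0)])
    for sample in samples:
        print(sample, "->", process_proxy_reply(sample))
```
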
RE: One day user account
Take a look at rlm_counter/rlm_sqlcounter (I don't know if it's exactly what you are looking for) or, if you don't want to complicate things, just work with database logic and change the radius auth queries depending on certain timestamps and NOW(), for example, in the case of MySQL, in sql.conf.

I'm not a guru, but it can be useful for starting to look at some of the options.

_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Aren Chua
Sent: Friday, 11 May 2007 12:35
To: freeradius-users@lists.freeradius.org
Subject: One day user account

Hi All,

I would like to create a user account which only allows the user to use it for 1 day. Once the user has been authenticated, the time will start counting and end after 24 hours. Although the user didn't fully use up their session time, radius will still reject the user's login. Can any expert give me some suggestions on how to create this user account?

Thanks
Regards,
Aren Chua