Re: Modify packet proxied to a specific realm [Solved in 2 ways]

2004-06-16 Thread Alan DeKok
Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> Since the attr_rewrite module and the preproxy_users are said to be
> 'experimental' which one would you recommend for use in a production
> environment? Is any of this going to go away in 1.0.0 or the future?

  I would recommend preproxy_users, simply because it's easier to
configure.

  The only reason that both are marked "experimental" is that they
weren't heavily tested.  They're probably OK now (~8 months or more
after they were written.)

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Modify packet proxied to a specific realm [Solved in 2 ways]

2004-06-16 Thread Kostas Zorbadelos
At Tue, 15 Jun 2004 11:55:00 -0400,
Alan DeKok wrote:
> 
>   Please don't CC me on messages.  I already read the list, and I
> don't need to see the same message twice.
>
Sorry Alan (replied to all by accident)

> > I wanted for every username of the form [EMAIL PROTECTED] to add 3 wispr
> > attributes (Location-Id, LocationName and LogoffUrl) to the access request
> > packets and 2 attributes (Location-Id, Location-Name) to the
> > accounting packets before they get proxied to the home radius.  
> 
>   In preproxy_users, you should be able to do:
> 
> #---
> DEFAULT   User-Name =~ "@testrealm$", Packet-Type == Access-Request
>   Wispr-Location-Id = "foo",
>   Wispr-LocationName = "bar",
>   ...
>
After adding the files module in the pre-proxy section, it worked like a
charm. Wonderful and elegant configuration (much better than the one I
came up with). Since the attr_rewrite module and the preproxy_users are
said to be 'experimental', which one would you recommend for use in a
production environment? Is any of this going to go away in 1.0.0 or the
future?

Thanks for everything.
 
--   
  Kostas Zorbadelos
  Currently at: Otenet IT Department 
  mailto: [EMAIL PROTECTED]
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.




Re: Modify packet proxied to a specific realm [Solved with a few questions]

2004-06-15 Thread Alan DeKok
Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
...

  Please don't CC me on messages.  I already read the list, and I
don't need to see the same message twice.

> I wanted for every username of the form [EMAIL PROTECTED] to add 3 wispr
> attributes (Location-Id, LocationName and LogoffUrl) to the access request
> packets and 2 attributes (Location-Id, Location-Name) to the
> accounting packets before they get proxied to the home radius.  

  In preproxy_users, you should be able to do:

#---
DEFAULT User-Name =~ "@testrealm$", Packet-Type == Access-Request
        Wispr-Location-Id = "foo",
        Wispr-LocationName = "bar",
        ...

DEFAULT User-Name =~ "@testrealm$", Packet-Type == Accounting-Request
        Wispr-Location-Id = "foo",
        ...
#---

> The pre-proxy section in radiusd.conf wasn't what I wanted because the
> modifications would happen before the proxy of every packet and not
> just packets destined to the specific realm testrealm.

  So check for certain conditions, just like in the "users" file.

>  After the test however I noticed that the packets were not modified
> at all (is this a bug that is fixed in 1.0.0?)

  It should be.

  Alan DeKok.



Re: Modify packet proxied to a specific realm [Solved with a few questions]

2004-06-15 Thread Kostas Zorbadelos
At Mon, 14 Jun 2004 14:09:45 -0400,
Alan DeKok wrote:
> 
> Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> > I would like to know if and how it is possible to modify an accounting
> > and an authentication request
> > packet that is going to be proxied to a specific realm. 
> 
>   Yes.  Use the "preproxy" section.
> 
>   Alan DeKok.
> 
Hello again. Now that I have a working configuration that solves my
problem, I post it to the list for archiving purposes and also a few
clarifications.
I am using version 0.9.3 but I plan to test everything with 1.0.0 pre2
also.

Description of the problem
---

I wanted for every username of the form [EMAIL PROTECTED] to add 3 wispr
attributes (Location-Id, LocationName and LogoffUrl) to the access request
packets and 2 attributes (Location-Id, Location-Name) to the
accounting packets before they get proxied to the home radius.  

I used the attr_rewrite module with the following config in
radiusd.conf:
attr_rewrite addLocationId {
        attribute = WISPr-Location-ID
        # may be "packet", "reply", or "config"
        searchin = packet
        searchfor = "[+ ]"
        replacewith = "isocc=gr,cc=30,ac=21,network=otenet"
        ignore_case = no
        new_attribute = yes
        max_matches = 10
        ## If set to yes then the replace string will be appended to the original string
        append = yes
}
attr_rewrite addLocationName {
        attribute = WISPr-Location-Name
        # may be "packet", "reply", or "config"
        searchin = packet
        searchfor = ""
        replacewith = "OTENET,hotspot"
        ignore_case = no
        new_attribute = yes
        max_matches = 10
        ## If set to yes then the replace string will be appended to the original string
        append = yes
}
attr_rewrite addLogoffUrl {
        attribute = WISPr-Logoff-URL
        # may be "packet", "reply", or "config"
        searchin = packet
        searchfor = ""
        replacewith = "https://192.168.3.3:8443/accountLogoff/home?confirmed=true"
        ignore_case = no
        new_attribute = yes
        max_matches = 10
        ## If set to yes then the replace string will be appended to the original string
        append = yes
}

1) The pre-proxy section
-

The pre-proxy section in radiusd.conf wasn't what I wanted because the
modifications would happen before the proxy of every packet and not
just packets destined to the specific realm testrealm. After the test
however I noticed that the packets were not modified at all (is this a
bug that is fixed in 1.0.0?)

My configuration

pre-proxy {
        addLocationId
        addLocationName
        addLogoffUrl
}

and the relevant part of the debugging output

rad_recv: Access-Request packet from host 212.205.85.239:4422, id=214, length=103
Acct-Session-Id = "01C3"
User-Name = "[EMAIL PROTECTED]"
User-Password = "usera"
NAS-IP-Address = 212.205.178.115
NAS-Port = 0
NAS-Port-Type = Virtual
Proxy-State = 0x6f70656e65745f776c616e
modcall: entering group authorize for request 0
...
rlm_realm: Preparing to proxy authentication request to realm "testrealm"
...
modcall: entering group pre-proxy for request 0
radius_xlat:  'isocc=gr,cc=30,ac=21,network=otenet'
rlm_attr_rewrite: Added attribute WISPr-Location-ID with value 'isocc=gr,cc=30,ac=21,network=otenet'
  modcall[pre-proxy]: module "addLocationId" returns ok for request 0
radius_xlat:  'OTENET,hotspot'
rlm_attr_rewrite: Added attribute WISPr-Location-Name with value 'OTENET,hotspot'
  modcall[pre-proxy]: module "addLocationName" returns ok for request 0
radius_xlat:  'https://192.168.3.3:8443/accountLogoff/home?confirmed=true'
rlm_attr_rewrite: Added attribute WISPr-Logoff-URL with value 'https://192.168.3.3:8443/accountLogoff/home?confirmed=true'
  modcall[pre-proxy]: module "addLogoffUrl" returns ok for request 0
modcall: group pre-proxy returns ok for request 0
Sending Access-Request of id 1 to 212.205.178.120:1812
User-Name = "usera"
Acct-Session-Id = "01C3"
User-Password = "usera"
NAS-IP-Address = 212.205.178.115
NAS-Port = 0
NAS-Port-Type = Virtual
Proxy-State = 0x6f70656e65745f776c616e
Proxy-State = 0x323134
...

As you can see the packet was not modified. The same thing happened
for accounting packets also.

2) The solution with autz-type and acct-type
-

Here are the relevant parts from the working config:

authorize {
preprocess
chap

realmslash
suffix
#
#  Read the 'users' file
files

Autz-Type WLANRoaming{
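
A way to check this from the debug log rather than by eye, as an added example that is not part of the original post: the script parses `radiusd -X` output in the format quoted above and reports which required WISPr attributes are absent from each packet actually sent to the home server, so a module that logs "Added attribute" without changing the proxied packet is caught. The sample log, its addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the radiusd -X output quoted in the post;
# addresses and values are placeholders, not captured from a real server.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.0.2.10:4422, id=214, length=103
\tUser-Name = "usera@testrealm"
modcall: entering group pre-proxy for request 0
rlm_attr_rewrite: Added attribute WISPr-Location-ID with value 'isocc=gr'
  modcall[pre-proxy]: module "addLocationId" returns ok for request 0
Sending Access-Request of id 1 to 192.0.2.20:1812
\tUser-Name = "usera"
\tProxy-State = 0x323134
modcall: entering group post-proxy for request 0
"""

# Attributes the thread wants on packets proxied to the home server.
REQUIRED = {
    "Access-Request": ["WISPr-Location-ID", "WISPr-Location-Name", "WISPr-Logoff-URL"],
    "Accounting-Request": ["WISPr-Location-ID", "WISPr-Location-Name"],
}

SEND_RE = re.compile(r"^Sending (\S+) of id (\d+) to (\S+?):(\d+)\s*$")
ATTR_RE = re.compile(r"^\s*([A-Za-z][\w-]*) = (.*?)\s*$")

def sent_packets(debug_text):
    """Return one dict per 'Sending ...' block with its attribute names."""
    packets, current = [], None
    for line in debug_text.splitlines():
        m = SEND_RE.match(line)
        if m:
            current = {"type": m.group(1), "id": int(m.group(2)),
                       "dest": m.group(3), "attrs": set()}
            packets.append(current)
        elif current is not None and ATTR_RE.match(line):
            # Names compared case-insensitively (Wispr-... vs WISPr-...).
            current["attrs"].add(ATTR_RE.match(line).group(1).lower())
        else:
            current = None  # first non-attribute line ends the block
    return packets

def missing_attributes(debug_text, dest, required=REQUIRED):
    """For each packet sent to dest, list required attributes not present."""
    return [(p["type"], p["id"],
             [n for n in required.get(p["type"], []) if n.lower() not in p["attrs"]])
            for p in sent_packets(debug_text) if p["dest"] == dest]

if __name__ == "__main__":
    for ptype, pid, missing in missing_attributes(SAMPLE_DEBUG, "192.0.2.20"):
        print(ptype, pid, "MISSING: " + ", ".join(missing) if missing else "ok")
```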

Re: Modify packet proxied to a specific realm

2004-06-15 Thread Alan DeKok
Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> Thanks Alan, I thought I would. But which module should I use?

  raddb/preproxy_users

  It should be obvious from there.

  Alan DeKok.



Re: Modify packet proxied to a specific realm

2004-06-15 Thread Kostas Zorbadelos
At Mon, 14 Jun 2004 14:09:45 -0400,
Alan DeKok wrote:
> 
> Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> > I would like to know if and how it is possible to modify an accounting
> > and an authentication request
> > packet that is going to be proxied to a specific realm. 
> 
>   Yes.  Use the "preproxy" section.
> 
>   Alan DeKok.
> 
Thanks Alan, I thought I would. But which module should I use? And how
can I add the attribute(s) I want for a specific realm only?
I think I will focus on the attr_rewrite module but unfortunately it
is not very clear how I can achieve what I want from the sample
configuration in radiusd.conf.

Any other ideas are welcome.




Re: Modify packet proxied to a specific realm

2004-06-14 Thread Alan DeKok
Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:
> I would like to know if and how it is possible to modify an accounting
> and an authentication request
> packet that is going to be proxied to a specific realm. 

  Yes.  Use the "preproxy" section.

  Alan DeKok.



Modify packet proxied to a specific realm

2004-06-14 Thread Kostas Zorbadelos

Hello to everyone.
I would like to know if and how it is possible to modify an accounting
and an authentication request
packet that is going to be proxied to a specific realm. 
What I want is to add a specific attribute with a specific value to
every accounting and authentication request packet that is going to be
proxied at realm X before it gets proxied.

I would appreciate any suggestions.
Thanks in advance

Kostas 

