At Mon, 14 Jun 2004 14:09:45 -0400,
Alan DeKok wrote:
> Kostas Zorbadelos [EMAIL PROTECTED] wrote:
> > I would like to know if and how it is possible to modify an accounting
> > and an authentication request packet that is going to be proxied to a
> > specific realm.
>
> Yes. Use the preproxy section.
>
> Alan DeKok.

Hello again. Now that I have a working configuration that solves my
problem, I post it to the list for archiving purposes and also a few
clarifications.
I am using version 0.9.3 but I plan to test everything with 1.0.0 pre2
also.
Description of the problem
--------------------------
For every username of the form [EMAIL PROTECTED], I wanted to add 3 WISPr
attributes (Location-Id, LocationName and LogoffUrl) to the access request
packets and 2 attributes (Location-Id, Location-Name) to the
accounting packets before they get proxied to the home radius.
I used the attr_rewrite module with the following config in
radiusd.conf:

attr_rewrite addLocationId {
    attribute = WISPr-Location-ID
    # may be packet, reply, or config
    searchin = packet
    searchfor = [+ ]
    replacewith = isocc=gr,cc=30,ac=21,network=otenet
    ignore_case = no
    new_attribute = yes
    max_matches = 10
    ## If set to yes then the replace string will be appended to the original string
    append = yes
}

attr_rewrite addLocationName {
    attribute = WISPr-Location-Name
    # may be packet, reply, or config
    searchin = packet
    searchfor =
    replacewith = OTENET,hotspot
    ignore_case = no
    new_attribute = yes
    max_matches = 10
    ## If set to yes then the replace string will be appended to the original string
    append = yes
}

attr_rewrite addLogoffUrl {
    attribute = WISPr-Logoff-URL
    # may be packet, reply, or config
    searchin = packet
    searchfor =
    replacewith = https://192.168.3.3:8443/accountLogoff/home?confirmed=true;
    ignore_case = no
    new_attribute = yes
    max_matches = 10
    ## If set to yes then the replace string will be appended to the original string
    append = yes
}

1) The pre-proxy section
------------------------
The pre-proxy section in radiusd.conf wasn't what I wanted because the
modifications would happen before the proxy of every packet and not
just packets destined to the specific realm testrealm. After the test
however I noticed that the packets were not modified at all (is this a
bug that is fixed in 1.0.0?)
My configuration

pre-proxy {
    addLocationId
    addLocationName
    addLogoffUrl
}

and the relevant part of the debugging output
rad_recv: Access-Request packet from host 212.205.85.239:4422, id=214, length=103
        Acct-Session-Id = 01C3
        User-Name = [EMAIL PROTECTED]
        User-Password = usera
        NAS-IP-Address = 212.205.178.115
        NAS-Port = 0
        NAS-Port-Type = Virtual
        Proxy-State = 0x6f70656e65745f776c616e
modcall: entering group authorize for request 0
...
rlm_realm: Preparing to proxy authentication request to realm testrealm
...
modcall: entering group pre-proxy for request 0
radius_xlat: 'isocc=gr,cc=30,ac=21,network=otenet'
rlm_attr_rewrite: Added attribute WISPr-Location-ID with value 'isocc=gr,cc=30,ac=21,network=otenet'
modcall[pre-proxy]: module addLocationId returns ok for request 0
radius_xlat: 'OTENET,hotspot'
rlm_attr_rewrite: Added attribute WISPr-Location-Name with value 'OTENET,hotspot'
modcall[pre-proxy]: module addLocationName returns ok for request 0
radius_xlat: 'https://192.168.3.3:8443/accountLogoff/home?confirmed=true'
rlm_attr_rewrite: Added attribute WISPr-Logoff-URL with value 'https://192.168.3.3:8443/accountLogoff/home?confirmed=true'
modcall[pre-proxy]: module addLogoffUrl returns ok for request 0
modcall: group pre-proxy returns ok for request 0
Sending Access-Request of id 1 to 212.205.178.120:1812
        User-Name = usera
        Acct-Session-Id = 01C3
        User-Password = usera
        NAS-IP-Address = 212.205.178.115
        NAS-Port = 0
        NAS-Port-Type = Virtual
        Proxy-State = 0x6f70656e65745f776c616e
        Proxy-State = 0x323134
...
As you can see the packet was not modified. The same thing happened
for accounting packets also.
2) The solution with autz-type and acct-type
--------------------------------------------
Here are the relevant parts from the working config:
authorize {
preprocess
chap
realmslash
suffix
#
# Read the 'users' file
files
Autz-Type WLANRoaming{
addLocationId
addLocationName