RE: Combine Proxy Answer with Local Information
> I have one small issue that I need to address. For some of our clients
> they don't want us to proxy requests before our LAC forwards them.
> Obviously I can configure a default entry in the proxy config so that
> any domain realm that I haven't configured is matched, and specified to
> be handled locally.
>
> The problem comes that I don't know the passwords for all of the
> individual users that will come through, so effectively I just need to
> generate an Accept packet whenever I hit this default proxy config. Is
> there some way I can do this, would I need to configure something within
> the users file instead or is there something I can add within the
> authorization section to allow this to work?

If you know the usernames you can put something like this in users file:

    u...@somewhere Auth-Type := Accept

Ivan Kalik

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Combine Proxy Answer with Local Information
Hi,

Thanks for all the pointers, I have got the proxying and post proxy configuration working with your hints.

I have one small issue that I need to address. For some of our clients they don't want us to proxy requests before our LAC forwards them. Obviously I can configure a default entry in the proxy config so that any domain realm that I haven't configured is matched, and specified to be handled locally.

The problem comes that I don't know the passwords for all of the individual users that will come through, so effectively I just need to generate an Accept packet whenever I hit this default proxy config. Is there some way I can do this, would I need to configure something within the users file instead or is there something I can add within the authorization section to allow this to work?

Any help you can give would be much appreciated.

Dan Fisher

RE: Combine Proxy Answer with Local Information
> I have tried this with and without the
>
> Output looks like:
>
> WARNING: Unknown module "sql" in string expansion "%{sql: SELECT
> Attribute from radreply where Username ='burst.net' and
> Attribute='Tunnel-Password'}"

You haven't configured (or included in radiusd.conf) sql.conf.

> /etc/raddb/sites-enabled/default[562]: "SQL" modules aren't allowed in
> 'post-proxy' sections -- they have no such method.

OK, are you using sql for authorization of local users? If not, alter authorize_reply query in raddb/sql/mysql/dialup.conf and list sql.authorize in post-proxy section.

> If anyone has any thoughts on this or whether I can obtain the same
> information another way that would be much appreciated. I will be having
> potentially hundreds of different realms going through this freeradius
> instance and I need to add this information for each one

Well, you can run sql queries from perl module (that one has post-proxy function) but that is much more expensive than running sql.authorize. sql module has persistent threads to sql server, while perl would need to establish a new connection each time.

Ivan Kalik

Re: Combine Proxy Answer with Local Information
Dan Fisher | Fluidata wrote:
> However I am having real problems getting the mysql part working. I have
> tried using examples other people are using that work and they either
> just get treated as a string or the server won't even run in debug mode.

If it doesn't run in debugging mode, it prints a *descriptive* error saying why.

> I don't appear to be able to use the sql module itself as I get an error
> saying it's not supported in the post-proxy configuration section.

Use "sql.authorize", instead of just "sql".

> Where %{2} is the result of a regular expression to split a full
> username so I just have the domain to use later on.
>
> if ( "%{sql: SELECT Attribute from radreply where username
> ='%{2}' and attribute='Tunnel-Password'}" ) {

What the heck is that supposed to do?

> WARNING: Unknown module "sql" in string expansion "%{sql: SELECT
> Attribute from radreply where Username ='burst.net' and
> Attribute='Tunnel-Password'}"

So... you haven't configured the SQL module. How is it supposed to do SQL queries?

> /etc/raddb/sites-enabled/default[562]: "SQL" modules aren't allowed in
> 'post-proxy' sections -- they have no such method.

Use "sql.authorize". And configure the SQL module.

Alan DeKok.

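Added example, not part of the thread and not the FreeRADIUS project's own configuration: one way the replies above fit together in a FreeRADIUS 2.x setup, with the sql module loaded so the %{sql:...} expansion resolves, and the per-realm value copied into the reply in post-proxy. It assumes the stock MySQL schema's radreply table (UserName, Attribute, Value columns), one radreply row per realm, and that the realm is the part of User-Name after "@".

```conf
# radiusd.conf (fragments)
modules {
        # Defines the "sql" module instance; without it the server logs
        # 'Unknown module "sql" in string expansion'.
        $INCLUDE sql.conf
}

instantiate {
        # Load the module at startup so the %{sql:...} expansion is
        # registered even if "sql" is not listed in authorize.
        sql
}

# sites-enabled/default
post-proxy {
        # Split user@realm; after a match %{2} holds the realm.
        if (User-Name =~ /^([^@]+)@(.+)$/) {
                update reply {
                        # Select the Value column (the stored password),
                        # not the Attribute column (its name).
                        # rlm_sql escapes characters outside the
                        # safe-characters list in sql.conf when it expands
                        # %{2} into the query, so the realm taken from
                        # User-Name is not passed to MySQL raw.
                        Tunnel-Password := "%{sql:SELECT Value FROM radreply WHERE UserName='%{2}' AND Attribute='Tunnel-Password'}"
                }
        }
}
```

Running the server in debug mode shows the expanded query and the value it returned for each request.
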
RE: Combine Proxy Answer with Local Information
Hi,

>> My problem is that the response I send to our LAC has to contain extra
>> information depending on the domain. Is it possible to query a local
>> mysql database for this extra information (these are cisco av pairs
>> needed to establish the tunnels between the LAC and LNS)
>Yes. See man unlang.
>> and add it into
>> the Access-Accept message that is returned to the LAC from the radius?
>Use unlang in post-proxy.
>Ivan Kalik

Thanks for the guidance Ivan, it's given me a good starting point.

I have managed to get new information into my accept requests by hard coding update reply sections in the unlang code (example below):

update reply {
        Tunnel-Client-Auth-ID = "fluidata"
}

However I am having real problems getting the mysql part working. I have tried using examples other people are using that work and they either just get treated as a string or the server won't even run in debug mode. I don't appear to be able to use the sql module itself as I get an error saying it's not supported in the post-proxy configuration section.

Can anyone suggest where I might be going wrong with this? Inside the post-proxy section I have:

Where %{2} is the result of a regular expression to split a full username so I just have the domain to use later on.

if ( "%{sql: SELECT Attribute from radreply where username ='%{2}' and attribute='Tunnel-Password'}" ) {
        ok
}

I have tried this with and without the

Output looks like:

WARNING: Unknown module "sql" in string expansion "%{sql: SELECT Attribute from radreply where Username ='burst.net' and Attribute='Tunnel-Password'}"
expand: %{sql: SELECT Attribute from radreply where Username ='burst.net' and Attribute='Tunnel-Password'} -> ?
Evaluating ("%{sql: SELECT Attribute from radreply where Username ='burst.net' and Attribute='Tunnel-Password'}" ) -> FALSE
++? if ("%{sql: SELECT Attribute from radreply where Username ='burst.net' and Attribute='Tunnel-Password'}" ) -> FALSE
/etc/raddb/sites-enabled/default[562]: "SQL" modules aren't allowed in 'post-proxy' sections -- they have no such method.
/etc/raddb/sites-enabled/default[512]: Errors parsing post-proxy section.

If anyone has any thoughts on this or whether I can obtain the same information another way that would be much appreciated. I will be having potentially hundreds of different realms going through this freeradius instance and I need to add this information for each one

Dan Fisher

Re: Combine Proxy Answer with Local Information
> My problem is that the response I send to our LAC has to contain extra
> information depending on the domain. Is it possible to query a local
> mysql database for this extra information (these are cisco av pairs
> needed to establish the tunnels between the LAC and LNS)

Yes. See man unlang.

> and add it into
> the Access-Accept message that is returned to the LAC from the radius?

Use unlang in post-proxy.

Ivan Kalik