RE: Combine Proxy Answer with Local Information

2009-11-24 Thread tnt
> I have one small issue that I need to address. For some of our clients
> they don't want us to proxy requests before our LAC forwards them.
> Obviously I can configure a default entry in the proxy config so that
> any domain realm that I haven't configured is matched, and specified to
> be handled locally.
>
> The problem comes that I don't know the passwords for all of the
> individual users that will come through, so effectively I just need to
> generate an Accept packet whenever I hit this default proxy config. Is
> there some way I can do this, would I need to configure something within
> the users file instead or is there something I can add within the
> authorization section to allow this to work?

If you know the usernames you can put something like this in users file:

u...@somewhere Auth-Type := Accept


Ivan Kalik

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Combine Proxy Answer with Local Information

2009-11-24 Thread Dan Fisher | Fluidata
Hi,

Thanks for all the pointers, I have got the proxying and post proxy
configuration working with your hints.

I have one small issue that I need to address. For some of our clients
they don't want us to proxy requests before our LAC forwards them.
Obviously I can configure a default entry in the proxy config so that
any domain realm that I haven't configured is matched, and specified to
be handled locally.

The problem comes that I don't know the passwords for all of the
individual users that will come through, so effectively I just need to
generate an Accept packet whenever I hit this default proxy config. Is
there some way I can do this, would I need to configure something within
the users file instead or is there something I can add within the
authorization section to allow this to work?

Any help you can give would be much appreciated.

Dan Fisher



RE: Combine Proxy Answer with Local Information

2009-11-23 Thread tnt
> I have tried this with and without the
>
> Output looks like:
>
> WARNING: Unknown module "sql" in string expansion "%{sql: SELECT
> Attribute from radreply where Username ='burst.net' and
> Attribute='Tunnel-Password'}"

You haven't configured (or included in radiusd.conf) sql.conf.

> /etc/raddb/sites-enabled/default[562]: "SQL" modules aren't allowed in
> 'post-proxy' sections -- they have no such method.

OK, are you using sql for authorization of local users? If not, alter
authorize_reply query in raddb/sql/mysql/dialup.conf and list
sql.authorize in post-proxy section.

> If anyone has any thoughts on this or whether I can obtain the same
> information another way that would be much appreciated. I will be having
> potentially hundreds of different realms going through this freeradius
> instance and I need to add this information for each one

Well, you can run sql queries from perl module (that one has post-proxy
function) but that is much more expensive than running sql.authorize. sql
module has persistent threads to sql server, while perl would need to
establish a new connection each time.

Ivan Kalik



Re: Combine Proxy Answer with Local Information

2009-11-23 Thread Alan DeKok
Dan Fisher | Fluidata wrote:
> However I am having real problems getting the mysql part working. I have
> tried using examples other people are using that work and they either
> just get treated as a string or the server won't even run in debug mode.

  If it doesn't run in debugging mode, it prints a *descriptive* error
saying why.

> I don’t appear to be able to use the sql module itself as I get an error
> saying it's not supported in the post-proxy configuration section.

  Use "sql.authorize", instead of just "sql".

> Where %{2} is the result of a regular expression to split a full
> username so I just have the domain to use later on.
>  
> if ( "%{sql: SELECT Attribute from radreply where username
> ='%{2}' and attribute='Tunnel-Password'}" ) {

  What the heck is that supposed to do?

> WARNING: Unknown module "sql" in string expansion "%{sql: SELECT
> Attribute from radreply where Username ='burst.net' and
> Attribute='Tunnel-Password'}"

  So... you haven't configured the SQL module.  How is it supposed to do
SQL queries?

> /etc/raddb/sites-enabled/default[562]: "SQL" modules aren't allowed in
> 'post-proxy' sections -- they have no such method.

  Use "sql.authorize".

  And configure the SQL module.

  Alan DeKok.
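
The two fixes named in the replies above, as an added configuration sketch for the FreeRADIUS 2.x file layout (not posted by anyone in this thread). Keying the lookup on `%{Realm}` and reading the `value` column of `radreply` are assumptions about how the per-realm rows are stored.

```conf
# --- raddb/radiusd.conf ---
modules {
    # ... existing module configuration ...

    # Shipped commented out. Without it the server has no "sql" module,
    # which is what 'Unknown module "sql" in string expansion' reports.
    $INCLUDE sql.conf
}

instantiate {
    # Load sql at startup so %{sql:...} expansions resolve even when no
    # section lists the module under its bare name.
    sql
}

# --- raddb/sites-enabled/default ---
post-proxy {
    # Option 1: fetch one attribute per query through the sql xlat.
    # Assumption: the realm module set Realm during authorize, and the
    # per-realm rows live in radreply with username = realm name.
    # The realm is taken from the client-supplied User-Name; rlm_sql
    # escapes characters outside sql.conf's safe-characters list when it
    # expands attributes into the query, so keep that list tight.
    if (Realm) {
        update reply {
            Tunnel-Password := "%{sql:SELECT value FROM radreply WHERE username='%{Realm}' AND attribute='Tunnel-Password'}"
        }
    }

    # Option 2 (instead of option 1): call the module's authorize method
    # by name, as suggested in the thread. A bare "sql" is rejected here
    # because the module has no post-proxy method. The authorize queries
    # must then be altered to key on the realm rather than the user.
    # sql.authorize
}
```

Running `radiusd -X` after the change shows whether the expansion returns a value or an empty string for a given realm.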

RE: Combine Proxy Answer with Local Information

2009-11-23 Thread Dan Fisher | Fluidata
Hi,

>> My problem is that the response I send to our LAC has to contain extra
>> information depending on the domain. Is it possible to query a local
>> mysql database for this extra information (these are cisco av pairs
>> needed to establish the tunnels between the LAC and LNS)

> Yes. See man unlang.

>> and add it into
>> the Access-Accept message that is returned to the LAC from the radius?

> Use unlang in post-proxy.

> Ivan Kalik

Thanks for the guidance Ivan, it's given me a good starting point. I have
managed to get new information into my accept requests by hard coding
update reply sections in the unlang code (example below):

update reply {
   Tunnel-Client-Auth-ID = "fluidata"
}

However I am having real problems getting the mysql part working. I have
tried using examples other people are using that work and they either
just get treated as a string or the server won't even run in debug mode.
I don't appear to be able to use the sql module itself as I get an error
saying it's not supported in the post-proxy configuration section. Can
anyone suggest where I might be going wrong with this? Inside the
post-proxy section I have:

Where %{2} is the result of a regular expression to split a full
username so I just have the domain to use later on.

if ( "%{sql: SELECT Attribute from radreply where username
='%{2}' and attribute='Tunnel-Password'}" ) {
   ok
}

I have tried this with and without the

Output looks like:

WARNING: Unknown module "sql" in string expansion "%{sql: SELECT
Attribute from radreply where Username ='burst.net' and
Attribute='Tunnel-Password'}"
expand: %{sql: SELECT Attribute from radreply where Username
='burst.net' and Attribute='Tunnel-Password'} ->
? Evaluating ("%{sql: SELECT Attribute from radreply where Username
='burst.net' and Attribute='Tunnel-Password'}" ) -> FALSE
++? if ("%{sql: SELECT Attribute from radreply where Username
='burst.net' and Attribute='Tunnel-Password'}" ) -> FALSE

/etc/raddb/sites-enabled/default[562]: "SQL" modules aren't allowed in
'post-proxy' sections -- they have no such method.
/etc/raddb/sites-enabled/default[512]: Errors parsing post-proxy
section.

If anyone has any thoughts on this or whether I can obtain the same
information another way that would be much appreciated. I will be having
potentially hundreds of different realms going through this freeradius
instance and I need to add this information for each one

Dan Fisher


Re: Combine Proxy Answer with Local Information

2009-11-18 Thread tnt
> My problem is that the response I send to our LAC has to contain extra
> information depending on the domain. Is it possible to query a local
> mysql database for this extra information (these are cisco av pairs
> needed to establish the tunnels between the LAC and LNS)

Yes. See man unlang.

> and add it into
> the Access-Accept message that is returned to the LAC from the radius?

Use unlang in post-proxy.

Ivan Kalik
