RE: Trying to apply a simple proxy_reply law
Yes. It works! Thanks a lot, Stefan. I've been looking for that for a long time.

For all the people who are trying to implement that feature, I will summarize it:

* If you want to apply rules to your attributes in order to change the reply from a home RADIUS that is sent back through a proxy, this is a solution. In our case, we want to rewrite the Session-Timeout attribute only if its value exceeds 3600 or if it is null. So:

- Set post_proxy_authorize in proxy.conf to 'yes'.

- Filter original attributes with exceeding values by changing the 'attrs' file rules and then uncommenting it (through the 'attr_filter' guideline) in the post-proxy stage of radiusd.conf. For example, append or update at the end of the file 'attrs' (in the last DEFAULT) the following rules:

      Session-Timeout <= 3600,

  That will make RADIUS remove from the replies all the attributes bigger than these values, so attributes will remain only if their values are as we expected.

- Finally, due to the first action, RADIUS will process the authorize stage of radiusd.conf for a second time. If the word 'files' is uncommented, RADIUS will try to match the rules in the 'users' file. As we have by now erased all invalid values of the attribute Session-Timeout, it only remains to rewrite those replies in which that attribute isn't there. That's simple: change the first DEFAULT entry of the 'users' file that matches your expectations and add 'Session-Timeout = 3600'. The '=' operand ( http://wiki.freeradius.org/Operators ) means "add the item to the reply list, but only if there is no other item of the same attribute".

      DEFAULT Auth-Type = System
              Session-Timeout = 3600,
              Fall-Through = 1

Thank you all for your help. I hope it will be useful!

MARC MIRANDA PIERNAU
Departamento de Ingeniería
[EMAIL PROTECTED]
GOWEX, THE WIRELESS EXCHANGE
www.gowex.es
Paseo de la Castellana, 21
28046 Madrid
Tel. +34 91 360 14 70
Fax +34 91 360 14 71

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Stefan Winter
Sent: Friday, 11 May 2007 14:38
To: FreeRadius users mailing list
Subject: Re: Trying to apply a simple proxy_reply law

Hi,

how about setting post_proxy_authorize in proxy.conf and then creating rules for changing the attribute in the "users" file?

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
Fax: +352 422473
http://www.restena.lu

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
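The three cases this procedure has to handle (value too high, value acceptable, attribute missing), as an added Python model that is not part of the original thread and is not FreeRADIUS code. The rule lists are constructed stand-ins for the 'attrs' and 'users' entries, and the model assumes attr_filter drops any attribute that no rule names.

```python
# Model of the two-stage reply rewrite summarized above (not FreeRADIUS code).
import operator

# Comparison operators usable in an 'attrs' filter rule (subset).
FILTER_OPS = {"<=": operator.le, ">=": operator.ge, "==": operator.eq}

# Constructed stand-in for the last DEFAULT entry of 'attrs'.
ATTRS_RULES = [("Session-Timeout", "<=", 3600), ("Idle-Timeout", "<=", 600)]

# Constructed stand-in for the reply items of the DEFAULT entry in 'users'.
USERS_REPLY_ITEMS = [("Session-Timeout", "=", 3600)]


def attr_filter(reply, rules):
    """Post-proxy stage: keep an attribute only if some rule names it
    and every rule naming it passes (assumed attr_filter behaviour)."""
    kept = {}
    for name, value in reply.items():
        matching = [(op, limit) for attr, op, limit in rules if attr == name]
        if matching and all(FILTER_OPS[op](value, limit) for op, limit in matching):
            kept[name] = value
    return kept


def apply_users_reply(reply, items):
    """Second authorize pass: '=' adds the item only when the reply has
    no attribute of that name; ':=' (shown for contrast) always overwrites."""
    out = dict(reply)
    for name, op, value in items:
        if op == "=" and name not in out:
            out[name] = value
        elif op == ":=":
            out[name] = value
    return out


def rewrite_proxy_reply(reply):
    """Full pipeline: filter the home server's reply, then apply defaults."""
    return apply_users_reply(attr_filter(reply, ATTRS_RULES), USERS_REPLY_ITEMS)


if __name__ == "__main__":
    # Constructed home-server replies: too long, acceptable, and missing.
    for sample in ({"Session-Timeout": 7200}, {"Session-Timeout": 1800}, {}):
        print(sample, "->", rewrite_proxy_reply(sample))
```

A reply carrying Session-Timeout 7200 ends up with 3600 only because the filter removed the attribute first; with the filter disabled, '=' would leave the 7200 untouched.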
Re: Trying to apply a simple proxy_reply law
Hi,

how about setting post_proxy_authorize in proxy.conf and then creating rules for changing the attribute in the "users" file?

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
Fax: +352 422473
http://www.restena.lu