Re: preproxy for calledstationid to realm

2004-02-10 Thread Jim


On Mon, 9 Feb 2004, Alan DeKok wrote:

   That last sentence makes no sense to me.

Yeah, well it was late, and I think that since you hadn't seen the
original post and ensuing exchange, whatever else I might have written
wouldn't have made any sense, either.

   The users file is what the files module processes in the
 authorize stage.

Of course.
 
   The preproxy_users file is what the files module processes in
 the preproxy stage.

Of course.

   I don't understand why you would confuse or mix up those concepts.

I didn't. I asked for clarification and got an affirmative response. Any
typing mistakes made after that point were due to me, and I apologize for 
any confusion.

  Putting the entry in the
  users file accomplished what we're trying to do, except that
  
  Called-Station-ID =~ *1234
  
  didn't work
 
   Of course not.

...Due to the typos, which I overlooked until I got some sleep.

And for future archive searchers, the line in the users file that works
is (note case and regexp): 

DEFAULT Called-Station-Id =~ .*1234, Proxy-To-Realm := realm

Jim


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
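
The difference between `*1234`, the `.*1234` that works above, and a pattern anchored to the final four digits, as an added example that is not part of the original thread. It assumes the server evaluates `=~` as an unanchored POSIX extended regex through regcomp(); `dnis_match` and the sample numbers are constructed for illustration.

```c
#include <regex.h>
#include <stdio.h>

/* Hypothetical helper (not FreeRADIUS code): unanchored POSIX ERE search,
 * assumed here to be how the server evaluates "=~".
 * Returns 1 on match, 0 on no match, -1 if the pattern does not compile. */
int dnis_match(const char *pattern, const char *called_station_id)
{
    regex_t re;
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, called_station_id, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    /* A leading '*' is undefined in a POSIX ERE: some libraries reject it,
     * others ignore it, so "*1234" is not portable. ".*1234" is valid but
     * matches 1234 anywhere; "1234$" pins it to the final four digits. */
    const char *patterns[] = { "*1234", ".*1234", "1234$", "^[0-9]{6}1234$" };
    /* Constructed Called-Station-Id values. */
    const char *numbers[] = { "9876541234", "5551234000", "3125551234", "1234" };
    size_t p, n;

    for (p = 0; p < sizeof patterns / sizeof patterns[0]; p++) {
        for (n = 0; n < sizeof numbers / sizeof numbers[0]; n++) {
            int r = dnis_match(patterns[p], numbers[n]);
            printf("%-16s %-12s %s\n", patterns[p], numbers[n],
                   r < 0 ? "bad pattern" : r ? "match" : "no match");
        }
    }
    return 0;
}
```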


Re: preproxy for calledstationid to realm

2004-02-10 Thread Jim
 

On Sun, 8 Feb 2004, Michael Griego wrote:

 On Sun, 2004-02-08 at 19:09, Jim wrote:
 
  Is '*' a valid wild card regexp?
 
 Umm... man 7 regex?

ummm...maybe on your system.
 
[ radius1 - uname -a
FreeBSD 4.8-RC1 FreeBSD 4.8-RC1 #0: Mon Mar  3 01:01:33 GMT 2003 [EMAIL 
PROTECTED]:/usr/obj/usr/src/sys/GENERIC  i386
[ Tue Feb 10 11:39:46 ]
[ radius1 - man 7 regex
No entry for regex in section 7 of the manual

 No, a * by itself is not a valid regex... try .* in its place. 

typo on my part - sorry for any confusion.

Jim




Re: preproxy for calledstationid to realm

2004-02-08 Thread Jim
On Sat, 7 Feb 2004, Alan DeKok wrote:

 im [EMAIL PROTECTED] wrote:
  preproxy_users file:
  
  
  DEFAULT
 Called-Station-ID =~ *1234, Proxy-To-Realm := realmname
  
 
   What do you expect this to do?

Perhaps you missed the previous exchange. I can recap, if necessary.

   The purpose of the preproxy_users file is to massage a request
 AFTER you have decided to proxy it, and BEFORE it is sent to the
 proxy.

Ok, that helps.
 
   If you're trying to set Proxy-to-Realm in that file, and expecting
 the request to be proxied, it won't work.  You have to decide to proxy
 requests during the authorize stage, which means the users file.

Which is why I had the preproxy_users file in the 'files' module in the
authorize stage as I originally had asked. Putting the entry in the
users file accomplished what we're trying to do, except that

Called-Station-ID =~ *1234

didn't work until we made it

Called-Station-ID == 9876541234

Is '*' a valid wild card regexp?

   Alan DeKok.

thanks,
Jim




Re: preproxy for calledstationid to realm

2004-02-08 Thread Michael Griego
On Sun, 2004-02-08 at 19:09, Jim wrote:

 Is '*' a valid wild card regexp?

Umm... man 7 regex?

No, a * by itself is not a valid regex... try .* in its place. 
Seriously though, if you're not used to using regular expressions, you
should really bone up on it, because you can get yourself into a lot of
trouble with a single errant character.

-- 

--Mike
 
--
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas




Re: preproxy for calledstationid to realm

2004-02-07 Thread Jim


On Sat, 7 Feb 2004, Chris Parker wrote:

 At 09:55 PM 2/6/2004, Jim wrote:
 
 snip
 preproxy_users file:
 
 
 DEFAULT
 Called-Station-ID =~ *1234, Proxy-To-Realm := realmname
  
 
 You should be able to do this in the plain 'users' file as well.  Yes,
 it will work that way.  

Thanks, I was pretty sure it would. It was the syntax and whitespace I was
wondering about. 

 Anybody do this with MySQL?
 
 You should be able to put the same DEFAULT entry in your SQL DB.

That's the tricky part, but I think we'll figure that out after we get
the other approach working. 

thanks,
Jim




Re: preproxy for calledstationid to realm

2004-02-07 Thread Jim


On Sat, 7 Feb 2004, Jim wrote:

 Thanks, I was pretty sure it would. It was the syntax and whitespace I was
 wondering about. 

This is what I had:

DEFAULT 
Called-Station-Id =~ *1234, Proxy-To-Realm := realm

Using debug:

[/etc/raddb/preproxy_users]:14 WARNING! Check item Proxy-To-Realm ?found
in reply item list for user DEFAULT. ?This attribute MUST go on
 the first line with the other check items

So I changed the entry to:

DEFAULT Called-Station-Id =~ *1234, Proxy-To-Realm := realm

which loaded but didn't do anything. So I changed it to:

DEFAULT Called-Station-Id =~ 9876541234, Proxy-To-Realm := realm

which didn't do anything either. 'blahblah' is the unknown realm that
should have the Proxy-To-Realm 'realm' added as a suffix (debug output
with irrelevance snipped):

rad_recv: Access-Request packet from host 12.12.12.12:3065, id=46, length=220
User-Name = [EMAIL PROTECTED]
Called-Station-Id = 9876541234
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_realm: Looking up realm blahblah for User-Name = [EMAIL PROTECTED]
rlm_realm: No such realm blahblah
  modcall[authorize]: module suffix returns noop
  modcall[authorize]: module sql returns notfound
users: Matched DEFAULT at 1
users: Matched DEFAULT at 10
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/password] (from client o1-7 port 25217)

So, freeradius doesn't add the 'realm' realm and it's trying to auth
locally (which is not what we want) instead of proxying the request.

The users file, btw, is only used to add certain attributes, which is why 
the DEFAULT was being matched:

DEFAULT Service-Type == Framed-User
Framed-IP-Address = 255.255.255.254,
Framed-MTU = 1500,
Service-Type = Framed-User,
Session-Timeout = 21600,
Idle-Timeout = 900,
Fall-Through = Yes
#
#
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP

Any idea what I'm missing?

thanks,
Jim






Re: preproxy for calledstationid to realm

2004-02-07 Thread Alan DeKok
im [EMAIL PROTECTED] wrote:
 preproxy_users file:
 
 
 DEFAULT
Called-Station-ID =~ *1234, Proxy-To-Realm := realmname
 

  What do you expect this to do?

  The purpose of the preproxy_users file is to massage a request
AFTER you have decided to proxy it, and BEFORE it is sent to the
proxy.

  If you're trying to set Proxy-to-Realm in that file, and expecting
the request to be proxied, it won't work.  You have to decide to proxy
requests during the authorize stage, which means the users file.

  Alan DeKok.



preproxy for calledstationid to realm

2004-02-06 Thread Jim
We proxy for a ton of realms, and all works fine on our 0.8.1 radius
farm, utilizing MySQL on separate servers accounting and some
radgroupcheck/reply stuff.

We have to start processing proxy requests for unique Called-Station-ID
with unknown realms. We have a unique dnis (final four) number, so the
npa-nxx will vary wildly. Ideally, we'd like to do that using MySQL, but
after most of today RTFMing, the best option looks like using the preproxy
file. The hitch is the boss won't let us try it out unless somebody who's
more familiar with it says that this will work. So, here's what I think we
need to do:

radiusd.conf file:


files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxyusersfile = ${confdir}/preproxy_users
compat = no
}


preproxy_users file:


DEFAULT
   Called-Station-ID =~ *1234, Proxy-To-Realm := realmname


The realm will be stripped before sending on the packets to the auth
server.

Will/should this work? Any downside besides the fact we have to do this on
all of our radius servers? Any other way to do it?

Anybody do this with MySQL?


thanks,
Jim




Re: preproxy for calledstationid to realm

2004-02-06 Thread Chris Parker
At 09:55 PM 2/6/2004, Jim wrote:

 snip
 preproxy_users file:
 
 
 DEFAULT
    Called-Station-ID =~ *1234, Proxy-To-Realm := realmname
 
 The realm will be stripped before sending on the packets to the auth
 server.
 Will/should this work? Any downside besides the fact we have to do this on
 all of our radius servers? Any other way to do it?

You should be able to do this in the plain 'users' file as well.  Yes,
it will work that way.  I know several companies that are doing exactly
this today.  You also could use 'fastusers' module, which caches the users
file in memory.  This is very nice if you are doing high volume radius.

 Anybody do this with MySQL?

You should be able to put the same DEFAULT entry in your SQL DB.

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net

