Re: proxy reply attributes

2005-05-02 Thread Tiago Fernandes 
hi,


On Fri, 2005-04-22 at 12:46 -0400, Alan DeKok wrote:
 Tiago Fernandes [EMAIL PROTECTED] wrote:
  pre-proxy {
  ...
  pre_proxy_filter
 
   That filters attributes BEFORE the packet is sent to the home server.
 
   so with this config, i say that any attributes Tunnel-* in proxy
  replies packets are removed (i suppose).
 
   Don't suppose.  Read the debugging output of the server.
 
   Is this config right ? What can be the problem ?? Any idea's ??
 
   The config is wrong for what you say you want to do.  The debug
 output of the server would tell you this.
 

right. 

So what i want is to tell home server to remove some attributes from a
reply, if that reply is going to be sent to a specific proxy server.

How can i do this ?? 

can't find any config to do this in radiusd.conf or other file...



   To debug problems like this, run it in debugging mode, and read the
 output.  All of it.
 

done

   Alan DeKok.
 
 
 - 
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
 


signature.asc
Description: This is a digitally signed message part

Re: proxy reply attributes

2005-04-22 Thread Tiago Fernandes 
hi.


i have configured radius.conf with these lines:


modules {
...


attr_filter pre_proxy_filter{
attrsfile = ${confdir}/attrs_out
}

...
}


pre-proxy {

...

pre_proxy_filter

...
}



config of the file attrs_out:

DEFAULT
  Tunnel-Type !* ANY,
  Tunnel-Medium-Type !* ANY,
  Tunnel-Private-Group-ID !* ANY



 so with this config, i say that any attributes Tunnel-* in proxy
replies packets are removed (i suppose).

 the problem is that freeradius isn't removing any of these attributes.

 Is this config right ? What can be the problem ?? Any idea's ??

 



thanks,
Tiago Fernandes


On Thu, 2005-04-14 at 12:54 -0400, Alan DeKok wrote:
 Tiago Fernandes [EMAIL PROTECTED] wrote:
  what i want to know, is if it's possible to configure the freeradius in
  que proxied servers to only send necessary attributes in replies,
  even if que attr_filter is configured in the server that is going do
  send back only allowed attributes.
 
   That's what attr_filter does.  Use it.
 
   Alan DeKok.
 
 - 
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
 


signature.asc
Description: This is a digitally signed message part

Re: proxy reply attributes

2005-04-22 Thread Alan DeKok 
Tiago Fernandes [EMAIL PROTECTED] wrote:
 pre-proxy {
   ...
   pre_proxy_filter

  That filters attributes BEFORE the packet is sent to the home server.

  so with this config, i say that any attributes Tunnel-* in proxy
 replies packets are removed (i suppose).

  Don't suppose.  Read the debugging output of the server.

  Is this config right ? What can be the problem ?? Any idea's ??

  The config is wrong for what you say you want to do.  The debug
output of the server would tell you this.

  To debug problems like this, run it in debugging mode, and read the
output.  All of it.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: proxy reply attributes

2005-04-14 Thread Tiago Fernandes 
On Wed, 2005-04-13 at 12:51 -0400, Alan DeKok wrote:
 Tiago Fernandes [EMAIL PROTECTED] wrote:
   I know that it's possible in freeradius to set attributes to a default
  value when a local freeradius is proxying an auth request (attr_filter).
 
   Ok...
 
   But what i want to do, is to prevent those attributes from  getting out
  in the proxy reply (like vlan attribute), when a local freeradius A is
  contacted by an external freeradius B.
 
   Have you tried attr_filter?

yes...  


attr_filter comment in radiusd.conf:
# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS client
# only allowed attributes.


so attr_filter work's only for attributes that are received in replies
from proxied servers.

what i want to know, is if it's possible to configure the freeradius in
que proxied servers to only send necessary attributes in replies,
even if que attr_filter is configured in the server that is going do
send back only allowed attributes.


 
   Alan DeKok.


thank's
Tiago Fernandes


signature.asc
Description: This is a digitally signed message part

Re: proxy reply attributes

2005-04-14 Thread Alan DeKok 
Tiago Fernandes [EMAIL PROTECTED] wrote:
 what i want to know, is if it's possible to configure the freeradius in
 que proxied servers to only send necessary attributes in replies,
 even if que attr_filter is configured in the server that is going do
 send back only allowed attributes.

  That's what attr_filter does.  Use it.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

proxy reply attributes

2005-04-13 Thread Tiago Fernandes 
hi,




 I know that it's possible in freeradius to set attributes to a default
value when a local freeradius is proxying an auth request (attr_filter).

 But what i want to do, is to prevent those attributes from  getting out
in the proxy reply (like vlan attribute), when a local freeradius A is
contacted by an external freeradius B.


 Is it possible to do this in freeradius config ?? 



thanks,
Tiago Fernandes


signature.asc
Description: This is a digitally signed message part