About authorizing only users with specific attributes (post RADIUS proxy)

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

About authorizing only users with specific attributes (post RADIUS proxy)

Seiichirou Hiraoka
I am building RADIUS Proxy with FreeRADIUS 3.0.4.

@mydomain.edu -> backendradius.mydomain.com
All Other domains -> radius.otherdomain.com

RADIUS server of mydomain.com which is its own domain is already built
separately, and the server under construction wants to do RADIUS Proxy
with the above two rules.

For mydomain.com only, I would like to authorize users who have a
specific character string in the RADIUS standard attribute Filter-Id.

In this case, where should we determine the value of Filter-Id in the
RADIUS response from backendradius.mydomain.com?
Would you please let me know if you have any reference information,
such as a conditional expression with unlang.

Thank you.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: About authorizing only users with specific attributes (post RADIUS proxy)

Alan DeKok-2
On Jul 26, 2017, at 3:04 AM, Seiichirou Hiraoka <[hidden email]> wrote:
>
> I am building RADIUS Proxy with FreeRADIUS 3.0.4.

  Please upgrade to 3.0.15...

> @mydomain.edu -> backendradius.mydomain.com
> All Other domains -> radius.otherdomain.com

  That is easy to configure in proxy.conf.  Set a realm for @mydomain.edu, and then a DEFAULT realm for the rest.  It will just work.

> For mydomain.com only, I would like to authorize users who have a
> specific character string in the RADIUS standard attribute Filter-Id.
>
> In this case, where should we determine the value of Filter-Id in the
> RADIUS response from backendradius.mydomain.com?

  In the post-auth section.

> Would you please let me know if you have any reference information,
> such as a conditional expression with unlang.

  The configuration files have dozens of examples, and "man unlang" documents it.

        if ((Realm == "a") && (reply:Filter-Id == "b")) {
                ...
        }

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: About authorizing only users with specific attributes (post RADIUS proxy)

Seiichirou Hiraoka
Hello Alan,

thank you for your answer.
By writing in the post-auth section, it was the desired behavior.

Best regards,


2017-07-26 20:42 GMT+09:00 Alan DeKok <[hidden email]>:

> On Jul 26, 2017, at 3:04 AM, Seiichirou Hiraoka <[hidden email]> wrote:
>>
>> I am building RADIUS Proxy with FreeRADIUS 3.0.4.
>
>   Please upgrade to 3.0.15...
>
>> @mydomain.edu -> backendradius.mydomain.com
>> All Other domains -> radius.otherdomain.com
>
>   That is easy to configure in proxy.conf.  Set a realm for @mydomain.edu, and then a DEFAULT realm for the rest.  It will just work.
>
>> For mydomain.com only, I would like to authorize users who have a
>> specific character string in the RADIUS standard attribute Filter-Id.
>>
>> In this case, where should we determine the value of Filter-Id in the
>> RADIUS response from backendradius.mydomain.com?
>
>   In the post-auth section.
>
>> Would you please let me know if you have any reference information,
>> such as a conditional expression with unlang.
>
>   The configuration files have dozens of examples, and "man unlang" documents it.
>
>         if ((Realm == "a") && (reply:Filter-Id == "b")) {
>                 ...
>         }
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Loading...