conditional attribute rewrite.


Benedikt Sveinsson
I have a particular problem with our service structure

We are getting rid of old freeradius servers that have been operational for years and centralizing everything into two radius servers


Due to different access networks, some users are connected to BNG services that can only terminate or forward to an LNS.

The users (realm) that are forwarded to the LNS first get a response from our prod radius with modified attributes through the legacy attr file where we add the VPDN config, and are then proxied to the old legacy Radius. Our old LNS then receives the session and authenticates with the legacy radius.

Client -> BNG  - radius to prod Radius – gets VPDN info towards LNS and proxies auth to legacy radius.
Client -> LNS  - authenticates to the legacy radius

This is all well and good, but we have new LNS routers that are going to be terminating these sessions.

Now the issue is that I need to be able (if possible) to only rewrite the attrs (insert LNS / VPN info) if the request comes from the BNG gateways, as they can't terminate some of the special realms (they only do normal PPPoE users).
But when the auth request comes from the LNS, it should not get the VPDN config, else it will just loop.

Is it possible to conditionally add the attributes I need based on the NAS / NAS-IP or some other identifier?
(Basically I'm using the routers both for LNS and to terminate locally.)

I have searched and I'm a bit lost between the legacy config and the "new" one.

- Benni
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: conditional attribute rewrite.

Michael Schwartzkopff-3
On 09.12.20 12:53, Benedikt Sveinsson wrote:

> I have a particular problem with our service structure
>
> We are getting rid of old freeradius servers that have been operational for years and centralizing everything into two radius servers
>
>
> Due to different access networks, some users are connected to BNG services that can only terminate or forward to an LNS.
>
> The users (realm) that are forwarded to the LNS first get a response from our prod radius with modified attributes through the legacy attr file where we add the VPDN config, and are then proxied to the old legacy Radius. Our old LNS then receives the session and authenticates with the legacy radius.
>
> Client -> BNG  - radius to prod Radius – gets VPDN info towards LNS and proxies auth to legacy radius.
> Client -> LNS  - authenticates to the legacy radius
>
> This is all well and good, but we have new LNS routers that are going to be terminating these sessions.
>
> Now the issue is that I need to be able (if possible) to only rewrite the attrs (insert LNS / VPN info) if the request comes from the BNG gateways, as they can't terminate some of the special realms (they only do normal PPPoE users).
> But when the auth request comes from the LNS, it should not get the VPDN config, else it will just loop.
>
> Is it possible to conditionally add the attributes I need based on the NAS / NAS-IP or some other identifier?
> (Basically I'm using the routers both for LNS and to terminate locally.)
>
> I have searched and I'm a bit lost between the legacy config and the "new" one.
>
> - Benni
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Yes. You can add conditions to your server configs. See:

https://networkradius.com/doc/3.0.10/unlang/home.html


Perhaps you could also group your radius clients (Access Servers) into
huntgroups and base your conditions on those huntgroups.

https://wiki.freeradius.org/config/Huntgroups


I solved a similar problem by defining different virtual servers and
defining which client uses which server. See the virtual_server statement in
clients.conf.



Kind regards,

--

sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein





Re: conditional attribute rewrite.

Benedikt Sveinsson
OK

Can I use conditional expressions in the attrs file? I did try, but perhaps I gave up too easily.

Or is there a more modern way of doing this?


- Benni


Re: conditional attribute rewrite.

Alan DeKok-2
On Dec 9, 2020, at 8:42 AM, Benedikt Sveinsson <[hidden email]> wrote:
> Can I use conditional expressions in the attrs file? I did try, but perhaps I gave up too easily.

  You can't.

> Or is there a more modern way of doing this?

  Just use if / then / else

  if (User-Name == "bob") {
          update reply {
                  Reply-Message := "Hello, bob!"
          }
  }

  Look at the debug log to see what the NAS is sending.  Then, write "if" conditions to match that.  And inside of the "if" conditions, put "update" blocks which return the attributes you want.

  It really is that simple.

  The main thing is to write down the if / then / else conditions *before* trying to poke the server config.  That way you know exactly what you want it to do.  All you need then is to get the right syntax in the configuration files.

  People run into issues when they say "I want FreeRADIUS to do stuff", but they don't have a clear picture of what "stuff" means.  "You know, when something happens, I want it to do something!"

  If you write down the rules in plain English, they can be easily transformed into "unlang" statements.  If you have no idea what the rules are in English, it's impossible to write a server configuration which implements those rules.

  Alan DeKok.


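As an added example (written for this page, not code from any of the posters or from the FreeRADIUS project), the two suggestions above combined into one v3 configuration: clients.conf tells the server which RADIUS client is a BNG and which is an LNS, and an unlang if/update block in authorize adds the tunnel attributes only when a BNG sends the request for a realm it cannot terminate. The client addresses, secrets, shortnames, the realm name and the LNS endpoint are placeholders, and the tunnel attributes are assumed to be what the poster's "VPDN info" consists of.

```unlang
# ---- raddb/clients.conf (excerpt) ----
# Constructed example: addresses, shortnames and secrets are placeholders.
# The client entry is what the shared secret authenticated, so the policy
# below keys on %{client:shortname} rather than on NAS-IP-Address, which
# is a value the NAS itself puts in the packet.
client bng1 {
        ipaddr    = 192.0.2.10
        secret    = CHANGE-ME-bng1
        shortname = bng1
}
client lns1 {
        ipaddr    = 192.0.2.20
        secret    = CHANGE-ME-lns1
        shortname = lns1
}

# ---- raddb/sites-enabled/default, inside "authorize { ... }" ----
# Assumes the realm only the LNS can terminate is "special.example"
# (placeholder) and that the "VPDN info" means the RFC 2868 L2TP tunnel
# attributes; adjust to whatever the legacy attr file actually returns.
if ("%{client:shortname}" =~ /^bng/ && &User-Name =~ /@special\.example$/i) {
        # Request came in from a BNG for a realm it cannot terminate:
        # return the tunnel attributes so the BNG forwards the PPP
        # session to the LNS.
        update reply {
                Tunnel-Type            := L2TP
                Tunnel-Medium-Type     := IPv4
                Tunnel-Server-Endpoint := "198.51.100.5"
                Tunnel-Password        := "CHANGE-ME-tunnel"
        }
}
# No else branch is needed: the same user re-authenticating from the
# LNS (client lns1) never matches, gets no tunnel attributes, and is
# terminated locally instead of being looped back to the LNS.
```

Verify it the way the reply above suggests: run the server with `radiusd -X`, send one test request from each client, and check that only the BNG-originated reply carries the Tunnel-* attributes.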