Hi,
I have "similar" settings that are definitely working, here they are:

    Ascend-Client-Primary-DNS = "x.x.x.x",
    Ascend-Client-Secondary-DNS = "x.x.x.x",
    Ascend-Data-Filter = "ip in forward dstip x.x.x.x/24",
    Ascend-Data-Filter = "ip in drop",
    Ascend-Data-Filter = "ip out forward",
    X-Ascend-Client-Primary-DNS = "x.x.x.x",
    X-Ascend-Client-Secondary-DNS = "x.x.x.x",
    X-Ascend-Data-Filter = "ip in forward dstip x.x.x.x/24",
    X-Ascend-Data-Filter = "ip in drop",
    X-Ascend-Data-Filter = "ip out forward"

When I use radtest, here is the output:

Sending Access-Request of id 186 to 127.0.0.1:1645
    User-Name = "xxxx"
    Password = "xxxx"
    NAS-IP-Address = auth01
    NAS-Port-Id = "1"
rad_recv: Access-Accept packet from host 127.0.0.1:1645, id=186, length=308
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Framed-IP-Address = 255.255.255.254
    Framed-MTU = 576
    Framed-Compression = Van-Jacobson-TCP-IP
    Ascend-Client-Primary-DNS = x.x.x.x
    Ascend-Client-Secondary-DNS = x.x.x.x
    Ascend-Data-Filter = "ip input forward 0 dstip x.x.x.x/24"
    Ascend-Data-Filter = "ip input drop 0"
    Ascend-Data-Filter = "ip output forward 0"
    X-Ascend-Client-Primary-DNS = x.x.x.x
    X-Ascend-Client-Secondary-DNS = x.x.x.x
    X-Ascend-Data-Filter = "ip input forward 0 dstip x.x.x.x/24"
    X-Ascend-Data-Filter = "ip input drop 0"
    X-Ascend-Data-Filter = "ip output forward 0"

Regards,
Edgard Castro <[EMAIL PROTECTED]>
Infrastructure Manager - iBEST S/A.
+55 (21) 2220-2211 / +55 (21) 9146-2934
http://www.ibest.com.br
> -----Original Message-----
> From: Charlie Watts [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 11, 2002 10:20 PM
> To: [EMAIL PROTECTED]
> Subject: Re: rlm_attr_filter + Ascend-Data-Filter
>
>
> On Mon, 11 Mar 2002, Chris Parker wrote:
> > At 10:18 AM 3/11/2002 -0700, Charlie Watts wrote:
> > >I'm having trouble with rlm_attr_filter and Ascend-Data-Filter.
> > >
> > >attrs:
> > >acsinc.net
> > > Ascend-Data-Filter := "ip in forward tcp est",
> > > Ascend-Data-Filter := "ip in forward dstip 199.45.141.0/24",
> > > Ascend-Data-Filter := "ip in drop tcp dstport = 25",
> > > Ascend-Data-Filter := "ip in forward"
> >
> > Hmmm, perhaps try using the += operator there.
>
> I don't get them back at all when I use +=. And looking at the docs &
> source, += doesn't seem to be supported.
>
> > >And here's some output from the debug log:
> > >Sending Access-Accept of id 173 to 199.45.141.1:1026
> > > Ascend-Data-Filter = "ip input forward 0"
> > > Ascend-Data-Filter = "ip input forward 0"
> > > Ascend-Data-Filter = "ip output drop 0"
> > > Ascend-Data-Filter = "ip input forward 0"
> >
> > Here they are set as separate attributes, so it's not a problem with
> > the rlm_attr_filter module.
>
> So is it in rlm_attr_filter or the core that the attributes are getting
> mangled?
>
> > >And here's what I get back: Vendor-Specific =
> > >"V529:T242:L34::T1:L1::T1:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0:"
> >
> > What is this output from?
>
> Hrm, that's a non-freeradius "radtest" client. I was assuming that was the
> non-decoded binary Ascend-Data-Filter, but it might just be garbage. The
> freeradius "radtest" returns the same thing that the debug log shows.
>
> I uncommented your DEBUG2 lines in rlm_attr_filter.c and re-compiled.
> Here's an example of what I see when using the := syntax:
>
> modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
> attr_filter: Matched entry realm.test at line 79
> attr_filter: creating vp Service-Type - 1 - 2
> attr_filter: creating vp Login-Service - 1 - 1
> attr_filter: creating vp Ascend-Data-Filter - 4 - 0
> attr_filter: creating vp Ascend-Data-Filter - 4 - 0
> attr_filter: creating vp Ascend-Data-Filter - 4 - 0
> attr_filter: creating vp Ascend-Data-Filter - 4 - 0
> modcall[authorize]: module "attr_filter" returns updated
> modcall[authorize]: module "suffix" returns ok
> modcall[authorize]: module "files" returns notfound
> modcall: group authorize returns updated
> rad_check_password: Found Auth-Type
> rad_check_password: Auth-Type = Accept, accepting the user
> Login OK: [[EMAIL PROTECTED]] (from nas UNKNOWN-NAS port 0)
> Sending Access-Accept of id 230 to 199.45.200.140:1484
> Service-Type = Framed-User
> Login-Service = Rlogin
> Ascend-Data-Filter = "ip input forward 0"
> Ascend-Data-Filter = "ip input forward 0"
> Ascend-Data-Filter = "ip output drop 0"
> Ascend-Data-Filter = "ip input forward 0"
> Finished request 0
>
> It doesn't work even if I just use one Ascend-Data-Filter:
>
> realm.test
> Ascend-Data-Filter := "ip in forward dstip 199.45.141.0/24"
>
> Still comes out as "ip input forward 0".
>
> (I see some comments in the source about Fall-Through being incomplete. I
> notice that it -always- falls through, despite Fall-Through = No being
> set.)
>
> Appreciate your time.
>
> --
> Charlie Watts
> [EMAIL PROTECTED]
> Frontier Internet, Inc.
> http://www.frontier.net/
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
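
Added example, not part of the original thread or of FreeRADIUS: a small Python check that compares the Ascend-Data-Filter strings configured for an entry with the ones printed in the Access-Accept, run over the values quoted in the two messages above. A filter that comes back without its conditions, or with a different direction, means the NAS enforces a different policy from the configured one. The names parse_filter and audit are made up here, and treating the bare 0 in the printed form as an empty protocol field is an assumption.

```python
# Direction keywords on the page: config files use in/out, the server prints input/output.
DIRECTIONS = {"in": "input", "input": "input", "out": "output", "output": "output"}

def parse_filter(text):
    """Return (type, direction, action, conditions) for one Ascend-Data-Filter string."""
    tokens = text.strip().strip('"').split()
    if len(tokens) < 3 or tokens[1] not in DIRECTIONS or tokens[2] not in ("forward", "drop"):
        raise ValueError("unrecognised filter: %r" % text)
    # Assumption: the bare "0" in the printed form is an empty protocol field,
    # and "=" is only punctuation, so neither counts as a match condition.
    conditions = frozenset(t for t in tokens[3:] if t not in ("0", "="))
    return tokens[0], DIRECTIONS[tokens[1]], tokens[2], conditions

def audit(configured, returned):
    """Compare filters pairwise, in order; return a list of (index, problem)."""
    findings = []
    if len(configured) != len(returned):
        findings.append((None, "count differs: %d configured, %d returned"
                         % (len(configured), len(returned))))
    for i, (want, got) in enumerate(zip(configured, returned)):
        w, g = parse_filter(want), parse_filter(got)
        if w[:3] != g[:3]:
            findings.append((i, "changed: %s -> %s" % (" ".join(w[:3]), " ".join(g[:3]))))
        lost = w[3] - g[3]
        if lost:
            findings.append((i, "match conditions lost: " + " ".join(sorted(lost))))
    return findings

# Values copied from the two messages in this thread.
WORKING_CFG = ["ip in forward dstip x.x.x.x/24", "ip in drop", "ip out forward"]
WORKING_RET = ["ip input forward 0 dstip x.x.x.x/24", "ip input drop 0",
               "ip output forward 0"]
MANGLED_CFG = ["ip in forward tcp est", "ip in forward dstip 199.45.141.0/24",
               "ip in drop tcp dstport = 25", "ip in forward"]
MANGLED_RET = ["ip input forward 0", "ip input forward 0",
               "ip output drop 0", "ip input forward 0"]

if __name__ == "__main__":
    print("working set:", audit(WORKING_CFG, WORKING_RET))
    for idx, problem in audit(MANGLED_CFG, MANGLED_RET):
        print("filter", idx, problem)
```
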