At 08:47 AM 02/04/26 -0500, you wrote:
>At 02:08 PM 4/26/2002 -0200, Eddie Stassen wrote:
>>Hi,
>>
>>I have posted a patch for this on the developers list, but there has been
>>no response yet so I'm wondering if this patch would be as useful to
>>others as it is for me. Basically it allows one to specify a check list
>>in the realm config which would then be checked before a request is
>>proxied. e.g.:
>>
>>realm company.com {
>> authhost = 10.0.0.1:1645
>> accthost = 10.0.0.1:1646
>> secret = mysecret
>> check = "Called-Station-Id == 1234,NAS-Port-Type <= 2"
>>}
>>
>>If the incoming request for realm mycompany.com does not match the items
>>in 'check', rlm_realm will not set the Proxy-To-Realm attribute and the
>>request will not be proxied. Omitting 'check' from the config would
>>allow realms to be proxied as usual.
>>
>>Any Comments?
>
>Why is it not possible to simply do this in the 'users' file with:
>
>DEFAULT Called-Station-Id == 1234, Proxy-To-Realm := "company.com"
> Fall-Through = No

The problem is when you use the files method in conjunction with rlm_realm
it would still be possible to be proxied without the checks being done. If
for example you had:

authorize {
    suffix
    files
}

and in users:

DEFAULT Suffix == "@company.com", Called-Station-Id == 1234, Proxy-To-Realm := "company.com"
    Fall-Through = No

then the Proxy-To-Realm attribute for '[EMAIL PROTECTED]' would be set by
rlm_realm before the users file got hold of it and the request would be
sent on. One way of getting past this is to simply not use rlm_realm and
have DEFAULT entries for all your realms, including the various
combinations of Prefixes/suffixes etc. Seems that the rlm_realm was
designed to deal with realms and therefore checks should be done there. Not
a big deal, just a little tidier IMO.

Eddie
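
The ordering problem described in the message above, as an added Python model that is not part of the original post and is not FreeRADIUS code: `suffix` stands in for rlm_realm and `files` for the users file. The `honour_check` flag, the function names and the sample request (including the username) are constructed assumptions.

```python
# Added model of the authorize ordering in this thread; not FreeRADIUS code. Sample data is constructed.
import operator
import re

OPS = {"==": operator.eq, "!=": operator.ne, "<=": operator.le,
       ">=": operator.ge, "<": operator.lt, ">": operator.gt}
ITEM = re.compile(r'\s*([\w-]+)\s*(==|!=|<=|>=|<|>)\s*"?([^",]*?)"?\s*$')

def parse_check(text):
    """Split 'Attr op value,Attr op value' (no commas inside values)."""
    items = [ITEM.match(part) for part in text.split(",")]
    if not all(items):
        raise ValueError(f"bad check list: {text!r}")
    return [m.groups() for m in items]

def matches(request, items):
    """True only if every item holds; a missing attribute fails the check."""
    def holds(attr, op, want):
        have = request.get(attr)
        if have is not None and have.isdigit() and want.isdigit():
            have, want = int(have), int(want)  # numeric compare, e.g. NAS-Port-Type <= 2
        return have is not None and OPS[op](have, want)
    return all(holds(*item) for item in items)

def suffix(request, realms, honour_check):
    """Stand-in for rlm_realm: set Proxy-To-Realm from the User-Name suffix."""
    _, sep, realm = request["User-Name"].rpartition("@")
    if not sep or realm not in realms:
        return
    check = realms[realm].get("check")
    if honour_check and check and not matches(request, parse_check(check)):
        return  # proposed behaviour: Proxy-To-Realm stays unset, no proxying
    request["Proxy-To-Realm"] = realm

def files(request, users):
    """Stand-in for the users file: a non-matching DEFAULT changes nothing."""
    for check, realm in users:
        if matches(request, parse_check(check)):
            request["Proxy-To-Realm"] = realm
            return

def authorize(request, realms, users, honour_check):
    state = dict(request)  # copy so the caller's request is untouched
    suffix(state, realms, honour_check)
    files(state, users)
    return state.get("Proxy-To-Realm")

REALMS = {"company.com": {"check": "Called-Station-Id == 1234,NAS-Port-Type <= 2"}}
USERS = [("Called-Station-Id == 1234", "company.com")]
WRONG_NUMBER = {"User-Name": "alice@company.com", "Called-Station-Id": "9999", "NAS-Port-Type": "0"}
```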