At 04:30 PM 4/26/2002 -0200, Eddie Stassen wrote:
>At 08:47 AM 02/04/26 -0500, you wrote:
>>At 02:08 PM 4/26/2002 -0200, Eddie Stassen wrote:
>>>Hi,
>>>
>>>I have posted a patch for this on the developers list, but there has
>>>been no response yet so I'm wondering if this patch would be as useful
>>>to others as it is for me. Basically it allows one to specify a check
>>>list in the realm config which would then be checked before a request is
>>>proxied. e.g.:
>>>
>>>realm company.com {
>>> authhost = 10.0.0.1:1645
>>> accthost = 10.0.0.1:1646
>>> secret = mysecret
>>> check = "Called-Station-Id == 1234,NAS-Port-Type <= 2"
>>>}
>>>
>>>If the incoming request for realm mycompany.com does not match the items
>>>in 'check', rlm_realm will not set the Proxy-To-Realm attribute and the
>>>request will not be proxied. Omitting 'check' from the config would
>>>allow realms to be proxied as usual.
>>>
>>>Any Comments?
>>
>>Why is it not possible to simply do this in the 'users' file with:
>>
>>DEFAULT Called-Station-Id == 1234, Proxy-To-Realm := "company.com"
>> Fall-Through = No
>
>The problem is when you use the files method in conjunction with rlm_realm
>it would still be possible to be proxied without the checks being
>done. If for example you had:
>
>authorize {
> suffix
> files
>}
>and in users:
>
>DEFAULT Suffix == "@company.com",Called-Station-Id == 1234,
>Proxy-To-Realm := "company.com"
> Fall-Through = No
>
>then the Proxy-To-Realm attribute for '[EMAIL PROTECTED]' would be set by
>rlm_realm before the users file got hold of it and the request would be
>sent on.
Then simply change the order of the 'authorize' block, so that files is
called first.
Or better, have a separate 'fastusers' instance that uses a different
'users' file without a DEFAULT entry ( so that it returns NOTFOUND if
nothing matches ).
>One way of getting past this is to simply not use rlm_realm and have
>DEFAULT entries for all your realms, including the various combinations of
>Prefixes/suffixes etc. Seems that the rlm_realm was designed to deal with
>realms and therefore checks should be done there. Not a big deal, just a
>little tidier IMO.
Perhaps, though I'd rather not duplicate functionality that's already
there. I'm a minimalist, so I prefer to keep the modules simple in what
they do unless there isn't another way already of doing what you want.
-Chris
--
\\\|||/// \ StarNet Inc. \ Chris Parker
\ ~ ~ / \ WX *is* Wireless! \ Director, Engineering
| @ @ | \ http://www.starnetwx.net \ (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
\ Wholesale Internet Services - http://www.megapop.net
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
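As an added illustration that is not part of the thread or of FreeRADIUS itself, the following Python model shows the semantics of the proposed realm 'check' list: each comma-separated item is an attribute, an operator and a value, every item must hold against the incoming request for Proxy-To-Realm to be set, and omitting the check proxies as usual. The function names, the integer-versus-string comparison rule (real RADIUS attributes are typed by the dictionary) and the sample requests are assumptions of this example.

```python
# Added example: a small model of the 'check' list that the posted
# rlm_realm patch proposes. Not FreeRADIUS code; names are hypothetical.
import operator
import re
from typing import Dict, List, Optional, Tuple

# Comparison operators a check item may use; the thread shows == and <=.
OPERATORS = {
    "==": operator.eq,
    "!=": operator.ne,
    "<=": operator.le,
    ">=": operator.ge,
    "<": operator.lt,
    ">": operator.gt,
}

# One item: Attribute-Name, operator, value (value optionally double-quoted).
_ITEM_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(==|!=|<=|>=|<|>)\s*"?([^"]*?)"?\s*$')

CheckItem = Tuple[str, str, str]


def parse_check_list(text: str) -> List[CheckItem]:
    """Split 'Attr op value,Attr op value' into (attr, op, value) tuples."""
    items: List[CheckItem] = []
    for raw in text.split(","):
        if not raw.strip():
            continue
        match = _ITEM_RE.match(raw)
        if match is None:
            raise ValueError(f"malformed check item: {raw!r}")
        attr, op, value = match.groups()
        items.append((attr, op, value))
    return items


def _comparable(have: str, want: str):
    """Compare as integers when both sides parse as integers, else as strings.
    Simplification: real attributes are typed by the RADIUS dictionary."""
    try:
        return int(have), int(want)
    except ValueError:
        return have, want


def check_passes(items: List[CheckItem], request: Dict[str, str]) -> bool:
    """All items must hold; an attribute missing from the request fails the check."""
    for attr, op, want in items:
        if attr not in request:
            return False
        lhs, rhs = _comparable(request[attr], want)
        if not OPERATORS[op](lhs, rhs):
            return False
    return True


def realm_decision(request: Dict[str, str], realm: str,
                   check: Optional[str] = None) -> Dict[str, str]:
    """Model the patched rlm_realm for one configured realm.

    Returns the attributes the module would add: Proxy-To-Realm when the
    User-Name suffix names this realm and the check list (if any) passes,
    otherwise nothing. check=None models a realm block with no 'check' line.
    """
    user = request.get("User-Name", "")
    if "@" not in user or user.rsplit("@", 1)[1] != realm:
        return {}
    if check is not None and not check_passes(parse_check_list(check), request):
        return {}
    return {"Proxy-To-Realm": realm}


if __name__ == "__main__":
    # Constructed sample requests (not taken from the thread).
    matching = {"User-Name": "bob@company.com", "Called-Station-Id": "1234",
                "NAS-Port-Type": "0"}
    wrong_station = dict(matching, **{"Called-Station-Id": "5678"})
    check = "Called-Station-Id == 1234,NAS-Port-Type <= 2"
    print(realm_decision(matching, "company.com", check))       # {'Proxy-To-Realm': 'company.com'}
    print(realm_decision(wrong_station, "company.com", check))  # {} : stays local
    print(realm_decision(wrong_station, "company.com"))         # {'Proxy-To-Realm': 'company.com'}
```

The model also makes the thread's ordering point visible: only the realm module itself can apply the check before Proxy-To-Realm exists, whereas a users-file DEFAULT entry consulted after 'suffix' sees an attribute that has already been set.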