At 01:47 PM 5/13/2002 -0600, [EMAIL PROTECTED] wrote:
>Here is my setup:
>
>user -> cisco AS5200 -> radius1 -> radius2
>
>radius1 is running the FR snapshot from 5/12/2002 and radius2 is a
>Secure Computing radius server. Both of these are under my control.
>
>radius1 is set up to proxy requests to radius2. This works as expected
>if I dial up as 'user' or use the radtest program.
>
>radius2 seems to only reply with a Service-Type of Authentication-Only,
>which is fine, but this gets passed back to the cisco AS5200 which
>will only allow logins and not Framed sessions.
>
>What I really need to happen is that radius1 only uses radius2 to check
>the username and password, but it will set the radius attributes itself
>so I can do Framed-User, etc.
>
>So, is there a way to configure FR to only talk to a remote radius server
>to figure out if the user has a correct password, but for it to set the
>rest of the attributes itself?

Yes. Use the module 'rlm_attr_filter' to basically strip all the attributes
returned by the remote server. The following entries should do it. Note
that unless explicitly permitted, 'rlm_attr_filter' will not permit an
attribute through.

attrs:

realm.com
        Class =* ANY,
        Proxy-State =* ANY

users:

DEFAULT
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-IP-Netmask = 255.255.255.255,
        ...

-Chris
--
\\\|||/// \ StarNet Inc. \ Chris Parker
\ ~ ~ / \ WX *is* Wireless! \ Director, Engineering
| @ @ | \ http://www.starnetwx.net \ (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
\ Wholesale Internet Services - http://www.megapop.net
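
Added example, not part of the original message and not FreeRADIUS code: a simplified Python model of the default-deny filtering described in the reply, showing the Service-Type from radius2 being dropped before the locally configured attributes are sent to the NAS. The function names, the sample proxy reply values and the merge step are assumptions; only the `=*` and `==` operators are modelled.

```python
import re

# Constructed sample: the attrs entry from the reply above.
ATTRS = """\
realm.com
    Class =* ANY,
    Proxy-State =* ANY
"""
# Constructed proxy reply from radius2, and the users-file attributes on radius1.
PROXY_REPLY = [("Service-Type", "Authenticate-Only"),
               ("Class", "0x6578616d706c65"),
               ("Proxy-State", "0x31")]
LOCAL_REPLY = [("Framed-Protocol", "PPP"),
               ("Framed-IP-Address", "255.255.255.254"),
               ("Framed-IP-Netmask", "255.255.255.255")]

def parse_attrs(text):
    """Return {realm: [(attribute, operator, value), ...]}."""
    rules, realm = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line starts a realm entry
            realm = line.strip()
            rules[realm] = []
            continue
        m = re.match(r"\s*([\w-]+)\s*(=\*|==)\s*(.+?),?\s*$", line)
        if m is None or realm is None:
            raise ValueError(f"unparsable rule: {raw!r}")
        rules[realm].append(m.groups())
    return rules

def filter_reply(rules, realm, reply):
    """Default deny: keep a pair only if a rule for this realm permits it."""
    kept = []
    for name, value in reply:
        for attr, op, want in rules[realm]:
            if attr == name and (op == "=*" or (op == "==" and want == value)):
                kept.append((name, value))
                break
    return kept

def access_accept(rules, realm, proxy_reply, local_reply):
    """Simplified merge: filtered proxy attributes plus the local ones."""
    return filter_reply(rules, realm, proxy_reply) + list(local_reply)

if __name__ == "__main__":
    for pair in access_accept(parse_attrs(ATTRS), "realm.com", PROXY_REPLY, LOCAL_REPLY):
        print("%s = %s" % pair)
```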