Hi,
I'm trying to accept two Filter-Id attributes that are sent back to me from a
VISP's RADIUS server.
NAS -> Proxy AAA -> VISP AAA.
Let's start at the Proxy AAA:
DEFAULT Suffix =~ "[EMAIL PROTECTED]"
        Cisco-AVPair = "ip:addr-pool=serendipity",
        Filter-Id = "serendipity_standard_dial_in_10.in",
        Filter-Id += "serendipity_standard_dial_out_10.out",
        Idle-Timeout = 0,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Fall-Through = No
Some users ([EMAIL PROTECTED]) send back different Filter-Id's (/both/ .in and
.out) to that defined in the users file, so my Filter-ID's that must be sent
back to the NAS should look like:
...
Filter-Id = "serendipity_dial_in_6.in"
Filter-Id = "serendipity_dial_in_6.out"
...
The problem is that the VISP's RADIUS server is sending back the correct
Filter-Id's, but FreeRADIUS is overriding the "out" ACL with
serendipity_standard_dial_out_10.out.
If the .in Filter-ID is "=" and the .out Filter-ID is "+=", this is the result:
Packet-Type = Access-Accept
Mon May 9 11:23:46 2005
Service-Type = Framed-User
Filter-Id = "serendipity_dial_in_6.in"
Filter-Id = "serendipity_dial_in_6.out"
Framed-IP-Netmask = 255.255.255.255
Reply-Message = "annex:"
Cisco-AVPair = "ip:addr-pool=serendipity"
Filter-Id += "serendipity_standard_dial_out_10.out"
Idle-Timeout = 0
Framed-Protocol = PPP
.. on the NAS the ACL applied:
Access list (I/O) is serendipity_dial_in_6/serendipity_standard_dial_out_10,
default (I/O) not set/not set
If I change my Filter-ID's to "+="'s in both instances in my users file:
Access list (I/O) is
serendipity_standard_dial_in_10/serendipity_standard_dial_out_10, default (I/O)
not set/not set
I can unfortunately not apply a default ACL on my Virtual Template interface on
the NAS, as the 'default' ACL is different for two major ISPs that make use of
the same dial-up infrastructure.
Any quick wins?
Jaco
--
[EMAIL PROTECTED]
the faculty of making fortunate discoveries
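
Added example, not part of the original post and not FreeRADIUS code: a small Python model of the users-file reply operators that reproduces both access-list results reported above. It assumes "=" adds an attribute only when it is absent, "+=" always appends, ":=" replaces, and that the NAS applies the last Filter-Id it sees for each suffix (inferred from the output in the post); all function names are hypothetical.

```python
# Added illustration: a model of users-file reply operators, not FreeRADIUS code.
# Assumptions: "=" adds only if the attribute is absent, "+=" always appends,
# ":=" replaces; the NAS applies the last Filter-Id seen for each suffix.

# Filter-Ids returned by the VISP RADIUS server (values from the post).
PROXY_REPLY = [
    ("Filter-Id", "serendipity_dial_in_6.in"),
    ("Filter-Id", "serendipity_dial_in_6.out"),
]


def apply_reply_items(reply, items):
    """Apply (attribute, operator, value) items onto a copy of the reply list."""
    merged = list(reply)
    for attr, op, value in items:
        present = any(name == attr for name, _ in merged)
        if op == "=" and present:
            continue  # "=": skipped because the attribute already exists
        if op == ":=":
            merged = [(n, v) for n, v in merged if n != attr]
        merged.append((attr, value))  # "+=" and the remaining cases append
    return merged


def nas_acl(reply):
    """Return the (in, out) ACL names, letting the last Filter-Id per suffix win."""
    acl = {"in": None, "out": None}
    for attr, value in reply:
        if attr == "Filter-Id" and "." in value:
            name, suffix = value.rsplit(".", 1)
            if suffix in acl:
                acl[suffix] = name
    return acl["in"], acl["out"]


def users_entry(op_in, op_out):
    """The two Filter-Id reply items from the DEFAULT entry, with chosen operators."""
    return [
        ("Filter-Id", op_in, "serendipity_standard_dial_in_10.in"),
        ("Filter-Id", op_out, "serendipity_standard_dial_out_10.out"),
    ]


if __name__ == "__main__":
    for ops in (("=", "+="), ("+=", "+=")):
        merged = apply_reply_items(PROXY_REPLY, users_entry(*ops))
        print(ops, "->", "/".join(nas_acl(merged)))
```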