[EMAIL PROTECTED] wrote: > > I cant see WHY the VLAN info needs to reach other sites at all...perhaps > the National Proxy should be stripping out such things? anyway, if memory > Alan, your logic sounds fine but it has two flaws: 1. you should not depend on someone whom you cannot control to do the work for you. 2. some countries already made decisions that the national proxy MUST NOT interfere with the stuff sent in the radius packets. It was argued by some colleagues that for instance two institutions could have an explicit agreement and honor each other's VLAN settings.
Actually we did manage do fix that thing using rlm_perl in postauth section. rlm_perl was hacked a bit so that it would be able to delete attributes. I really think that this is a perfectly natural need to be able to control attributes sent when the request comes from am outside proxy. The approach based on NAS IP Address is not correct, since NAS addresses are often from private address space and can repeat in various institutions. Tomasz - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
