Re: Dynamic Attributes Based on NAS Type !
That's also the way we do it. On Sat, Oct 8, 2011 at 7:48 PM, Michael Hartwick hartw...@hartwick.comwrote: It may not be pretty, but why not just sent all 3 sets of VSA’s. If the NAS doesn’t recognize it won’t it just ignore the attribute? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Dynamic Attributes Based on NAS Type !
Stefan A. wrote: If you read it ‚one of the ideas of having different virtual servers is separation of policies for different NASses’ you are right. Suman was asking on how to send several NASses into the same policy. The simplest way to do it is to set *generic* policies, and then re-write them in post-auth. For example, define a Policy-Name attribute in the dictionary, and set it somewhere in the authorize section. Then: post-auth { ... if (%{client:nas_type} == foo) { // map policies for client foo } elsif (%{client:nas_type} == bar) { // map policies for client bar } ... } The underlying issue is that different NAS vendors have defined different attributes for the same functionality. An even simpler solution is to just return all of the VSAs to each NAS. As was said earlier, each NAS will ignore the ones it doesn't understand, and apply the ones it does. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Dynamic Attributes Based on NAS Type !
Last night i also dreamt of sending all VSA to NAS but i was not sure what will be the outcome so thanks for the info. I have never worked with policies but it seems to be important so i will try to learn the same. Regards Suman On Sun, Oct 9, 2011 at 2:01 PM, Alan DeKok al...@deployingradius.comwrote: Stefan A. wrote: If you read it ‚one of the ideas of having different virtual servers is separation of policies for different NASses’ you are right. Suman was asking on how to send several NASses into the same policy. The simplest way to do it is to set *generic* policies, and then re-write them in post-auth. For example, define a Policy-Name attribute in the dictionary, and set it somewhere in the authorize section. Then: post-auth { ... if (%{client:nas_type} == foo) { // map policies for client foo } elsif (%{client:nas_type} == bar) { // map policies for client bar } ... } The underlying issue is that different NAS vendors have defined different attributes for the same functionality. An even simpler solution is to just return all of the VSAs to each NAS. As was said earlier, each NAS will ignore the ones it doesn't understand, and apply the ones it does. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Dynamic Attributes Based on NAS Type !
Alan wrote: if (%{client:nas_type} == foo) { // map policies for client foo } What would you recommend to do, if your client is a proxy server? NAS-ID? An even simpler solution is to just return all of the VSAs to each NAS. As was said earlier, each NAS will ignore the ones it doesn't understand, and apply the ones it does. Nice idea, as long as a NAS vendor does not introduce another or additional way(/attribute) to do things in never NAS OS Versions. In that case you would possible get in trouble if you have both NAS OS versions in your network and feed them with mixed attributes. Starent did this in the past, where they had a bunch of QoS attributes in one Version and a single Attribute (177) to handle them all at once in never versions. Regards Stefan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Dynamic Attributes Based on NAS Type !
Stefan A. wrote: What would you recommend to do, if your client is a proxy server? NAS-ID? No. Don't send policies back. You don't control the NAS. So you have no business sending it NAS-specific policies. Nice idea, as long as a NAS vendor does not introduce another or additional way(/attribute) to do things in never NAS OS Versions. In that case you would possible get in trouble if you have both NAS OS versions in your network and feed them with mixed attributes. Starent did this in the past, where they had a bunch of QoS attributes in one Version and a single Attribute (177) to handle them all at once in never versions. Yes, well, NAS vendors have been known for doing weird things. Hence RFC 6158. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Dynamic Attributes Based on NAS Type !
Alan wrote: What would you recommend to do, if your client is a proxy server? NAS-ID? No. Don't send policies back. You don't control the NAS. So you have no business sending it NAS-specific policies. I never talked about sending policies to the NAS. The question was, what would be the recommendation, if the RADIUS client is a RADIUS Proxy server (..in between the original NAS and my FR...) In that case, %{client:nas_type} won't work, because it would always be the same (... proxy server) Would one use %{NAS-ID} instead of %{client:nas_type}? Stefan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Dynamic Attributes Based on NAS Type !
Stefan A. wrote: I never talked about sending policies to the NAS. That *was* the subject of conversation. If you're not going to talk about that, start a new thread. The question was, what would be the recommendation, if the RADIUS client is a RADIUS Proxy server (..in between the original NAS and my FR...) In that case, %{client:nas_type} won't work, because it would always be the same (... proxy server) Uh... the nas_type field is whatever you want. Put in nas_type = proxy for a proxy server. You can then key off of that, and send *no* NAS-specific attributes back. Would one use %{NAS-ID} instead of %{client:nas_type}? No. The NAS-Identifier is created by the NAS, which may be 2-3 hops away from the proxy. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Dynamic Attributes Based on NAS Type !
I give up... No time for distorting arguments. Regards Stefan -Original Message- From: freeradius-users- bounces+a.freeradius=premit...@lists.freeradius.org [mailto:freeradius- users-bounces+a.freeradius=premit...@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Sunday, October 09, 2011 7:35 PM To: FreeRadius users mailing list Subject: Re: Dynamic Attributes Based on NAS Type ! Stefan A. wrote: I never talked about sending policies to the NAS. That *was* the subject of conversation. If you're not going to talk about that, start a new thread. The question was, what would be the recommendation, if the RADIUS client is a RADIUS Proxy server (..in between the original NAS and my FR...) In that case, %{client:nas_type} won't work, because it would always be the same (... proxy server) Uh... the nas_type field is whatever you want. Put in nas_type = proxy for a proxy server. You can then key off of that, and send *no* NAS-specific attributes back. Would one use %{NAS-ID} instead of %{client:nas_type}? No. The NAS-Identifier is created by the NAS, which may be 2-3 hops away from the proxy. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Dynamic Attributes Based on NAS Type !
Suman, As you did not say anything about the exact attributes, you will send to the NAC, here is how we do this: we are also using different NAS and have to reply with different VSAs for setting up the QOS. We use the existence of a specific VSAs (specified per NAS type) in the request to select the VSAs to be used in responses. e.g: if we found the Starent Networks VSA 'SN-Service-Type' in the request, we reply with 'SN-QOS-Profile' to set up QoS This is save, as we won't see any Starent VSAs in Cisco or Chillispot NASses. To make this flexible, we have set up our own VSA to configure users QOS, which is then translated into the specific reply attributes for the NAS, the user is currently using. Regards Stefan From: freeradius-users-bounces+a.freeradius=premit...@lists.freeradius.org [mailto:freeradius-users-bounces+a.freeradius=premit...@lists.freeradius.org ] On Behalf Of Suman Dash Sent: Saturday, October 08, 2011 4:40 PM To: FreeRadius users mailing list Subject: Dynamic Attributes Based on NAS Type ! Hi Everyone ... Currently i am planning to integrate freeradius with different NAS like Chillispot , Cisco etc and enable roaming users so that they can log in from any of the NAS. As the reply items are different with different NAS , i am looking for ideas how to enable a single user to roam and connect from different NAS. In my case i think static reply items are not possible per user wise or per groupwise so my question is what trick can be used to achieve the same. I had not tried anything as i have no clue on the same so some highlights on the approach will be a good starting point for me. Cheers Suman - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Dynamic Attributes Based on NAS Type !
To be specific , I am concerned about the QoS VSA's . For Example. Mikrotik NAS - Mikrotik-Rate-Limit Chillispot - Chillispot-Max-UP , Chillispot-Max-Down Cisco - Cisco-Policy-UP , Cisco-Policy-Down Now if the user logged from different NAS's the VSA will differ so it is not possible to have a single entry in radgroupreply or radreply pertaining to a kind of NAS. I guess that this is not an out of the box feature in freeradius , instead i need to use some kind of custom script in Post-Auth section which will check the NAS Type and reply out the correct VSA's I am looking for a unique identifier from NAS by which freeradius can understand what type of NAS it is. I tried it and it seems that i have no control on the Access-Request sent by NAS to freeradius. The only idea which currently comes into my mind is to use nas.type value in DB but incase the NAS Type is incorrectly specified reply attributes will go nuts . So any idea if there are any unique identifiers ? Regards Suman On Sat, Oct 8, 2011 at 9:40 PM, Stefan A. a.freerad...@premit.de wrote: ** ** Suman, As you did not say anything about the exact attributes, you will send to the NAC, here is how we do this: ** ** we are also using different NAS and have to reply with different VSAs for setting up the QOS. We use the “existence of a specific VSAs” (specified per NAS type) in the request to select the VSAs to be used in responses. ** ** e.g: if we found the Starent Networks VSA ‘SN-Service-Type’ in the request, we reply with ‘SN-QOS-Profile’ to set up QoS This is save, as we won’t see any Starent VSAs in Cisco or Chillispot NASses. ** ** To make this flexible, we have set up our own VSA to configure users QOS, which is then translated into the specific reply attributes for the NAS, the user is currently using. ** ** Regards Stefan ** ** *From:* freeradius-users-bounces+a.freeradius= premit...@lists.freeradius.org [mailto: freeradius-users-bounces+a.freeradius=premit...@lists.freeradius.org] *On Behalf Of *Suman Dash *Sent:* Saturday, October 08, 2011 4:40 PM *To:* FreeRadius users mailing list *Subject:* Dynamic Attributes Based on NAS Type ! ** ** Hi Everyone ... Currently i am planning to integrate freeradius with different NAS like Chillispot , Cisco etc and enable roaming users so that they can log in from any of the NAS. As the reply items are different with different NAS , i am looking for ideas how to enable a single user to roam and connect from different NAS. In my case i think static reply items are not possible per user wise or per groupwise so my question is what trick can be used to achieve the same. I had not tried anything as i have no clue on the same so some highlights on the approach will be a good starting point for me. Cheers Suman - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Dynamic Attributes Based on NAS Type !
It may not be pretty, but why not just sent all 3 sets of VSA's. If the NAS doesn't recognize it won't it just ignore the attribute? From: freeradius-users-bounces+hartwick=hartwick@lists.freeradius.org [mailto:freeradius-users-bounces+hartwick=hartwick@lists.freeradius.org] On Behalf Of Suman Dash Sent: Saturday, October 08, 2011 13:08 To: FreeRadius users mailing list Subject: Re: Dynamic Attributes Based on NAS Type ! To be specific , I am concerned about the QoS VSA's . For Example. Mikrotik NAS - Mikrotik-Rate-Limit Chillispot - Chillispot-Max-UP , Chillispot-Max-Down Cisco - Cisco-Policy-UP , Cisco-Policy-Down Now if the user logged from different NAS's the VSA will differ so it is not possible to have a single entry in radgroupreply or radreply pertaining to a kind of NAS. I guess that this is not an out of the box feature in freeradius , instead i need to use some kind of custom script in Post-Auth section which will check the NAS Type and reply out the correct VSA's I am looking for a unique identifier from NAS by which freeradius can understand what type of NAS it is. I tried it and it seems that i have no control on the Access-Request sent by NAS to freeradius. The only idea which currently comes into my mind is to use nas.type value in DB but incase the NAS Type is incorrectly specified reply attributes will go nuts . So any idea if there are any unique identifiers ? Regards Suman On Sat, Oct 8, 2011 at 9:40 PM, Stefan A. a.freerad...@premit.de wrote: Suman, As you did not say anything about the exact attributes, you will send to the NAC, here is how we do this: we are also using different NAS and have to reply with different VSAs for setting up the QOS. We use the existence of a specific VSAs (specified per NAS type) in the request to select the VSAs to be used in responses. e.g: if we found the Starent Networks VSA 'SN-Service-Type' in the request, we reply with 'SN-QOS-Profile' to set up QoS This is save, as we won't see any Starent VSAs in Cisco or Chillispot NASses. To make this flexible, we have set up our own VSA to configure users QOS, which is then translated into the specific reply attributes for the NAS, the user is currently using. Regards Stefan From: freeradius-users-bounces+a.freeradius=premit...@lists.freeradius.org [mailto:freeradius-users-bounces+a.freeradius mailto:freeradius-users-bounces%2Ba.freeradius =premit...@lists.freeradius.org] On Behalf Of Suman Dash Sent: Saturday, October 08, 2011 4:40 PM To: FreeRadius users mailing list Subject: Dynamic Attributes Based on NAS Type ! Hi Everyone ... Currently i am planning to integrate freeradius with different NAS like Chillispot , Cisco etc and enable roaming users so that they can log in from any of the NAS. As the reply items are different with different NAS , i am looking for ideas how to enable a single user to roam and connect from different NAS. In my case i think static reply items are not possible per user wise or per groupwise so my question is what trick can be used to achieve the same. I had not tried anything as i have no clue on the same so some highlights on the approach will be a good starting point for me. Cheers Suman - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Dynamic Attributes Based on NAS Type !
Norbert, sorry, but you are taking a sledgehammer to crack the nut. If you read it one of the ideas of having different virtual servers is separation of policies for different NASses you are right. Suman was asking on how to send several NASses into the same policy. Regards Stefan From: freeradius-users-bounces+a.freeradius=premit...@lists.freeradius.org [mailto:freeradius-users-bounces+a.freeradius=premit...@lists.freeradius.org ] On Behalf Of Wegener, Norbert Sent: Saturday, October 08, 2011 8:02 PM To: FreeRadius users mailing list Subject: AW: Dynamic Attributes Based on NAS Type ! The general idea is to setup a virtual server for each type of NAS and make sure, that every NAS is loaded into the correct virtual server. With best regards, _ Norbert Wegener Siemens IT Solutions and Services AIS MS NC PSU SDC Bruchstraße 5 45883 Gelsenkirchen, Germany Tel.: +49 (209) 94565716 Fax: +49 (201) 8165581284 mailto:norbert.wege...@atos.net Atos IT Solutions and Services GmbH; Geschäftsführung: Winfried Holz, Christian Oecking, Rainer-Christian Koppitz; Vorsitzender des Aufsichtsrats: Charles Dehelly; Sitz der Gesellschaft: München, Deutschland; Registergericht: München, HRB 184933. _ Von: freeradius-users-bounces+norbert.wegener=atos@lists.freeradius.org [freeradius-users-bounces+norbert.wegener=atos@lists.freeradius.org] im Auftrag von Suman Dash [sumand...@gmail.com] Gesendet: Samstag, 8. Oktober 2011 16:39 Bis: FreeRadius users mailing list Betreff: Dynamic Attributes Based on NAS Type ! Hi Everyone ... Currently i am planning to integrate freeradius with different NAS like Chillispot , Cisco etc and enable roaming users so that they can log in from any of the NAS. As the reply items are different with different NAS , i am looking for ideas how to enable a single user to roam and connect from different NAS. In my case i think static reply items are not possible per user wise or per groupwise so my question is what trick can be used to achieve the same. I had not tried anything as i have no clue on the same so some highlights on the approach will be a good starting point for me. Cheers Suman - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html