Accepting Filter-Id attributes from remote RADIUS server

This is a discussion on Accepting Filter-Id attributes from remote RADIUS server within the FreeRADIUS Users forums, part of the Networking and Network Related category.

Jaco Engelbrecht, 05-18-2005

Hi,

I'm trying to accept two Filter-Id attributes that are sent back to me from a VISP's RADIUS server.

NAS -> Proxy AAA -> VISP AAA.

Let's start at the Proxy AAA:

DEFAULT Suffix =~ "\@serendipity$"
        Cisco-AVPair = "ip:addr-pool=serendipity",
        Filter-Id = "serendipity_standard_dial_in_10.in",
        Filter-Id += "serendipity_standard_dial_out_10.out",
        Idle-Timeout = 0,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Fall-Through = No

Some users (dial6@serendipity) send back different Filter-Id's (/both/ .in and .out) to that defined in the users file, so my Filter-ID's that must be sent back to the NAS should look like:

...
Filter-Id = "serendipity_dial_in_6.in"
Filter-Id = "serendipity_dial_in_6.out"
...


The problem is that the VISP's RADIUS server is sending back the correct Filter-Id's, but FreeRADIUS is overriding the "out" ACL with serendipity_standard_dial_out_10.out.

If the .in Filter-ID is "=" and the .out Filter-ID is "+=", this is the result:

Packet-Type = Access-Accept
Mon May 9 11:23:46 2005
Service-Type = Framed-User
Filter-Id = "serendipity_dial_in_6.in"
Filter-Id = "serendipity_dial_in_6.out"
Framed-IP-Netmask = 255.255.255.255
Reply-Message = "annex:"
Cisco-AVPair = "ip:addr-pool=serendipity"
Filter-Id += "serendipity_standard_dial_out_10.out"
Idle-Timeout = 0
Framed-Protocol = PPP


... on the NAS the ACL applied:

Access list (I/O) is serendipity_dial_in_6/serendipity_standard_dial_out_10, default (I/O) not set/not set

If I change my Filter-ID's to "+="'s in both instances in my users file:

Access list (I/O) is serendipity_standard_dial_in_10/serendipity_standard_dial_out_10, default (I/O) not set/not set


I can unfortunately not apply a default ACL on my Virtual Template interface on the NAS, as the 'default' ACL is different for two major ISPs that make use of the same dial-up infrastructure.

Any quick wins?

Jaco

--
bje@serendipity.org.za
the faculty of making fortunate discoveries

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
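
The two results reported in the post, reproduced as an added example (not part of the original post and not FreeRADIUS code). It models only the documented users-file reply operators "=" and "+="; it assumes the proxied reply is already in the reply list when the DEFAULT entry is merged and that the NAS applies the last ".in" and last ".out" Filter-Id it receives, both inferred from the output shown above.

```python
# Added example, not FreeRADIUS code. Models the documented users-file reply
# operators: "=" adds only if no attribute of that name is already present,
# "+=" always appends to the tail of the reply list.
# Assumptions: the proxied reply is merged first, and the NAS applies the last
# ".in" and last ".out" Filter-Id it receives (inferred from the post's output).

PROXIED = [  # constructed from the Access-Accept shown in the post
    ("Service-Type", "Framed-User"),
    ("Filter-Id", "serendipity_dial_in_6.in"),
    ("Filter-Id", "serendipity_dial_in_6.out"),
    ("Framed-IP-Netmask", "255.255.255.255"),
    ("Reply-Message", "annex:"),
]

def users_entry(in_op, out_op):
    """DEFAULT entry from the post, with the two Filter-Id operators variable."""
    return [
        ("Cisco-AVPair", "=", "ip:addr-pool=serendipity"),
        ("Filter-Id", in_op, "serendipity_standard_dial_in_10.in"),
        ("Filter-Id", out_op, "serendipity_standard_dial_out_10.out"),
        ("Idle-Timeout", "=", "0"),
        ("Service-Type", "=", "Framed-User"),
        ("Framed-Protocol", "=", "PPP"),
    ]

def merge_reply(proxied, entry):
    """Apply the entry's reply items on top of the home server's reply."""
    reply = list(proxied)
    for attr, op, value in entry:
        if op == "=":
            # Skipped when the home server already sent this attribute.
            if all(name != attr for name, _ in reply):
                reply.append((attr, value))
        elif op == "+=":
            reply.append((attr, value))
        else:
            raise ValueError(f"operator not modelled: {op}")
    return reply

def effective_acl(reply):
    """Return the (in, out) ACL names a last-wins NAS would apply."""
    acl = {"in": None, "out": None}
    for attr, value in reply:
        if attr == "Filter-Id" and "." in value:
            name, direction = value.rsplit(".", 1)
            if direction in acl:
                acl[direction] = name
    return acl["in"], acl["out"]

if __name__ == "__main__":
    for ops in (("=", "+="), ("+=", "+=")):
        print(ops, effective_acl(merge_reply(PROXIED, users_entry(*ops))))
```

In this model neither operator combination from the post leaves both of the home server's Filter-Id values as the last of their direction, which matches the two "Access list (I/O)" lines reported.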