(RADIATOR) How to do conditions based on AVpair?
Jan Tomasek
jan at tomasek.cz
Thu Aug 5 10:09:58 CDT 2004
Hi David,
> try to add "AddToReplyIfNotExist" if will not contain.
> But if will contain some unknown value, maybe is better delete this
> attribute (StripFromRequest) and add new (AddToRequest) based on same
> other ID parameter (@realm, IP, etc.) - that's my first idea...

The problem is that I need to somehow safely recognize and handle testing accounts.
At the local RADIUS I am using this code:

<AuthBy LDAP2>
    Identifier CheckLDAP
    [...]
    AuthAttrDef radiusTunnelPrivateGroupID,\
        Tunnel-Private-Group-ID,\
        reply
    AuthAttrDef radiusTunnelAssignmentID,\
        Tunnel-Assignment-ID,\
        reply
    [...]
    AllowInReply Tunnel-Private-Group-ID,Tunnel-Assignment-ID
    AddToReplyIfNotExist Tunnel-Private-Group-ID=1:100
    AddToReply Tunnel-Type=1:VLAN,\
        Tunnel-Medium-Type=1:Ether_802
</AuthBy>

That works perfectly for LOCAL testing accounts (testing accounts for testing the
RADIUS infrastructure). But if an Access-Accept packet from our local RADIUS is
proxied somewhere, they will more likely drop our Tunnel-Private-Group-ID
used for putting the user into the right VLAN, because they will be using a different number. So
we decided to use an additional AV pair for easy identification of a testing account.

So I need some code in this handler:

<Handler>
    <AuthBy RADIUS>
        <Host radius1.eduroam.cz>
            AuthPort 1812
            AcctPort 1813
            Secret xxx
        </Host>
        <Host radius2.eduroam.cz>
            AuthPort 1812
            AcctPort 1813
            Secret xxx
        </Host>
    </AuthBy>
    AllowInReply
    AddToReply Tunnel-Type=1:VLAN,\
        Tunnel-Medium-Type=1:Ether_802,\
        Tunnel-Private-Group-ID=1:100
</Handler>

which will recognize those testing accounts and put them in a different (non-working)
VLAN than users who should be placed into 100.

I hope it's clearer now. But I'm still clueless about how to get it working :)

Thanks for your time

--
--------------------------------------------------------------
Jan Tomasek aka Semik work: CESNET, z.s.p.o.
http://www.tomasek.cz/ Zikova 4, 160 00 Praha 6
Czech Republic
phone(work): +420 2 2435 5279 http://www.cesnet.cz/