bug-gnu-radius

[Bug-gnu-radius] proposal for extra proxy functionality


From: Maurice Makaay
Subject: [Bug-gnu-radius] proposal for extra proxy functionality
Date: Wed, 14 Jul 2004 23:59:30 +0200

Hi,

Today I created a little patch for gnu-radius which makes it possible for
me to use huntgroups in the realms configuration for proxying. Maybe it's
a nice feature to add to the gnu-radius tree?

The problem I ran into was the fact that we use a tunneling construction
with our dial-in provider. In short it looks a bit like this:

1. user dials dial-in infrastructure
2. infra contacts our radiusserver
3. radiusserver returns tunneling attributes
4. a tunnel is set up between the infra and our accessrouter
4. PPP session is transferred through the tunnel to our accessrouter
5. PPP session is restarted
6. our accessrouter contacts our radiusserver 
7. the user is authenticated or not

So in both steps 2 and 6 an authentication request is done. Now we have 
a customer for which the authentication must be proxied to their own
radiusserver. For step 6 this is no problem. This is just a plain
auth request. But step 2 includes sending back some very specific 
tunneling attributes (tunnel endpoint, password, etc.). We do not want
the customer to have to return these attributes. We just want step
6 to go to the customer's radiusserver.

I couldn't really find a good solution for this problem, so I created
a little patch. Could you take a look at it, to see if it can be included
in gnu-radius?

radiusd/files.c
---------------
I removed the static declaration to make huntgroup_match available
outside files.c itself:

-static int huntgroup_match(RADIUS_REQ *req, char *huntgroup);
+int huntgroup_match(RADIUS_REQ *req, char *huntgroup);
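Review bot: dropping `static` from this prototype makes the symbol external, but the declaration still lives only in files.c, so the call added in proxy.c has no prototype in scope unless one is added elsewhere. Move the declaration to a header that both files include, and make sure the definition of huntgroup_match loses its `static` as well so the two agree.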

radiusd/proxy.c 
---------------
I added some code for handling an extra huntgroup=<group> attribute for the
realms file:

@@ -265,7 +265,16 @@
        REALM *realm = realm_lookup_name(name);
        static char *var[] = { "auth", "acct" };
        int t;
-       
+
+        /* InterNLnet: check if a huntgroup restriction is set for the realm */
+        if (realm) {
+            char *huntgroup = envar_lookup_str(realm->args, "huntgroup", "");
+            if (strlen(huntgroup)) {
+                if (!huntgroup_match(req, huntgroup))
+                    return NULL;
+            }
+        }
+
        if (realm) {
                int rc;
                switch (req->code) {
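Review bot: the added `if (realm)` block sits directly above the existing `if (realm)` test, so the huntgroup check belongs at the top of that existing block rather than in a second copy of the condition. The early `return NULL` on a mismatch gives no indication of why the realm was skipped, and it runs before `switch (req->code)`, so it applies to every request code handled here; a debug log line on that path would help when a request is unexpectedly handled locally. Smaller points: `strlen(huntgroup)` can be `huntgroup[0]`, the nested lines are indented by 4 where the surrounding code uses 8, and the new `huntgroup=` realm option needs an entry in the realms file documentation.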


Using this patch I'm able to configure something like this in our realms file:

proxyrealm    1.2.3.4:1812:1813    notrip,ignorecase,huntgroup=accessrouter

Using the huntgroups file I place our accessrouter in the "accessrouter" 
huntgroup. Now all requests for address@hidden will be handled by our
own radius, except for the requests coming from our accessrouter (which
will be handled by our customer's radius server).


Kind regards,

Maurice Makaay
InterNLnet BV
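
The routing decision described in the message above, as an added example that is not part of the original post and is not GNU Radius code: a standalone model that reads the huntgroup= option from a realm flags string and decides proxy versus local handling. The function names, the NAS addresses and the reduction of huntgroup membership to a NAS address are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data: hypothetical NAS addresses, not from the post. */
struct nas_group { const char *nas_ip; const char *huntgroup; };
static const struct nas_group groups[] = {
    { "192.0.2.10", "accessrouter" },  /* our access router (step 6) */
    { "192.0.2.20", "dialin" },        /* provider's dial-in infra (step 2) */
};

/* Copy the value of key=value from a comma-separated flags string into out.
   Returns 1 if the key is present as a whole option, 0 otherwise. */
static int realm_opt(const char *flags, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    for (const char *p = flags; *p; ) {
        size_t len = strcspn(p, ",");
        if (len > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = len - klen - 1;
            if (vlen >= outlen)
                vlen = outlen - 1;
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p += len;
        if (*p == ',')
            p++;
    }
    return 0;
}

/* Hypothetical helper: 1 if the request's NAS is a member of the huntgroup. */
static int nas_in_group(const char *nas_ip, const char *huntgroup)
{
    for (size_t i = 0; i < sizeof groups / sizeof groups[0]; i++)
        if (!strcmp(groups[i].nas_ip, nas_ip) && !strcmp(groups[i].huntgroup, huntgroup))
            return 1;
    return 0;
}

/* 1 = proxy to the realm's server, 0 = handle locally. */
int should_proxy(const char *flags, const char *nas_ip)
{
    char hg[64];
    if (!realm_opt(flags, "huntgroup", hg, sizeof hg) || hg[0] == '\0')
        return 1;                      /* no restriction set for the realm */
    return nas_in_group(nas_ip, hg);   /* unknown or misspelled group: local */
}

int main(void)
{
    const char *flags = "notrip,ignorecase,huntgroup=accessrouter";
    printf("step 2: %s\n", should_proxy(flags, "192.0.2.20") ? "proxy" : "local");
    printf("step 6: %s\n", should_proxy(flags, "192.0.2.10") ? "proxy" : "local");
    return 0;
}
```

A misspelled group name matches no NAS, so every request for that realm is handled locally and none reaches the customer's server.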



