[prev in list] [next in list] [prev in thread] [next in thread] 

List:       freeradius-users
Subject:    Re: Proxy Radius - Deny user based on username preproxy
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2011-12-30 19:36:37
Message-ID: 4EFE12C5.6030007 () deployingradius ! com
[Download RAW message or body]

Nathan M wrote:
> I operate a proxy radius server which proxies requests downstream.  A
> few particular usernames are repeating far more frequently than they
> should and I have no way to eliminate this upstream.  I do need to
> authenticate the users though and not deny them.  The goal would be to
> authenticate them at the proxy level so it does not send the request
> downstream at all.
> 
> Ideally an entry something to the tune of:
> userx      Cleartext-Password := "xxx"
>        Session-Timeout = 604800,
>        Idle-Timeout = 604800,
>        Acct-Interim-Interval = 4084,
>        Fall-Through = No

  That should work.

> I've reviewed and done dozens of attempts using the preproxy_users,
> and users file (by trying with files above and below the suffix line
> in authorize{}); however, none of my attempts have been successful.

  See the FAQ for "it doesn't work".

> The lines match when viewing debug; however, by entering anything
> other than Auth-Type := Reject within the users file, the
> authentication proceeds on it's merry way to the proxy process
> downstream.
> 
> Any advice on a config which will accomplish this?

  Read the debug output.  It will tell you why it's being proxied.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
[prev in list] [next in list] [prev in thread] [next in thread]