From f4e65ffea24cd90771d5bc0fb9d948a3ac86b20a Mon Sep 17 00:00:00 2001 From: "Alan T. DeKok" Date: Thu, 26 Jun 2025 10:41:43 -0400 Subject: [PATCH] add @policy example with pre/post proxy Hmm... the "conf2adoc" functionality doesn't put the configuration in-line for @policy statements. We'll have to edit that, and then regenerate the examples --- .../pages/raddb/mods-available/radius.adoc | 53 ++++++++++++++++++ raddb/mods-available/radius | 54 +++++++++++++++++++ 2 files changed, 107 insertions(+) diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/radius.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/radius.adoc index 8c3ffaeea2..44ae95ff9c 100644 --- a/doc/antora/modules/reference/pages/raddb/mods-available/radius.adoc +++ b/doc/antora/modules/reference/pages/raddb/mods-available/radius.adoc @@ -902,6 +902,52 @@ the connection. + +## Policy Over-rides + +The proxy policy overrides enables functionality similar to the +version 3 pre/post-proxy sections. + + + +Create a subrequest which we can edit. When the subrequest +section is done, + + +Initialize the proxied packet from the request. + +This is the "pre-proxy" section. + + + +Run the "radius proxy" module noted above. + + + +Edit the reply from the home server here. + +This is the "post-proxy" section. + +Note that the Proxy-State attributes have already +been deleted from the reply, so you don't need to +do that here. Those attributes are not needed by +anyone for anything, and confuse things if they're +copied to the original request. The `radius` +module therefore deletes them, to make your life +easier. + + + +Like v3, remove all pre-existing attributes in the +original reply, and replace them with the reply +from the home server. + +It is also possible to copy over some, or none of +the attributes in the reply from the home server. +The configuration here is just an example, and can +be edited. + + == Default Configuration ``` 
@@ -1047,6 +1093,13 @@ radius proxy { } } } +@policy proxy { + subrequest { + request := parent.request + proxy + parent.reply := reply + } +} ``` // Copyright (C) 2025 Network RADIUS SAS. Licenced under CC-by-NC 4.0. diff --git a/raddb/mods-available/radius b/raddb/mods-available/radius index dfd64ebcd5..ad9cf6bbe1 100644 --- a/raddb/mods-available/radius +++ b/raddb/mods-available/radius @@ -1047,3 +1047,57 @@ radius proxy { } } + + +# +# ## Policy Over-rides +# +# The proxy policy overrides enables functionality similar to the +# version 3 pre/post-proxy sections. +# + +@policy proxy { + # + # Create a subrequest which we can edit. When the subrequest + # section is done, + # + subrequest { + # + # Initialize the proxied packet from the request. + # + # This is the "pre-proxy" section. + # + request := parent.request + + # + # Run the "radius proxy" module noted above. + # + proxy + + # + # Edit the reply from the home server here. + # + # This is the "post-proxy" section. + # + # Note that the Proxy-State attributes have already + # been deleted from the reply, so you don't need to + # do that here. Those attributes are not needed by + # anyone for anything, and confuse things if they're + # copied to the original request. The `radius` + # module therefore deletes them, to make your life + # easier. + # + + # + # Like v3, remove all pre-existing attributes in the + # original reply, and replace them with the reply + # from the home server. + # + # It is also possible to copy over some, or none of + # the attributes in the reply from the home server. + # The configuration here is just an example, and can + # be edited. + # + parent.reply := reply + } +} -- 2.47.3
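
Review bot: In the first radius.adoc hunk (@@ -902,6 +902,52), the paragraph "Create a subrequest which we can edit. When the subrequest section is done," stops at the comma, so the rendered page ends mid-sentence. The same text is in the comment above `subrequest {` in raddb/mods-available/radius, so it should be completed or dropped there and the page regenerated. As the commit message says, the configuration is not in-line for @policy, which leaves the paragraphs "This is the "pre-proxy" section." and "This is the "post-proxy" section." with no statement next to them; until conf2adoc is fixed, a reader has to match them by position against the Default Configuration block. The intro sentence "The proxy policy overrides enables" also needs a subject/verb fix ("override enables" or "overrides enable"), and the heading spells it "Over-rides" while the sentence below uses "overrides".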
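
Review bot: In the second radius.adoc hunk (@@ -1047,6 +1093,13), the bare `proxy` inside `@policy proxy {` has the same name as the policy that contains it and as the `radius proxy {` instance closed just above, and nothing in the added text says which of the two it resolves to. The prose only says "Run the "radius proxy" module noted above". Please state in the comment that a reference to `proxy` inside the policy of the same name calls the module and not the policy again, since the stripped listing here has no comments at all and a reader copying it under a different instance name needs to know that the policy name and the inner call must both follow the instance name.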
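
Review bot: In the raddb/mods-available/radius hunk (@@ -1047,3 +1047,57), the "post-proxy" comment block has no statement under it, and the example then ends with `parent.reply := reply`, which hands every attribute the home server returned to the original reply. The remark that "some, or none" of the attributes can be copied is attached to that final assignment, so it is not obvious that any filtering of `reply` belongs between `proxy` and `parent.reply := reply`. I would move that remark up into the post-proxy block and say there that a site proxying to a home server it does not administer should restrict what is copied, because the example as shipped forwards the home server's reply unmodified apart from Proxy-State. The same applies in the other direction to `request := parent.request`, which sends the whole original request to the home server; a sentence in the "pre-proxy" comment saying this is where attributes can be removed before proxying would make the two halves symmetrical.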