Alan Buxey <a.l.m.bu...@lboro.ac.uk> wrote:
>
> I would say one thing, do NOT use DEFAULT (in fact, don't EVER use it
> ...always have policies to deal with everything) - use unlang to set
> the realm - local, or 'eduroam' and then only have those entries in
> proxy.conf
>

...I would say *do* use DEFAULT...so there. :)

My thinking is that there is no difference in effect if your eduroam unlang policy sends everything it does not know about upstream so why not just reuse the built-in FreeRADIUS stuff that does the same. I guess it all depends on how you prefer to think about your packet flow.

I have the following in my proxy.conf file:
----
realm NULL {
}

realm LOCAL {
}

realm soas.ac.uk {
}

realm DEFAULT {
	pool = eduroam
	nostrip
}

# blackhole routing
realm myabc.com {
	nostrip
}
realm "~\\.3gppnetwork\\.org$" {
	nostrip
}
----

Then in my authorize section I use:
----
# handle realmless authentications
if ((EAP-Message) && Realm == NULL) {
	update reply {
		Reply-Message := "No Realm"
	}
	reject
}

# handle blackhole'd realms
if (Realm != "NULL" && Realm != "DEFAULT" && Realm != "soas.ac.uk") {
	update reply {
		Reply-Message := "Realm Blackholed"
	}
	reject
}
----

For me, it means blackholing domains is a lot more straightforward and the packet flow is more 'natural' (as you are not 'forcing' a proxying).

However, this parses in my brain, does not mean it will parse in anyone else's :)

Cheers

--
Alexander Clouter
.sigmonster says: If you knew what to say next, would you say it?
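
The packet flow described in the message above can be checked offline with a small model. This is an added example, not part of the original post and not FreeRADIUS code: a simplified Python model of the realm lookup and the two authorize checks. It assumes the realm is the text after the last "@", that realm names match case-insensitively, and that a regex realm sets Realm to its own pattern; the sample identities are constructed.

```python
import re

# Realms from the proxy.conf in the post: name -> proxy pool (None = no pool).
EXACT_REALMS = {
    "NULL": None,
    "LOCAL": None,
    "soas.ac.uk": None,
    "DEFAULT": "eduroam",
    "myabc.com": None,
}
# Regex realms; the leading "~" and config-level backslash escaping are removed.
REGEX_REALMS = [r"\.3gppnetwork\.org$"]
# Realm values that the second authorize check lets through.
ALLOWED = {"NULL", "DEFAULT", "soas.ac.uk"}


def find_realm(user_name):
    """Return the value the Realm attribute takes in this model."""
    if "@" not in user_name:
        return "NULL"                       # realm NULL { } catches realmless names
    suffix = user_name.rsplit("@", 1)[1]    # text after the last "@"
    for name in EXACT_REALMS:
        if name.lower() == suffix.lower():  # assumption: case-insensitive match
            return name
    for pattern in REGEX_REALMS:
        if re.search(pattern, suffix, re.IGNORECASE):
            return "~" + pattern            # assumption: Realm holds the pattern
    return "DEFAULT"                        # anything unknown falls to DEFAULT


def decide(user_name, is_eap=True):
    """Apply the two authorize checks from the post, then route."""
    realm = find_realm(user_name)
    if is_eap and realm == "NULL":
        return ("reject", "No Realm")
    if realm not in ALLOWED:
        return ("reject", "Realm Blackholed")
    pool = EXACT_REALMS[realm]
    return ("proxy", pool) if pool else ("local", realm)


if __name__ == "__main__":
    # Constructed sample identities, not taken from the post.
    for name in ["alice", "alice@soas.ac.uk", "bob@example.org",
                 "eve@myabc.com", "0123@wlan.mnc001.mcc234.3gppnetwork.org"]:
        print(name, "->", decide(name))
```

In this model an identity such as `x@LOCAL` is also rejected as blackholed, because the second check only admits `NULL`, `DEFAULT` and `soas.ac.uk`.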