Nathan McDavit-Van Fleet <nmcda...@alcor.concordia.ca> wrote:
>
> Currently I am proxying successfully to Eduroam with the following setup:
>
> realm concordia.ca {
> }
>
> realm LOCAL {
>         nostrip
> }
>
> realm NULL {
>         nostrip
> }
>
> realm DEFAULT {
>         pool = EDUROAM-FTLR
>         nostrip
> }
>
> I won't show the pool config for the "DEFAULT" realm. But suffice to say
> that's working. Also, our legacy users who are authenticating with no realm
> are working as well. What isn't working are local connections using our
> local realm (u...@concordia.ca) and distant AAA requests from Eduroam. The
> Eduroam cookbook provides some configs that appear to be helpful. But
> unfortunately they're so broken I can't even put them in my configuration.
>
> What the below configs appear to do is check if they are of realm domain.tld
> and then switch the Proxy-Realm. But the configs are too broken to work.
> From what I understand the first "if" is missing a double quote, and the
> second one isn't even evaluating and I can't fix it enough to get the server
> to restart. I have included my fixes, but as I said the preacct if statement
> still does not allow the server to restart after the config is included.
>
> ORIGINAL
>
> authorize {
>         auth_log
>         suffix
>         if (("%{control:Proxy-To-Realm} == "DEFAULT") && (User-Name =~
> /.*@.*.domain.tld$/)) {
>                 update control {
>                         Proxy-To-Realm := NULL
>                 }
>         }

'Realm' not 'control:Proxy-To-Realm' (although they probably in effect have
the same thing).

> preacct {
>         detail
>         suffix
>         if ((Proxy-To-Realm = DEFAULT) && (User-Name =~
> /.*@.*.domain.tld$/))
>                 update control {
>                         Proxy-To-Realm := NULL
>                 }
> }
>
> FIXED (???)
>
> authorize {
>         auth_log
>         suffix
>         if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~
> /.*@.*.domain.tld$/)) {

Am I being blind, I'm not seeing any difference here...?

>                 update control {
>                         Proxy-To-Realm := NULL
>                 }

For 'eduroam' auths, make sure you from *day one* reject Realm-less
authentications. If you do not, your helpdesk *will* make shortcuts, and
prime laptops that work fine locally, but fail to authenticate when roaming
as the visited site will not know where to proxy the authentication to.

The reason it is not working is that 'Realm'/'control:Proxy-To-Realm' for
your own users is actually 'concordia.ca' (check the output of 'radiusd -X'
for hints). So your logic needs to be more like the following (with sanity
checking, there is a lot of rubbish out there that passes through):

----
authorize {
	preprocess
	auth_log

	# handy, the '1' is meant to be there
	# N.B. ignore the grumbles from IAS sysadmin, 'crime and punishment'
	update request {
		Operator-Name := "1concordia.ca"
	}

	# Reject Calling-Station-Id-less authentications
	if (!(Calling-Station-Id)) {
		update reply {
			Reply-Message := "No Calling-Station-Id"
		}
		reject
	}

	if (!(User-Name)) {
		update reply {
			Reply-Message := "No User-Name"
		}
		reject
	}

	suffix

	# handle realmless authentications
	if (Realm == NULL) {
		update reply {
			Reply-Message := "No Realm"
		}
		reject
	}

	# handle blackhole'd realms
	if (Realm != "NULL" && Realm != "DEFAULT" && Realm != "concordia.ca") {
		update reply {
			Reply-Message := "Realm Blackholed"
		}
		reject
	}

	if (!(EAP-Message)) {
		update reply {
			Reply-Message := "No EAP-Message"
		}
		reject
	}

	EAP {
		ok = return
	}

	# 'handled' after EAP so we can record what guests are using
	if (Realm == DEFAULT) {
		# workaround crappy load-balancing
		update control {
			Load-Balance-Key := "%{NAS-IPv6-Address} %{NAS-IP-Address} %{NAS-Port} %{User-Name} %{Calling-Station-Id}"
		}
		handled
	}
}
----

-- 
Alexander Clouter
.sigmonster says: I live the way I type; fast, with a lot of mistakes.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
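As an added illustration (a Python model of my own, not FreeRADIUS code and not anything posted in the thread), the following walks a few constructed Access-Requests through the realm classification the 'suffix' module performs and the authorize policy in the reply above. It shows concretely why a test for Proxy-To-Realm == DEFAULT never fires for local users: after 'suffix', their Realm is 'concordia.ca', not 'DEFAULT'. The realm table mirrors the proxy.conf blocks quoted in the thread; the usernames, MAC addresses and NAS address are constructed, and the suffix emulation is a simplification (exact, case-sensitive matching on the text after the last '@').

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed realm table mirroring the proxy.conf blocks quoted in the thread
# (realm name -> home server pool; None means the realm is handled locally).
REALMS = {
    "concordia.ca": None,
    "LOCAL": None,
    "NULL": None,
    "DEFAULT": "EDUROAM-FTLR",
}

LOCAL_REALM = "concordia.ca"   # the one realm the policy treats as "ours"


def classify_realm(user_name: str) -> Optional[str]:
    """Approximate what the 'suffix' module writes into the Realm attribute:
    split User-Name at the last '@', look the suffix up in REALMS, and fall
    back to NULL (no '@') or DEFAULT (unknown suffix) when those realms exist.
    Assumption: matching here is exact and case-sensitive."""
    if "@" not in user_name:
        return "NULL" if "NULL" in REALMS else None
    suffix = user_name.rsplit("@", 1)[1]
    if suffix in REALMS:
        return suffix
    return "DEFAULT" if "DEFAULT" in REALMS else None


@dataclass
class Request:
    """The handful of Access-Request attributes the policy looks at."""
    user_name: Optional[str]
    calling_station_id: Optional[str]
    eap_message: bool = True
    nas_ip: str = "192.0.2.10"   # constructed NAS-IP-Address
    nas_ipv6: str = ""           # unset: expands to "" just as in unlang
    nas_port: int = 0


def authorize(req: Request) -> Tuple[str, str]:
    """Walk the authorize policy from the reply and return (verdict, detail):
    verdict is 'reject', 'local' or 'proxy'; detail is the Reply-Message for a
    reject, the realm for a local auth, or the pool plus Load-Balance-Key for
    a proxied auth."""
    if not req.calling_station_id:
        return "reject", "No Calling-Station-Id"
    if not req.user_name:
        return "reject", "No User-Name"

    realm = classify_realm(req.user_name)        # the 'suffix' call

    if realm is None or realm == "NULL":         # realmless: reject, never proxy
        return "reject", "No Realm"
    if realm not in ("DEFAULT", LOCAL_REALM):    # anything else is blackholed
        return "reject", "Realm Blackholed"
    if not req.eap_message:
        return "reject", "No EAP-Message"

    if realm == "DEFAULT":
        # Roaming guest: hand to the federation pool, keyed so that every
        # round trip of one EAP conversation lands on the same home server.
        key = (f"{req.nas_ipv6} {req.nas_ip} {req.nas_port} "
               f"{req.user_name} {req.calling_station_id}")
        return "proxy", f"{REALMS['DEFAULT']} Load-Balance-Key={key!r}"

    # Local user: Realm is 'concordia.ca' here, never 'DEFAULT'.
    return "local", realm


if __name__ == "__main__":
    samples = [
        Request("alice@concordia.ca", "00-11-22-33-44-55"),  # local user
        Request("bob", "00-11-22-33-44-66"),                 # legacy, no realm
        Request("carol@uni.example", "00-11-22-33-44-77"),   # roaming guest
        Request("dave@uni.example", None),                   # no MAC supplied
        Request("erin@LOCAL", "00-11-22-33-44-88"),          # odd realm: blackholed
    ]
    for s in samples:
        print(f"{s.user_name!r:>22} -> {authorize(s)}")
```

Run it as a script to see one line per sample; the verdict column is the rough equivalent of what 'radiusd -X' shows after the 'suffix' and 'if' lines, and it is the 'local' line for alice that explains the thread's puzzle.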