On 11 Dec 2012, at 03:14, Mike Diggins <mike.digg...@mcmaster.ca> wrote:
>
> On Sun, 9 Dec 2012, Alan Buxey wrote:
>
>> Hi,
>>
>>> This looks like something I should be doing but I have no idea where
>>> to insert this section. Is it in proxy.conf or somewhere else? And
>>
>> in the authorize section of your virtual server, straight after the
>> preprocess/suffix/realm
>> module calls (i.e. before any real authorization action)
>>
>>> With this configuration, I guess I don't need realm's LOCAL or NULL?
>>
>> correct - you will deal with your LOCAL realm by handling your defined realm,
>> with eduroam you don't want to EVER authenticate a user who hasn't provided
>> a realm - because, for your own users, they may work fine....when they are
>> at your
>> site....they then think/believe their configuration works...and then find it
>> doesn't work when they go to another eduroam site...and then they'll blame
>> that site, your site or eduroam. best policy for eduroam is ALWAYS ensure
>> a realm is defined on the client
>
>
> ok, both the default and inner-tunnel, I assume?
>
> I added the section to "authorize", but the DEBUG output indicates the
> regular expression is rejecting a valid user. Is there someone that could
> confirm the RE?
>
>     if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) {
>     ...

Why not just use the filter_username policy in the policy.conf?

In filter_username in policy.conf you probably want to comment out the "reject mixed case" test and make sure your version has the fixed "realm begins with a dot"

        #
        #  Realm begins with a dot
        #  e.g. "u...@.site.com"
        #
        if (User-Name =~ /@\\./) {

Broken ones have:

        #
        #  Realm begins with a dot
        #  e.g. "u...@.site.com"
        #
        if (User-Name !~ /@\\./) {

To call filter_username policy just add "filter_username" to your authorise section.

Regards

Scott Armitage
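The username checks discussed in this thread, modelled as an added Python example (not code from the thread or from FreeRADIUS): it runs the quoted expression and both variants of the "realm begins with a dot" test over constructed usernames, showing that the quoted character class matches only upper-case realms unless matching is case-insensitive, and that the `!~` variant rejects exactly the usernames the test should let through. The function names, the `filter_username` model and the sample usernames are assumptions, and Python's `re` stands in for the server's regex engine.

```python
import re

# Expression quoted in the thread. unlang's "\\." is a literal dot, written
# "\." here; Python's re stands in for the server's regex engine (assumption).
THREAD_RE = r"^([^@]*)@([-A-Z0-9]+(\.[-A-Z0-9]+)+)$"
DOT_REALM = re.compile(r"@\.")  # the "realm begins with a dot" pattern


def matches_thread_re(user, ignore_case=False):
    """True if the username matches the expression quoted in the thread."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(THREAD_RE, user, flags) is not None


def dot_realm_rejects(user, broken=False):
    """True if the dot-realm test rejects the user.

    Fixed copies reject on a match (=~); broken copies reject on a
    non-match (!~), which inverts the test.
    """
    hit = DOT_REALM.search(user) is not None
    return (not hit) if broken else hit


def filter_username(user):
    """Hypothetical, simplified model of the checks discussed in the thread."""
    if "@" not in user:
        return "reject: no realm"
    if dot_realm_rejects(user):
        return "reject: realm begins with a dot"
    if not matches_thread_re(user, ignore_case=True):
        return "reject: malformed realm"
    return "ok"


# Constructed sample usernames, not taken from any log.
SAMPLES = ["alice@example.org", "alice@EXAMPLE.ORG", "alice",
           "alice@.example.org", "alice@example"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:20} as-written={matches_thread_re(name)!s:5} "
              f"broken-dot-test-rejects={dot_realm_rejects(name, broken=True)!s:5} "
              f"filter={filter_username(name)}")
```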