Hi Mike, all,

A patch and a suggestion for goodies below.

A lot of people seem to use Radiator with EduRoam and after two debugging sessions, the first to find the cause why it's not working for a user and the 2nd to apply the below patch, things are significantly starting to improve for a couple of users whose IdPs send out weird attributes incl. VLAN assignments etc.

Not sure if we should pass down all section 5.7.18 ref.pdf options down from the AuthDNSROAM patch below, but these two seem essential as having them in and not working might lead to unexpected results.

My somehow excessive attribute filter list for Eduroam currently is

    AllowInReply User-Name, \
        Class, \
        Framed-Protocol, \
        Service-Type, \
        EAP-Message, \
        Message-Authenticator, \
        MS-MPPE-Send-Key, \
        MS-MPPE-Recv-Key, \
        MS-CHAP-Domain, \
        MS-CHAP2-Success, \
        Proxy-State

with Framed-Protocol at least being excessive and should probably be static and Service-Type probably be restricted.

I wonder if others have a comment on that list; I have been told another (open source) radius software comes with a pre-defined list but have not checked, so I think putting that into goodies, if not there yet, for AuthDNSRoam/Eduroam samples would be an excellent idea :)

Special thanks go to Stefan Winter and Ronald van der Pol for the debugging sessions to figure out the VLAN problem while here at IETF83.

Apart from that Radiator seems to do great wrt DNSRoam and I am looking forward for the draft to be updated and the latest things that have been officially assigned to be sorted. Great! Thanks a lot for that!

Thanks,
/bz

--- AuthDNSROAM.pm.orig 2011-09-29 21:51:05.000000000 +0000 +++ AuthDNSROAM.pm 2012-03-29 16:16:09.000000000 +0000 @@ -285,6 +285,7 @@ sub addRoute (qw(Address Transport Protocol Port UseTLS SRVName StripFromRequest AddToRequest ReplyHook ReplyHook.compiled NoReplyHook NoReplyHook.compiled + StripFromReply AllowInReply NoForwardAuthentication NoForwardAccounting AllowInRequest NoreplyTimeout IgnoreReject
@@ -390,6 +391,7 @@ sub handle_request (map {defined $self->{$_} ? ($_ => $self->{$_}) : ()} (qw(Port Secret StripFromRequest AddToRequest ReplyHook ReplyHook.compiled NoReplyHook NoReplyHook.compiled + StripFromReply AllowInReply NoForwardAuthentication NoForwardAccounting AllowInRequest NoreplyTimeout IgnoreReject IgnoreAccountingResponse MaxBufferSize @@ -414,6 +416,7 @@ sub handle_request # Copy parameters from $self: (map {defined $self->{$_} ? ($_ => $self->{$_}) : ()} (qw(StripFromRequest AddToRequest ReplyHook ReplyHook.compiled NoReplyHook NoReplyHook.compiled + StripFromReply AllowInReply NoForwardAuthentication NoForwardAccounting AllowInRequest AuthPort AcctPort Secret Retries RetryTimeout UseOldAscendPasswords ServerHasBrokenPortNumbers ServerHasBrokenAddresses IgnoreReplySignature

--
Bjoern A. Zeeb You have to have visions!
Stop bit received. Insert coin for new address family.
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
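
Review bot: In the addRoute hunk (@@ -285), StripFromReply and AllowInReply are added to a qw() list that is repeated, with mostly the same names, in both handle_request hunks, so each new pass-through option has to be added by hand in three places. Consider keeping the shared names in one array used by all three sites, so that a reply filter such as AllowInReply cannot be present in the configuration yet missed on one code path.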
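
Review bot: In the two handle_request hunks (@@ -390 and @@ -414), the new names are copied only when defined on $self, and nothing in the patch exercises the result on either path. Since AllowInReply is the allow list for reply attributes, a regression test that passes a reply carrying an attribute outside the list (for example a VLAN assignment) through both the Port/Secret path and the AuthPort/AcctPort path would confirm that the attribute is dropped in each case.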