addition to policy.conf

Matthew Newton mcn4 at leicester.ac.uk
Wed Jun 6 02:33:35 CEST 2012


On Tue, Jun 05, 2012 at 05:34:30PM +0100, Brian Candler wrote:
> Only a gut feeling of "either enforce RFC 2486, or don't". Anything else
> seems to be a kludge to me.

As another eduroam member, the amount of cr*p out there is
unbelievable. From this perspective only, doing /anything/ to
stop that from going off-site is a good thing for the rest of the
system, RFC or no RFC.

But from a FreeRADIUS package point of view, RFCs are a good place
to base code and configuration on. So a policy that enforces
certain rules, based on RFC recommendations, that can be locally
enhanced can only be a good thing.

> Has anyone actually *measured* what proportion of their failed logins are
> due to usernames containing two dots, or realms which start or end with a
> dot, or the other things the OP's regexp tests rejected?

Random sample - the whole month of May. awk/grep stats at 1am, and
I'm ill and tired - so you choose whether to trust it or not:


Less than 10 logins that had '..', or '@.' or ended in '.'.

However, 19 unique usernames that included a ' ', which consisted
of over 15,000 login attempts, of which 11,000 were one user.
That's one of the problems - some broken (IMO) supplicants just
keep trying. That individual's problem? A space on the end.

Number of unique usernames with random characters - '=', '/', '#',
';', ',', etc. You name it, it's probably there! - around 50.

Number of login attempts to *.3gppnetwork.org - over 3,000.


Anything to help block this sort of thing (easily, or by default)
is useful, especially in a large federation like eduroam where the
national proxies can be a choke point.

(As to the whole national proxy thing, I'd happily scrap it for
national RADIUS, go peer-to-peer, and just use it for
international proxying, but it's what we live with at the moment,
and that debate is definitely off-topic!)

Cheers,

Matthew



-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
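As an added example, not part of this thread or of FreeRADIUS itself: a Python check that applies the RFC 2486 NAI grammar to User-Name values and tallies the rejection reasons the post counts by hand (spaces, stray dots, odd characters, realms a site will not proxy). The sample names, the reason labels and the blocked-realm list are constructed for illustration.

```python
import re
from collections import Counter

# RFC 2486 section 2.1: username is a dot-string of "char" runs, where char is
# any ASCII except SPACE, CTL and the "special" set below, or a backslash-escaped
# character; realm is dot-separated labels of letters, digits and hyphens.
_SPECIAL = set('<>()[]\\,;:@"') | {chr(i) for i in range(0x20)} | {' ', chr(0x7f)}
_LABEL = re.compile(r'^[A-Za-z0-9][A-Za-z0-9-]*$')
# Constructed local policy: realm suffixes this site never proxies off-site.
BLOCKED_REALM_SUFFIXES = ('3gppnetwork.org',)

def _user_chars_ok(user: str) -> bool:
    i = 0
    while i < len(user):
        if user[i] == '\\':               # "\" x : escaped char, needs an x
            if i + 1 >= len(user):
                return False
            i += 2
            continue
        if user[i] in _SPECIAL:
            return False
        i += 1
    return True

def check_nai(user_name: str) -> str:
    """Return 'ok' or a short reason why user_name should not be forwarded."""
    if not user_name or not user_name.isascii():
        return 'empty-or-non-ascii'
    if ' ' in user_name:                  # counted separately: the post's top offender
        return 'space'
    user, sep, realm = user_name.partition('@')
    if not _user_chars_ok(user):
        return 'special-char'
    if user == '' or user.startswith('.') or user.endswith('.') or '..' in user:
        return 'bad-dots-in-user'
    if sep:
        labels = realm.split('.')
        if len(labels) < 2:               # realm = 1*( label "." ) label
            return 'realm-without-dot'
        if not all(_LABEL.match(lab) for lab in labels):
            return 'bad-realm-label'      # catches '@.', '..' and a trailing '.'
        r = realm.lower()
        if any(r == s or r.endswith('.' + s) for s in BLOCKED_REALM_SUFFIXES):
            return 'blocked-realm'
    return 'ok'

def tally(user_names) -> Counter:
    """Count User-Name values per reason, like the awk/grep stats in the post."""
    return Counter(check_nai(u) for u in user_names)

SAMPLE_USER_NAMES = [   # constructed values, not taken from any real log
    'alice@example.ac.uk', 'bob.smith@example.ac.uk', 'carol@example.ac.uk ',
    'dave..jones@example.ac.uk', 'erin@.example.ac.uk', 'frank@example.ac.uk.',
    'grace;x@example.ac.uk', 'heidi=1@example.ac.uk',   # '=' is legal per the grammar
    '123456789012345@wlan.mnc001.mcc234.3gppnetwork.org', 'ivan@localhost',
]
```

Running `tally(SAMPLE_USER_NAMES)` shows which of the constructed names a stricter policy.conf would refuse to proxy and why; the RFC grammar still admits '=' and '/', so anything beyond that is local policy.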

