"double" realm problem
Alexander Clouter
alex at digriz.org.uk
Wed Oct 7 18:36:37 CEST 2009
mr typo <euroregistrar at gmail.com> wrote:
>
> i do have a problem with our freeradius configuration and i have no idea how
> to solve it.
>
> we do have one realm configured, domainname.com, which works perfectly. every
> user who wants to authenticate with a different realm is proxied to an
> outside radius server. the setup works fine.
>
> we do have some mobile devices who send something like:
> username at company.com@wlan.mnc003.mc
> username at company.com@Verisign...
> .
> .
>
> we send these requests to our proxy and the proxy sends it back to us,....
>
> from my understanding i can't solve it with a regex in the proxy.conf, right?
> since the "realm" is just the string after the last @?
>
> anyone has an idea how i can process such request in my company.com realm?
> inside the realm i strip everything out, so it should work then.
>
Use some unlang in 'authorize' *before* you call 'suffix' that looks
like:
----
# keep user@company.com and drop the second, trailing realm
if (User-Name =~ /^(.*@company\.com)@.*/) {
	update request {
		User-Name := "%{1}"
	}
}
----
As a side note, I currently have in proxy.conf:
----
# blackhole routing
realm myabc.com {
	virtual_server = auth-reject
	nostrip
}
realm "~\\.3gppnetwork\\.org$" {
	virtual_server = auth-reject
	nostrip
}
----
...and a virtual server:
----
server auth-reject {
	authorize {
		suffix
		switch "%{Realm}" {
			case "NULL" {
				update reply {
					Reply-Message := "No Realm"
				}
			}
			# we should not get here
			case "DEFAULT" {
				update reply {
					Reply-Message := "ERROR"
				}
			}
			# we *really* should not get here
			case "%{config:local.MY.realm}" {
				update reply {
					Reply-Message := "BIG ERROR"
				}
			}
			case {
				update reply {
					Reply-Message := "Realm Blackholed"
				}
			}
		}
		reject
	}
}
----
I would recommend you reject straight away any double realmed users as
you will only find yourself later on still having to deal with
misconfigured kit; pain now means a *lot* less pain later down the road
in my experience.
Cheers
--
Alexander Clouter
.sigmonster says: This Fortune Examined By INSPECTOR NO. 2-14
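
Added example, not part of the message above and not FreeRADIUS code: a small Python model of the routing decision discussed in this thread. It shows why a double-realmed User-Name is proxied on its trailing realm, and how the "strip" rewrite and the "reject straight away" policy differ. The decision labels, the "Double realm" text and the sample names are assumptions made for the sketch.

```python
import re

LOCAL_REALM = "company.com"  # locally handled realm, as in the thread
# Blackhole pattern copied from the regex realm in the proxy.conf above
BLACKHOLE = [re.compile(r"\.3gppnetwork\.org$")]
# Same expression as the unlang rewrite: keep user@company.com, drop the rest
REWRITE = re.compile(r"^(.*@company\.com)@.*")

def suffix_realm(user_name):
    """Simplified model of 'suffix': the realm is whatever follows the LAST '@'."""
    user, sep, realm = user_name.rpartition("@")
    return (user, realm) if sep else (user_name, None)

def normalise(user_name, policy):
    """Runs before realm parsing. Returns (user_name, reject_reason or None)."""
    if user_name.count("@") < 2:
        return user_name, None
    if policy == "reject":
        return user_name, "Double realm"  # placeholder reply text
    m = REWRITE.match(user_name)
    return (m.group(1) if m else user_name), None

def route(user_name, policy="strip"):
    """Returns (decision, detail); decisions are labels invented for this sketch."""
    user_name, reason = normalise(user_name, policy)
    if reason:
        return ("reject", reason)
    user, realm = suffix_realm(user_name)
    if realm is None:
        return ("no-realm", user)
    if realm == LOCAL_REALM:
        return ("local", user)
    if any(p.search(realm) for p in BLACKHOLE):
        return ("reject", "Realm Blackholed")
    return ("proxy", realm)

if __name__ == "__main__":
    # Constructed User-Name values, not taken from real traffic
    for name in ("alice@company.com", "alice@company.com@wlan.example",
                 "carol@other.example@wlan.example",
                 "dave@epc.3gppnetwork.org"):
        print(name, route(name, "strip"), route(name, "reject"))
```

Under the "strip" policy a double-realmed name whose inner realm is not company.com is still proxied on its trailing realm, which is the case the "reject" policy closes.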