Eduroam with a Local Radius Config?

Alexander Clouter alex at digriz.org.uk
Thu Feb 17 20:50:23 CET 2011


Nathan McDavit-Van Fleet <nmcdavit at alcor.concordia.ca> wrote:
> 
> Currently I am proxying Successfully to Eduroam with the following setup:
> realm concordia.ca {
> }
> 
> realm LOCAL {
>        nostrip
> }
> 
> realm NULL {
>        nostrip
> }
> 
> realm DEFAULT {
>        pool = EDUROAM-FTLR
>        nostrip
> }
> 
> I won't show the pool config for the "DEFAULT" realm. But suffice to say
> that's working. Also, our legacy users who are authenticating with no realm
> are working as well. What isn't working are local connections using our
> local realm (user@concordia.ca) and distant AAA requests from Eduroam. The
> Eduroam cookbook provides some configs that appear to be helpful. But
> unfortunately they're so broken I can't even put them in my configuration.
> 
> What the below configs appear to do is check if they are of realm domain.tld
> and then switch the Proxy-Realm. But the configs are too broken to work.
> From what I understand, the first "if" is missing a double quote, and the
> second one isn't even evaluating and I can't fix it enough to get the server
> to restart. I have included my fixes, but as I said the preacct if statement
> still does not allow the server to restart after the config is included.
> 
> ORIGINAL
>        authorize {
>          auth_log
>          suffix
>          if (("%{control:Proxy-To-Realm} == "DEFAULT") && (User-Name =~ /.*@.*.domain.tld$/)) {
>          update control {
>              Proxy-To-Realm := NULL
>          }
>          }
>
'Realm', not 'control:Proxy-To-Realm' (although in effect they probably 
hold the same thing).
 
>        preacct {
>          detail
>          suffix
>          if ((Proxy-To-Realm = DEFAULT) && (User-Name =~ /.*@.*.domain.tld$/))
>          update control {
>              Proxy-To-Realm := NULL
>          }
>        }
> 
> FIXED (???)
>        authorize {
>          auth_log
>          suffix
>          if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~ /.*@.*.domain.tld$/)) {
>
Am I being blind, I'm not seeing any difference here...?

>          update control {
>              Proxy-To-Realm := NULL
>          }
>
For 'eduroam' auths, make sure that from *day one* you reject Realm-less 
authentications.  If you do not, your helpdesk *will* make shortcuts, 
and prime laptops that work fine locally but fail to authenticate when 
roaming, as the visited site will not know where to proxy the 
authentication to.

The reason it is not working is that 'Realm'/'control:Proxy-To-Realm' for 
your own users is actually 'concordia.ca' (check the output of 'radiusd 
-X' for hints).  So your logic needs to be more like (with sanity checking, 
as there is a lot of rubbish out there that passes through):
----
authorize {
  preprocess

  auth_log
  
  # handy, the '1' is meant to be there
  # N.B. ignore the grumbles from IAS sysadmin, 'crime and punishment'
  update request {
    Operator-Name := "1concordia.ca"
  }

  # Reject Calling-Station-Id-less authentications
  if (!(Calling-Station-Id)) {
    update reply {
      Reply-Message := "No Calling-Station-Id"
    }
    reject
  }

  if (!(User-Name)) {
    update reply {
      Reply-Message := "No User-Name"
    }
    reject
  }

  suffix

  # handle realmless authentications
  if (Realm == NULL) {
    update reply {
      Reply-Message := "No Realm"
    }
    reject
  }

  # handle blackhole'd realms
  if (Realm != "NULL" && Realm != "DEFAULT" && Realm != "concordia.ca") {
    update reply {
      Reply-Message := "Realm Blackholed"
    }
    reject
  }

  if (!(EAP-Message)) {
    update reply {
      Reply-Message := "No EAP-Message"
    }
    reject
  }

  EAP {
    ok = return
  }

  # 'handled' after EAP so we can record what guests are using
  if (Realm == DEFAULT) {
    # workaround crappy load-balancing
    update control {
      Load-Balance-Key := "%{NAS-IPv6-Address} %{NAS-IP-Address} %{NAS-Port} %{User-Name} %{Calling-Station-Id}"
    }
    handled
  }
}
----
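As an added illustration (not from the original post, and not FreeRADIUS code), here is a Python model of the decisions the authorize section above reaches for a request: which Reply-Message each sanity check produces, why a realm-less name is rejected, why 'user@concordia.ca' stays local while an unknown realm ends up as DEFAULT and is proxied to the eduroam pool. It assumes rlm_realm 'suffix' splits on the last '@' with a case-insensitive realm lookup, and it adds one constructed realm, 'blackhole.example', so the "Realm Blackholed" branch is exercised.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Realm table as in the poster's proxy.conf: the local realm and the special NULL
# and DEFAULT realms, plus one constructed "blackholed" realm (not on the page).
LOCAL_REALM = "concordia.ca"
BLACKHOLED = {"blackhole.example"}          # constructed for the example
KNOWN_REALMS = {LOCAL_REALM, "NULL", "DEFAULT"} | BLACKHOLED

@dataclass
class Request:
    user_name: Optional[str]
    calling_station_id: Optional[str]
    eap_message: bool        # True when the request carries an EAP-Message

def suffix_realm(user_name: str) -> str:
    """Model of rlm_realm 'suffix' (assumption: split on the last '@', case-
    insensitive realm lookup).  Realm-less names get "NULL" because a 'realm NULL'
    stanza exists; names whose realm is not configured fall through to DEFAULT."""
    if "@" not in user_name:
        return "NULL"
    realm = user_name.rsplit("@", 1)[1].lower()
    return realm if realm in KNOWN_REALMS else "DEFAULT"

def authorize(req: Request) -> Tuple[str, str]:
    """Walk the checks of the authorize section in order and return
    (action, detail): ("reject", Reply-Message), ("proxy", pool) or ("local", realm)."""
    if not req.calling_station_id:
        return ("reject", "No Calling-Station-Id")
    if not req.user_name:
        return ("reject", "No User-Name")
    realm = suffix_realm(req.user_name)           # 'suffix' sets the Realm attribute
    if realm == "NULL":
        return ("reject", "No Realm")
    if realm not in ("NULL", "DEFAULT", LOCAL_REALM):
        return ("reject", "Realm Blackholed")
    if not req.eap_message:
        return ("reject", "No EAP-Message")
    # EAP runs here; a DEFAULT realm is then 'handled', i.e. proxied to the eduroam pool
    if realm == "DEFAULT":
        return ("proxy", "EDUROAM-FTLR")
    return ("local", realm)                       # concordia.ca: authenticate here

if __name__ == "__main__":
    for name in ("alice@concordia.ca", "bob", "carol@example.org", "dave@blackhole.example"):
        print(name, "->", authorize(Request(name, "00-11-22-33-44-55", True)))
```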

-- 
Alexander Clouter
.sigmonster says: I live the way I type; fast, with a lot of mistakes.



