Eduroam & FreeRadius not working so well
Phil Mayers
p.mayers at imperial.ac.uk
Thu Dec 6 11:30:38 CET 2012
On 12/06/2012 10:16 AM, Alan Buxey wrote:
> Hi,
>
>> home_server_pool EDUROAM-FTLR {
>> type = fail-over
>> home_server = proxy1
>> home_server = proxy2
>> }
>
> I would use:
>
> type = client-port-balance
>
>
> to balance between the 2. (that method ensures the EAP goes to one remote server)
>
>> realm DEFAULT {
>> pool = EDUROAM-FTLR
>> nostrip
>> }
>
> hmmmm, this isn't best practice if that's all you have for throwing stuff upstream. Would
> strongly recommend using unlang to validate that the user has a valid realm etc. and then
> update the request to use a realm identifier (e.g. eduroam) and use that in proxy.conf instead -
> thus you are only sending valid users upstream (and not all the random typos and junk)
> as the upstream servers will like you more for that - and won't be dropping requests and messing
> you up.
>
To expand on Alan's statement a bit here - it's possible that users are
associating with your eduroam SSID and sending all kinds of nonsense (I
think the best I've seen is:
<space>user@domain<newline><space>user@domain<newline><repeat 3 times>
...and that the upstream RADIUS servers are not replying, which is
causing you to get these dropouts.
You probably want something like this:
authorize {
    # Only accept a User-Name of the form local-part@realm, where the
    # realm is at least two dot-separated labels of letters, digits or
    # hyphens. Lower-case is allowed in the class so "user@Other.Edu"
    # is not bounced.
    if (User-Name =~ /^([^@]*)@([-a-zA-Z0-9]+(\.[-a-zA-Z0-9]+)+)$/) {
        # user has a valid-looking realm
        update request {
            Stripped-User-Name := "%{1}"
            # "=" only sets Realm if nothing earlier in authorize has
            # already set it; the realm is upper-cased so the comparison
            # below is case-insensitive.
            Realm = "%{toupper:%{2}}"
        }
    }
    else {
        # malformed NAI: refuse it here rather than forwarding junk upstream
        update reply {
            Reply-Message := "malformed username"
        }
        reject
    }

    if (Realm == MY.REALM) {
        # our own users: authenticate locally
        ...
    }
    else {
        # well-formed foreign realm: hand it to the DEFAULT realm in proxy.conf
        update control {
            Proxy-To-Realm := DEFAULT
        }
    }
}
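To see what that regex actually lets through before putting it in front of the proxy, here is the same check and routing decision in Python. This is an added example, not code from the post or from FreeRADIUS; the realm EXAMPLE.AC.UK stands in for MY.REALM, and the sample User-Names are constructed, not captured traffic. Two things differ from the unlang on purpose: the match is case-insensitive, and the pattern ends in \Z rather than $, because Python's $ also matches just before a trailing newline, so a User-Name ending in "\n" would otherwise be accepted.

```python
import re

# NAI check mirroring the unlang regex in the post: local part before '@',
# realm made of dot-separated labels of [-A-Z0-9]. IGNORECASE so lowercase
# realms match; \Z instead of $ so a trailing newline is not tolerated.
NAI_RE = re.compile(r"^([^@]*)@([-A-Z0-9]+(?:\.[-A-Z0-9]+)+)\Z", re.IGNORECASE)

# Hypothetical local realm standing in for MY.REALM in the post.
LOCAL_REALM = "EXAMPLE.AC.UK"


def classify(user_name, local_realm=LOCAL_REALM):
    """Return the routing decision the authorize block would make.

    ("reject", None, None)      -> malformed NAI, Access-Reject, nothing proxied
    ("local", stripped, realm)  -> realm is ours, authenticate locally
    ("proxy", stripped, realm)  -> well-formed foreign realm, Proxy-To-Realm DEFAULT
    """
    m = NAI_RE.match(user_name)
    if not m:
        return ("reject", None, None)
    # Stripped-User-Name := "%{1}", Realm = "%{toupper:%{2}}"
    stripped, realm = m.group(1), m.group(2).upper()
    if realm == local_realm.upper():
        return ("local", stripped, realm)
    return ("proxy", stripped, realm)


# Constructed sample User-Names (not real traffic). The last one has the
# shape of the junk described in the post: leading space, newline, repeated.
SAMPLES = [
    "alice@example.ac.uk",
    "bob@other.edu",
    "Bob@Other.Edu",
    "alice",                    # no realm at all
    "alice@localhost",          # single-label realm, not routable in eduroam
    "alice@@other.edu",
    "alice@other.edu\n",        # trailing newline from a broken supplicant
    " user@domain\n user@domain\n user@domain",
]


def main():
    for name in SAMPLES:
        print(repr(name), "->", classify(name))


if __name__ == "__main__":
    main()
```

One caveat the unlang inherits: `[^@]*` allows an empty local part and whitespace, so "@other.edu" and " user@other.edu" are still proxied. If the upstream servers complain about those too, tighten the first group to `[^@\s]+`.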