Altering identity

Sven Hartge sven at svenhartge.de
Thu Aug 15 07:13:01 CEST 2019


On 15.08.19 03:24, Alan DeKok wrote:

>   What you should be doing is:
> 
> * all users log in with a non-empty outer identity.
> * *your* users log in with outer identity of "@my.domain.tld"
> * the FreeRADIUS configuration has that domain as a local one
> * everything else gets proxied to eduroam
> 
>   A long and detailed guide is in the Wiki: https://wiki.freeradius.org/guide/eduroam

If I may add, as an University admin having to deal with foreign
(meaning not from my University) users:

For the love of $deity, enforce the existence of a realm in the Eduroam
SSID for every user, even your local ones.

I really really really hate all the users from other universities who
try to log in to our Eduroam SSID using only "username" instead of
"username at uni.ver.sity", causing unneccesary chatter and rejects from
the local RADIUS servers.

This additionally serves the purpose of ensuring that your *own* users
have a realm configured, so their configuration continues to work in
foreign Eduroam networks.

Please, don't allow just "username" for your local users to work in your
Eduroam, you will create a heap of problems for you and your users down
the line.

Believe me, I was down that line and it was a real mess to clean up.

Grüße,
Sven.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20190815/6f2b45ce/attachment-0001.sig>


More information about the Freeradius-Users mailing list