hi,
Yes, I tried a solution in pre-proxy section (described in my prevous email) but it's NOK for monitor requests like nagios@<realm>.fr when client and home_server are the same.
are they trying to monitor themselves via the national roaming proxies?
The simplest way is perhaps to just add a vendor-specific attribute. If you see a packet without that VSA, you forward it. If you see a packet with that VSA, you know it's looped, and you reject it.
+1 for this - its how we dealt with initial loop prevention when moving to RADSEC . i think theres an eduroam recipe for freeradius lying around on the GÉANT confluence wiki somewhere
Monitoring packets shouldn't contain EAP-Message, so the above rule should catch only EAP authentication requests.
well, all non EAP should be blocked incoming at national proxy level anyway so monitoring should be an EAP method just like real clients... alan