On Sun, 9 Dec 2012, Alan Buxey wrote:
Hi,
This looks like something I should be doing but I have no idea where to insert this section. Is it in proxy.conf or somewhere else? And
in the authorize section of your virtual server, straight after the preprocess/suffix/realm module calls (ie before any real authorization action)
With this configuration, I guess I don't need realm's LOCAL or NULL?
correct - you will deal with your LOCAL realm by handling your defined realm, with eduroam you dont want to EVER authenticate a user you hasnt provided a realm - because , for your own users, they may work fine....when they are at your site....they then think/believe their configuration works...and then find it doesnt work when they go to another eduroam site...and then they'll blame that site, your site or eduroam. best policy for eduroam is ALWAYS ensure a realm is defined on the client
ok, both the default and inner-tunnel, I assume? I added the section to "authorize", but the DEBUG output indicates the regular expression is rejecting a valid user. Is there someone that could confirm the RE? if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) { ... [suffix] Looking up realm "domain.ca" for User-Name = "mdiggins@domain.ca" [suffix] Found realm "DEFAULT" [suffix] Adding Realm = "DEFAULT" [suffix] Proxying request from user mdiggins to realm DEFAULT [suffix] Preparing to proxy authentication request to realm "DEFAULT" ++[suffix] returns updated [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 3 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop ++? if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) ? Evaluating (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) -> FALSE ++? if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) -> FALSE ++- entering else else {...} +++[reply] returns noop +++[reject] returns reject ++- else else returns reject -Mike