Hi Alan, thank you for your help. We finally made it work nicely and we are happy to share it upstream. It's shipped as policy.d/rfc7542 and a "bangpath" realm, and enabled by default for the ABFAB-specific server. https://github.com/FreeRADIUS/freeradius-server/pull/2492 Do you think it would make it for 3.0.18? Best regards, Alejandro
Yep, this definitely worked.
[...] rfc7542_recipe
# Standard RADIUS NAI routing if (!updated) { suffix { updated = 1 noop = reject } } [...]
The only thing we need to make sure about is making sure "rfc7542_recipe" does not change the "updated" status when it does not resolve a realm. Otherwise, we would need to check for the presence of the Realm attribute :(. If fact, that's happening. When "rfc7542_recipe" does not find a Trust Router realm, but resolves a local one (Ie. this is the home IDP for the End User), it does include a Realm attribute but does not change the "update" status. Should it? It is actually updating the Request by adding a Realm to it....
On the proxy: idp3_1 | (18) bangpath: Checking for prefix before "!" idp3_1 | (18) bangpath: Looking up realm "test5.org" for User-Name = "test5.org!@test3.org" idp3_1 | (18) bangpath: Found realm "apc.org%test5.org" idp3_1 | (18) bangpath: Adding Realm = "apc.org%test5.org" idp3_1 | (18) bangpath: Proxying request from user test5.org!@test3.org to realm apc.org%test5.org idp3_1 | (18) bangpath: Preparing to proxy authentication request to realm "apc.org%test5.org" idp3_1 | (18) [bangpath] = updated idp3_1 | (18) } # if (!(&control:RFC7542-Realm-1 =~ /^(test3.org)$/) && (&control:RFC7542-Realm-2 =~ /^(test3.org)$/)) = updated idp3_1 | (18) if ((&control:RFC7542-Realm-1 =~ /^(test3.org)$/) && !(&control:RFC7542-Realm-2 =~ /^(test3.org)$/)) { idp3_1 | (18) if ((&control:RFC7542-Realm-1 =~ /^(test3.org)$/) && !(&control:RFC7542-Realm-2 =~ /^(test3.org)$/)) -> FALSE idp3_1 | (18) update control { idp3_1 | (18) RFC7542-Realm-1 !* ANY idp3_1 | (18) RFC7542-Realm-2 !* ANY idp3_1 | (18) } # update control = noop idp3_1 | (18) } # if (&request:User-Name =~ /([a-zA-Z0-9\.-]+)!([a-zA-Z0-9\.-]*)\@(.+)/) = updated idp3_1 | (18) } # policy rfc7542.authorize = updated idp3_1 | (18) if (!updated) { idp3_1 | (18) if (!updated) -> FALSE idp3_1 | (18) eap: Request is supposed to be proxied to Realm apc.org%test5.org. Not doing EAP. idp3_1 | (18) [eap] = noop idp3_1 | (18) [expiration] = noop idp3_1 | (18) [logintime] = noop idp3_1 | (18) } # authorize = updated
On the IDP: idp5_1 | (11) bangpath: Checking for prefix before "!" idp5_1 | (11) bangpath: Looking up realm "test5.org" for User-Name = "test5.org!@test3.org" idp5_1 | (11) bangpath: Found realm "test5.org" idp5_1 | (11) bangpath: Adding Stripped-User-Name = "@test3.org" idp5_1 | (11) bangpath: Adding Realm = "test5.org" idp5_1 | (11) bangpath: Authentication realm is LOCAL idp5_1 | (11) [bangpath] = ok idp5_1 | (11) } # if ((&control:RFC7542-Realm-1 =~ /^(test5.org)$/) && !(&control:RFC7542-Realm-2 =~ /^(test5.org)$/)) = ok idp5_1 | (11) update control { idp5_1 | (11) RFC7542-Realm-1 !* ANY idp5_1 | (11) RFC7542-Realm-2 !* ANY idp5_1 | (11) } # update control = noop idp5_1 | (11) } # if (&request:User-Name =~ /([a-zA-Z0-9\.-]+)!([a-zA-Z0-9\.-]*)\@(.+)/) = ok idp5_1 | (11) } # policy rfc7542.authorize = ok idp5_1 | (11) if (!updated) { idp5_1 | (11) if (!updated) -> TRUE idp5_1 | (11) if (!updated) { idp5_1 | (11) suffix: Request already has destination realm set. Ignoring idp5_1 | (11) [suffix] = noop idp5_1 | (11) } # if (!updated) = reject idp5_1 | (11) } # authorize = reject
So I had to force the updated status when bangpath is executed. So, within rfc7542_recipe:
[...] # Format: not_local_realm!...@local_realm: Handle with bangpath if (!(&control:RFC7542-Realm-1 =~ /^(${policy.rfc7542_realms})$/) && \ (&control:RFC7542-Realm-2 =~ /^(${policy.rfc7542_realms})$/)) { bangpath updated } [...]
Best,
Thanks
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Alejandro Perez-Mendez Technical Specialist (AAA), Trust & Identity M (+34) 619 333 219 Skype alejandro_perez_mendez jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.