Ben Carbery <ben.carbery@gmail.com> wrote:
I am using freeradius to proxy eduroam requests. These could be for any number of different realms so I only have a DEFAULT realm configured.
I'm a 'DEFAULT' kinda guy, however there seems to be in the .ac.uk world a push to get people to 'nudge' (using 'Proxy-to-Realm') eduroam authentications and not have a DEFAULT at all....fortuantely FreeRADIUS lets you do things however it suits you. I opted for the 'DEFAULT' approach as I personally like how it fills the 'eduroam' requirement alongside the realm blacklisting.
I now want to reject authentication to one specific realm (my own) but pass all others. The proxy server can't do this for me so I need to do it before proxying. I have been reading all the man pages but can't figure this out..how where is this done?
In my proxy.conf file I have something like: ---- realm auth-reject.virtual { virtual_server = auth-reject } # you *must* reject realm-less 'eduroam' queries, even for your # local users, otherwise you will run into operational issues # when your own users try to roam. If you want more details do # contact me off list. realm NULL { virtual_server = auth-reject nostrip } realm soas.ac.uk { # authhost = LOCAL # not strictly necessary # accthost = LOCAL # not strictly necessary } realm DEFAULT { # snipped our pool definition pool = eduroam nostrip } # blackhole routing realm myabc.com { virtual_server = auth-reject nostrip } realm "~\\.3gppnetwork\\.org$" { virtual_server = auth-reject nostrip } ---- ---- authorize { preprocess suffix # handle blackhole'd (and NULL) realms if (Realm != "soas.ac.uk" && Realm != "DEFAULT") { handled } validate_username .... } ---- Our 'auth-reject' virtual server is: ---- server auth-reject { authorize { suffix switch "%{Realm}" { case "NULL" { update reply { Reply-Message := "No Realm" } } # we should not get here case "DEFAULT" { update reply { Reply-Message := "ERROR" } } # we *really* should not get here case "soas.ac.uk" { update reply { Reply-Message := "BIG ERROR" } } case { update reply { Reply-Message := "Realm Blackholed" } } } reject } } ---- As a side note, 'validate_username' is a policy.conf definition I created to make sure the username looks vaguely sane. I recommend you use it :) ---- # only needs to be close enough to catch unroutable guff # FIXME seems to permit 'space' through, for example 'xwFMNc02QnAbZlQ9wI9tiG@GlobalSign Root CA' validate_username { # HACK remove once 'space' regex bug is fixed if (User-Name =~ /[[:space:]]/) { update reply { Reply-Message := "Invalid User-Name Syntax" } reject } if (User-Name !~ /@/ \ || ( \ User-Name !~ /@.*@/ \ && User-Name =~ /^[[:graph:]]*@([-[:alnum:]]+\.)+[[:alpha:]]{2,}$/ \ ) \ ) { ok } else { update reply { Reply-Message := "Invalid User-Name Syntax" } reject } } ---- Once set up, once cooked you simply add more realms to proxy.conf to blackhole and it keeps you main configuration generally rather simple. Cheers -- Alexander Clouter .sigmonster says: Many people are unenthusiastic about their work.