On 9/1/20 1:51 PM, Alan DeKok wrote:
On Sep 1, 2020, at 5:19 AM, Arnaud LAURIOU <arnaud.lauriou@renater.fr> wrote:
We have freeRADIUS proxies dedicated to eduroam, version 3.0.21.
Some of our clients are sending us Access-Request ... with their realm. We forward them to their home_server Why?
The only packets you should get from Eduroam are ones for your realm. All other packets should be rejected immediately.
if (Realm != "renate.fr) { reject } Yes but maybe I didn't make myself clear : I'm talking about our .fr federation level eduroam proxies, not our 'renater.fr' RADIUS server.
If they're sending packets for their realm to you, then you have no obligation to be polite. Don't send the packets back. Just reject them. Yes, I tried a solution in pre-proxy section (described in my prevous email) but it's NOK for monitor requests like nagios@<realm>.fr when client and home_server are the same.
Do I need to go further with this solution (e.g. use a specific CLI attribute so that these requests can be handled separately) or is there a completely different way to protect our proxies from loops with FR ? Regards, Arnaud Lauriou