Rejecting realms based on calling client
Hello, I have two clients that proxy access requests to me. The realm varies, but the format is always userid@realm.whatever<mailto:userid@realm.whatever> Is there a way that I can deny a specific realm when an access request is received from a specific client? I tried adding something to policy.conf but I couldn't get the syntax right: #Prevent secretrealm from logging in off-campus remote_secret_reject if ("%{Realm}" == "secretrealm.ca") && ((Client-Shortname == "proxy-client1") || (Client-Shortname == "proxy-client2"))) { reject } Is there a different way that I should be doing this? Thanks, Dave Dave Aldwinckle Network Support Specialist Information Systems and Technology Phone: (519)-888-4567 ext. 31145 E-Mail: daldwinc@uwaterloo.ca<mailto:daldwinc@uwaterloo.ca>
David Aldwinckle wrote:
Is there a way that I can deny a specific realm when an access request is received from a specific client?
Yes.
I tried adding something to policy.conf but I couldn't get the syntax right:
So... what happened? Did you get an error? Is it a secret?
#Prevent secretrealm from logging in off-campus remote_secret_reject if ("%{Realm}" == "secretrealm.ca") && ((Client-Shortname == "proxy-client1") || (Client-Shortname == "proxy-client2"))) { reject }
Is there a different way that I should be doing this?
You can do it via a policy. But you have to get the syntax right. See "man unlang" for documentation on the syntax. See the policy.conf file for examples of working policies. Alan DeKok.
Hi Alan, Thanks for your response. Initially FreeRadius would not start and I did get an error indicating that the "remote_secret_reject" module failed to load. There was no reason given even with -XXX. I found since then that I was missing a brace. Now I can get FreeRadius to start. I still seem to be missing something though, since my policy does not work. Here it is: remote_secret_reject { if ((Realm == "secret.campus.ca") && ((Client-Shortname == "proxy1.net") || (Client-Shortname == "proxy2.net"))) { reject } } In sites-enabled/default: authorize { Š remote_secret_reject Š } Here is the log: Aug 15 09:02:33 radius1 radiusd[3408]: Login OK: [confS13-150@secret.campus.ca] (from client proxy1.net port 44721 cli 11-22-33-44-55-66 via TLS tunnel) Aug 15 09:02:34 radius1 radiusd[3408]: Login OK: [confS13-150@secret.campus.ca] (from client proxy1.net port 44721 cli 11-22-33-44-55-66) I have a feeling that the solution is painfully obvious but I'm just not seeing it. Thanks, Dave Aldwinckle On 2013-08-13 11:22 AM, "Alan DeKok" <aland@deployingradius.com> wrote:
David Aldwinckle wrote:
Is there a way that I can deny a specific realm when an access request is received from a specific client?
Yes.
I tried adding something to policy.conf but I couldn't get the syntax right:
So... what happened? Did you get an error? Is it a secret?
#Prevent secretrealm from logging in off-campus remote_secret_reject if ("%{Realm}" == "secretrealm.ca") && ((Client-Shortname == "proxy-client1") || (Client-Shortname == "proxy-client2"))) { reject }
Is there a different way that I should be doing this?
You can do it via a policy. But you have to get the syntax right. See "man unlang" for documentation on the syntax. See the policy.conf file for examples of working policies.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
David Aldwinckle wrote:
Initially FreeRadius would not start and I did get an error indicating that the "remote_secret_reject" module failed to load. There was no reason given even with -XXX. I found since then that I was missing a brace.
Now I can get FreeRadius to start. I still seem to be missing something though, since my policy does not work.
See the FAQ for "it doesn't work". Post useful messages, or you will be ignored. Alan DeKok.
Hi,
Initially FreeRadius would not start and I did get an error indicating that the "remote_secret_reject" module failed to load. There was no reason given even with -XXX. I found since then that I was missing a brace.
Now I can get FreeRadius to start. I still seem to be missing something though, since my policy does not work. Here it is:
remote_secret_reject { if ((Realm == "secret.campus.ca") && ((Client-Shortname == "proxy1.net") || (Client-Shortname == "proxy2.net"))) { reject } }
radiusd -X it will show the logic, the variables and the result. you can then see why things arent working alan
Sigh. I broke the cardinal rule of the list _again_. I'Ll grab a full debug log now. Sorry for the spam. Dave Aldwinckle On 2013-08-13 11:22 AM, "Alan DeKok" <aland@deployingradius.com> wrote:
David Aldwinckle wrote:
Is there a way that I can deny a specific realm when an access request is received from a specific client?
Yes.
I tried adding something to policy.conf but I couldn't get the syntax right:
So... what happened? Did you get an error? Is it a secret?
#Prevent secretrealm from logging in off-campus remote_secret_reject if ("%{Realm}" == "secretrealm.ca") && ((Client-Shortname == "proxy-client1") || (Client-Shortname == "proxy-client2"))) { reject }
Is there a different way that I should be doing this?
You can do it via a policy. But you have to get the syntax right. See "man unlang" for documentation on the syntax. See the policy.conf file for examples of working policies.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
David Aldwinckle