Set up /dev/null (no auth) proxy server on NULL realm
Hello folks, I use freeradius 3.0.4 on CentOS 7.2 (RPM) And I want to set up /dev/null (without auth) proxy server on NULL realm. Now, I set up my proxy.conf as follow. ----- realm NULL { authhost = 127.0.0.1:1645 accthost = 127.0.0.1:1646 secret = dummy } ----- No service exist in 127.0.0.1:1645, 1646. When user try to auth without realm (NULL realm), all authentication going to fail. I have some question. 1) Is my setting correct ? 2) Is there a way to set the timeout? (I want to set timeout to 0) 3) Any other advice? Best regards,
Hi,
I use freeradius 3.0.4 on CentOS 7.2 (RPM) And I want to set up /dev/null (without auth) proxy server on NULL realm.
Now, I set up my proxy.conf as follow.
----- realm NULL { authhost = 127.0.0.1:1645 accthost = 127.0.0.1:1646 secret = dummy } -----
No service exist in 127.0.0.1:1645, 1646.
oh dear.
When user try to auth without realm (NULL realm), all authentication going to fail.
not really...it'll be worse that that.
I have some question. 1) Is my setting correct ? 2) Is there a way to set the timeout? (I want to set timeout to 0) 3) Any other advice?
what you will get is a server trying to proxy a request off to localhost port 1645/1646..which wont respond...will get marked as dead.... you'll get huge backups of failures and intransit proxy requests reattempted etc and leading to a final failure of your otherwise okay system. if you want to just fail anyone trying to login with no realm, then simply use unlang to reject them! eg, in authorise section of your server if (%{User-Name} !~ /@/ ) { reject } alan
Hello alan, Thank you for your reply. Sorry for lack of information. Instead of failing all users' authentication, we want to fail only in the case of NULL realm. DEFAULT realm will authenticate with a real authentication server. Only in the case of NULL realm, please tell me if there is a best practice to forcibly fail. Best, regards! 2016-12-05 19:00 GMT+09:00 <A.L.M.Buxey@lboro.ac.uk>:
Hi,
I use freeradius 3.0.4 on CentOS 7.2 (RPM) And I want to set up /dev/null (without auth) proxy server on NULL realm.
Now, I set up my proxy.conf as follow.
----- realm NULL { authhost = 127.0.0.1:1645 accthost = 127.0.0.1:1646 secret = dummy } -----
No service exist in 127.0.0.1:1645, 1646.
oh dear.
When user try to auth without realm (NULL realm), all authentication going to fail.
not really...it'll be worse that that.
I have some question. 1) Is my setting correct ? 2) Is there a way to set the timeout? (I want to set timeout to 0) 3) Any other advice?
what you will get is a server trying to proxy a request off to localhost port 1645/1646..which wont respond...will get marked as dead.... you'll get huge backups of failures and intransit proxy requests reattempted etc and leading to a final failure of your otherwise okay system.
if you want to just fail anyone trying to login with no realm, then simply use unlang to reject them! eg, in authorise section of your server
if (%{User-Name} !~ /@/ ) { reject }
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Hi,
Instead of failing all users' authentication, we want to fail only in the case of NULL realm. DEFAULT realm will authenticate with a real authentication server.
NULL realm is no realm. thus you check with unlang as to whether is a realm. my previous answer already did that. please stop thkining about DEFALT and NULL anyway - those things are going - think instead of what the realm looks like, what format it is and how you want it handled (you shouldnt be using DEFAULT either ;-) ) alan
Hello alan, Thank you for your polite answer. I will explain the background of the question. My proxy.conf as follow. ----- realm "~^subdomain\.domain\.com$" { authhost = LOCAL accthost = LOCAL } realm "~^(.+\.)?domain\.com$" { authhost = 127.0.0.1:1645 accthost = 127.0.0.1:1646 secret = dummy } home_server server1 { ... } home_server server2 { ... } home_server_pool server { type = fail-over home_server = server1 home_server = server2 } realm NULL { authhost = 127.0.0.1:1645 accthost = 127.0.0.1:1646 secret = dummy } realm DEFAULT { pool = server nostrip } ----- Authenticate the user only when subdomain is attached. In case of domain without subdomain, if domain.com doesnot exist, I want to fail authentication. In this case, what do you think? Best regards, 2016-12-05 20:48 GMT+09:00 <A.L.M.Buxey@lboro.ac.uk>:
Hi,
Instead of failing all users' authentication, we want to fail only in the case of NULL realm. DEFAULT realm will authenticate with a real authentication server.
NULL realm is no realm. thus you check with unlang as to whether is a realm.
my previous answer already did that.
please stop thkining about DEFALT and NULL anyway - those things are going - think instead of what the realm looks like, what format it is and how you want it handled (you shouldnt be using DEFAULT either ;-) )
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
A.L.M.Buxey@lboro.ac.uk -
Seiichirou Hiraoka