I am using freeradius to proxy eduroam requests. These could be for any number of different realms so I only have a DEFAULT realm configured. I now want to reject authentication to one specific realm (my own) but pass all others. The proxy server can't do this for me so I need to do it before proxying. I have been reading all the man pages but can't figure this out..how where is this done? B
Sorry if I mistaken and sorry for my english. I think you can use one of the next two options. Correct me if I'm wrong. OPTION A You can use unlang doing something like that: ### /etc/freeradius/proxy.conf realm your.realm { # authhost = LOCAL # not strictly necessary # accthost = LOCAL # not strictly necessary # nostrip } ### /etc/freeradius/sites-enable/default authorize { . . . suffix if ("%{Realm}" == /your\.realm$/){ update control { Auth-Type = Reject } } OPTION B Using hints and users files: ### /etc/freeradius/hints DEFAULT Suffix == "your.realm" Hint = "MYUSERS", ### /etc/freeradius/users DEFAULT Hint == "MYUSERS", Auth-Type := RejectB ____________________ Ana Gallardo Gómez ____________________
Tried option A , but I get a syntax error: Wed Nov 25 10:14:26 2009 : Error: /etc/raddb/radiusd.conf[1829]: Line is not in 'attribute = value' format Wed Nov 25 10:14:26 2009 : Error: Errors reading radiusd.conf This matches the 'if' statement.
Tried option A , but I get a syntax error:
Wed Nov 25 10:14:26 2009 : Error: /etc/raddb/radiusd.conf[1829]: Line is not in 'attribute = value' format Wed Nov 25 10:14:26 2009 : Error: Errors reading radiusd.conf
This matches the 'if' statement.
And how does your if statement look like? It should be something like: if(Realm == "whatever") { ... } Ivan Kalik
And how does your if statement look like? It should be something like:
Looks pretty much exactly like Ana's email except I've substituted 'your' and 'realm'
if ("%{Realm}" == /your\.realm$/) { update control { Auth-Type = Reject } }
http://wiki.freeradius.org/Operators I am not sure what are you trying to do. If you are trying to match regex then use a proper operator. And if you are trying to do an exact match than right side should be a string not regex. And use just "Realm" on the left. Ivan Kalik
All I am trying to do is reject auth requests from a specific realm. http://wiki.freeradius.org/Operators
I am not sure what are you trying to do. If you are trying to match regex then use a proper operator. And if you are trying to do an exact match than right side should be a string not regex. And use just "Realm" on the left.
So something like? This gives the same error.
if (Realm == your.realm) { update control { Auth-Type = Reject } } Where is the syntax for flow control like 'if' documented?
All I am trying to do is reject auth requests from a specific realm.
http://wiki.freeradius.org/Operators
I am not sure what are you trying to do. If you are trying to match regex then use a proper operator. And if you are trying to do an exact match than right side should be a string not regex. And use just "Realm" on the left.
So something like? This gives the same error.
if (Realm == your.realm) { update control { Auth-Type = Reject } }
Where is the syntax for flow control like 'if' documented?
man unlang Ivan Kalik
Sorry, if (Realm == 'your.realm') { update control { Auth-Type = Reject } } ____________________ Ana Gallardo Gómez ____________________
Ben Carbery <ben.carbery@gmail.com> wrote:
I am using freeradius to proxy eduroam requests. These could be for any number of different realms so I only have a DEFAULT realm configured.
I'm a 'DEFAULT' kinda guy, however there seems to be in the .ac.uk world a push to get people to 'nudge' (using 'Proxy-to-Realm') eduroam authentications and not have a DEFAULT at all....fortuantely FreeRADIUS lets you do things however it suits you. I opted for the 'DEFAULT' approach as I personally like how it fills the 'eduroam' requirement alongside the realm blacklisting.
I now want to reject authentication to one specific realm (my own) but pass all others. The proxy server can't do this for me so I need to do it before proxying. I have been reading all the man pages but can't figure this out..how where is this done?
In my proxy.conf file I have something like: ---- realm auth-reject.virtual { virtual_server = auth-reject } # you *must* reject realm-less 'eduroam' queries, even for your # local users, otherwise you will run into operational issues # when your own users try to roam. If you want more details do # contact me off list. realm NULL { virtual_server = auth-reject nostrip } realm soas.ac.uk { # authhost = LOCAL # not strictly necessary # accthost = LOCAL # not strictly necessary } realm DEFAULT { # snipped our pool definition pool = eduroam nostrip } # blackhole routing realm myabc.com { virtual_server = auth-reject nostrip } realm "~\\.3gppnetwork\\.org$" { virtual_server = auth-reject nostrip } ---- ---- authorize { preprocess suffix # handle blackhole'd (and NULL) realms if (Realm != "soas.ac.uk" && Realm != "DEFAULT") { handled } validate_username .... } ---- Our 'auth-reject' virtual server is: ---- server auth-reject { authorize { suffix switch "%{Realm}" { case "NULL" { update reply { Reply-Message := "No Realm" } } # we should not get here case "DEFAULT" { update reply { Reply-Message := "ERROR" } } # we *really* should not get here case "soas.ac.uk" { update reply { Reply-Message := "BIG ERROR" } } case { update reply { Reply-Message := "Realm Blackholed" } } } reject } } ---- As a side note, 'validate_username' is a policy.conf definition I created to make sure the username looks vaguely sane. I recommend you use it :) ---- # only needs to be close enough to catch unroutable guff # FIXME seems to permit 'space' through, for example 'xwFMNc02QnAbZlQ9wI9tiG@GlobalSign Root CA' validate_username { # HACK remove once 'space' regex bug is fixed if (User-Name =~ /[[:space:]]/) { update reply { Reply-Message := "Invalid User-Name Syntax" } reject } if (User-Name !~ /@/ \ || ( \ User-Name !~ /@.*@/ \ && User-Name =~ /^[[:graph:]]*@([-[:alnum:]]+\.)+[[:alpha:]]{2,}$/ \ ) \ ) { ok } else { update reply { Reply-Message := "Invalid User-Name Syntax" } reject } } ---- Once set up, once cooked you simply add more realms to proxy.conf to blackhole and it keeps you main configuration generally rather simple. Cheers -- Alexander Clouter .sigmonster says: Many people are unenthusiastic about their work.
participants (4)
-
Alexander Clouter -
Ana Gallardo -
Ben Carbery -
tnt@kalik.net