addition to policy.conf

alan buxey A.L.M.Buxey at lboro.ac.uk
Fri Jun 1 20:47:24 CEST 2012


hi,

a little something that I've been meaning to send out for a while. basically, a small
addition to policy.conf (that probably could do with a few little extra additions) that will
allow sites to easily check for NAI 4282 compliance - simply, that a User-Name is valid
for proxying to other locations - a great boon for sites using eduroam, for example, as
it stops end sites filling up the hierarchical proxy system with junk requests....

many sites have a lot of messy rules in place...with this addition to policy.conf all
they need to do is call check_nai_compliance in their authorize section and things are nice.


attached (should be all okay for 2.1.13 and 3.x)


alan
-------------- next part --------------
	
	#
	#	Check NAI compliance - RFC 4282
	#
	check_nai_compliance {

		#
		# Reject if username doesn't have an @   e.g. user
		#
		if( User-Name !~ /@/ ) {
			update reply {
				Reply-Message = "missing @ , so no realm"
			}
			reject
		}

		#
		# reject whitespace e.g. user@ site.com
		#
		if (User-Name =~ / /) {
			update reply {
				Reply-Message = "misconfigured client. Username/realm contains whitespace"
			}
			reject
		}

		#
		# reject Multiple @'s   e.g.  user@site.com@site.com
		#
		if(User-Name =~ /@(.+)?@/i ) {
			update reply {
				Reply-Message = "rejected multiple @ in username"
			}
			reject
		}
		
		#
		# reject double dots   e.g. user@site..com
		#
		if (User-Name =~ /\\.\\./ ) {
			update reply {
				Reply-Message = "misconfigured client. Username/realm contains double dots"
			}
			reject
		}
		
		#
		# must have at least 1 string-dot-string after @  e.g. user@site.com
		#
		if (User-Name !~ /@(.+)\\.(.+)$/)  {
			update reply {
				Reply-Message = "misconfigured client. Realm doesn't have at least one dot separator"
			}
			reject
		}

		#
		# Realm ends with a dot e.g. user@site.com.
		#
		if (User-Name =~ /\\.$/)  {
			update reply {
				Reply-Message = "misconfigured client. Realm ends with a dot"
			}
			reject
		}

		#
		# Realm begins with a dot e.g. user@.site.com
		# (=~ rather than !~: reject only when a dot directly follows the @,
		#  otherwise every well-formed realm would be rejected here)
		#
		if (User-Name =~ /@\\./)  {
			update reply {
				Reply-Message = "misconfigured client. Realm begins with a dot"
			}
			reject
		}

		# end of check_nai_compliance
	}
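The policy above is a plain ordered list of regex tests, which makes it easy to reproduce outside the RADIUS server and run over a set of User-Names before switching it on in authorize. The following Python is an added example, not part of the original post or of FreeRADIUS: it mirrors the seven checks in the same order, with the "begins with a dot" test written so that it fires when a dot directly follows the @ (as that check's comment describes), and applies them to a constructed set of sample User-Names. Names such as NAI_RULES, check_nai_compliance and summarize are this example's own.

```python
import re

# Ordered rules mirroring the posted check_nai_compliance policy. Each entry is
# (regex, reject_when_matched, Reply-Message). reject_when_matched=False is the
# policy's "!~" form: the request is rejected when the pattern is absent.
NAI_RULES = [
    (r"@",            False, "missing @ , so no realm"),
    (r" ",            True,  "misconfigured client. Username/realm contains whitespace"),
    (r"@(.+)?@",      True,  "rejected multiple @ in username"),
    (r"\.\.",         True,  "misconfigured client. Username/realm contains double dots"),
    (r"@(.+)\.(.+)$", False, "misconfigured client. Realm doesn't have at least one dot separator"),
    (r"\.$",          True,  "misconfigured client. Realm ends with a dot"),
    (r"@\.",          True,  "misconfigured client. Realm begins with a dot"),
]


def check_nai_compliance(user_name):
    """Return None when User-Name passes every rule, otherwise the Reply-Message
    of the first rule that fails. As with unlang's 'reject', evaluation stops at
    the first failure, so rule order decides which message the client sees."""
    for pattern, reject_when_matched, message in NAI_RULES:
        matched = re.search(pattern, user_name) is not None
        if matched == reject_when_matched:
            return message
    return None


# Constructed sample User-Names (not taken from the original post); one per rule,
# plus two that should pass.
SAMPLE_USER_NAMES = [
    "alice@example.org",
    "alice.smith@sub.example.org",
    "alice",
    "alice@ example.org",
    "alice@example.org@example.org",
    "alice@example..org",
    "alice@localhost",
    "alice@example.org.",
    "alice@.example.org",
]


def summarize(user_names=SAMPLE_USER_NAMES):
    """Map each User-Name to 'accept' or 'reject: <Reply-Message>'."""
    verdicts = {}
    for name in user_names:
        reason = check_nai_compliance(name)
        verdicts[name] = "accept" if reason is None else "reject: " + reason
    return verdicts


if __name__ == "__main__":
    for name, verdict in summarize().items():
        print(f"{name!r:40} {verdict}")
```

Two properties of the rule set are visible when running it: nothing constrains the part before the @, so an empty username such as "@example.org" is accepted, and the whitespace rule only looks for an ASCII space, so a tab in a User-Name passes. Both are places a site could add the "few little extra additions" the post mentions before relying on the policy to keep junk out of a proxy hierarchy.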


