addition to policy.conf

Alan DeKok aland at deployingradius.com
Mon Jun 4 08:26:14 CEST 2012


Brian Candler wrote:
> But I don't really see the point. Why not simply proxy it to the
> authoritative server, and let that server reply that it's invalid?  Why
> distribute policy about which realms may (or may not) be valid all over the
> place?  Such policy, if it is ever wrong, is likely to lead to
> difficult-to-debug problems.

  As Alan && Stefan pointed out, that's a bad idea.

  When problems are created at the edge of the network, it's best to
stop them there.  Sending them to the core makes it harder for everyone.

> For an example of how this breaks things, look at all those websites which
> validate domains to only .com, .net, .org and so on.  Now that hundreds of
> new TLDs are coming along, those sites will all erroneously reject perfectly
> valid domains.  The DNS is a database, so you may as well just query it, and
> get the additional benefit of rejecting specific non-existent domains.
> 
> The same argument applies to RADIUS proxying IMO.

  Except the regexes that Alan posted don't verify domain *names*.  They
verify realm *format*.  It's like looking for non-ASCII in DNS packets.
 If you see it, it's definitively wrong.  The protocol specifically
forbids it.

  In RADIUS proxying, the realm format is largely email addresses.  Most
other formats have disappeared.  So checking for that, and discarding
*known bad* formats is a good idea.

  Alan DeKok.


More information about the Freeradius-Devel mailing list