Example Moonshot Policies

Sam Hartman hartmans at mit.edu
Tue Jul 22 03:56:18 CEST 2014


Hi.

We've been working with Alan to get some changes related to Moonshot
(http://www.project-moonshot.org/) into FreeRADIUS.
Thanks to his work, most of our changes are now in the code base.

There's one change not yet integrated related to the support of a trust
router for dynamic realm provisioning.

We're putting together a number of sample policies.  In particular:

* Updates to the channel binding virtual server to do correct matching
  of ABFAB requests information

* A policy for an ABFAB IDP (home AAA server) to use to verify that
  information supplied by the NAS matches what's expected for that NAS
  according to a database provisioned by the trust router

* A policy to run on a proxy near the NAS to verify that the NAS is
  claiming the correct identity based on client configuration.

None of these policies actually depend on the trust router code that
isn't yet integrated, although most useful configurations where you'd
want to turn on these policies would require that code.

We'd like to supply these sample policies to be included.
For the most part our preference is to give a policy.d file so that it
can be easily updated.

Would you prefer that we also contribute commented out code to invoke
this policy at the right places in sites-available?

Should we contribute a sample database module to demonstrate the
database we're using? Or would you rather us put that in the trust
router package?


Thanks,

--Sam

