Example Moonshot Policies
a.cudbardb at freeradius.org
Tue Jul 22 04:34:27 CEST 2014
On 21 Jul 2014, at 21:56, Sam Hartman <hartmans at mit.edu> wrote:
> We've been working with Alan to get some changes related to Moonshot
> (http://www.project-moonshot.org/ ) into FreeRADIUS.
> Thanks to his work, most of our changes are now in the code base.
> There's one change not yet integrated related to the support of a trust
> router for dynamic realm provisioning.
> We're putting together a number of sample policies. In particular:
> * Updates to the channel binding virtual server to do correct matching
> of ABFAB requests information
> * A policy for an ABFAB IDP (home AAA server) to use to verify that
> information supplied by the NAS matches what's expected for that NAS
> according to a database provisioned by the trust router
> * A policy to run on a proxy near the NAS to verify that the NAS is
> claiming the correct identity based on client configuration.
> None of these policies actually depend on the trust router code that
> isn't yet integrated, although most useful configurations where you'd
> want to turn on these policies would require that code.
> we'd like to supply these sample policies to be included.
> For the most part our preference is to give a policy.d file so that it
> can be easily updated.
Agreed, best to group them in a file with their own common prefixes.
> would you prefer that we also contribute commented out code to invoke
> this policy at the right places in sites-available?
No, include example sites-enabled virtual servers to implement the various
moonshot roles. The current default file is too cluttered already.
> Should we contribute a sample database module to demonstrate the
> database we're using Or would you rather us put that in the trust
> router package?
Feel free. It should go in mods-config/sql/<db flavour>/moonshot or
whatever the framework/protocol will be eventually known as.
My preference is for sqlite, because the database can be bootstrapped
using a schema file the first time the server is run.
Most serious sites will probably be running PostgreSQL, so both would
be good if you have time/resources.
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 881 bytes
Desc: Message signed with OpenPGP using GPGMail
More information about the Freeradius-Devel