Rejecting auth from a specific realm

Alexander Clouter alex at digriz.org.uk
Wed Nov 25 12:54:30 CET 2009


Ben Carbery <ben.carbery at gmail.com> wrote:
>
> I am using freeradius to proxy eduroam requests. These could be for any
> number of different realms so I only have a DEFAULT realm configured.
>
I'm a 'DEFAULT' kinda guy, however there seems to be in the .ac.uk world 
a push to get people to 'nudge' (using 'Proxy-to-Realm') eduroam 
authentications and not have a DEFAULT at all... fortunately FreeRADIUS 
lets you do things however it suits you.

I opted for the 'DEFAULT' approach as I personally like how it fills the 
'eduroam' requirement alongside the realm blacklisting.
 
> I now want to reject authentication to one specific realm (my own) but pass
> all others. The proxy server can't do this for me so I need to do it before
> proxying. I have been reading all the man pages but can't figure this
> out..how where is this done?
> 
In my proxy.conf file I have something like:
----
realm auth-reject.virtual {
        virtual_server  = auth-reject
}

# you *must* reject realm-less 'eduroam' queries, even for your
# local users, otherwise you will run into operational issues
# when your own users try to roam.  If you want more details do 
# contact me off list.
realm NULL {
        virtual_server  = auth-reject

        nostrip
}

realm soas.ac.uk {
#       authhost = LOCAL      # not strictly necessary
#       accthost = LOCAL      # not strictly necessary
}

realm DEFAULT {
        # snipped our pool definition
        pool            = eduroam

        nostrip
}

# blackhole routing
realm myabc.com {
        virtual_server  = auth-reject

        nostrip
}
realm "~\\.3gppnetwork\\.org$" {
        virtual_server  = auth-reject

        nostrip
}
----

----
authorize {
        preprocess

        suffix

        # handle blackhole'd (and NULL) realms
        if (Realm != "soas.ac.uk" && Realm != "DEFAULT") {
                handled
        }

        validate_username

        ....
}
----

Our 'auth-reject' virtual server is:
----
server auth-reject {
        authorize {
                suffix

                switch "%{Realm}" {
                        case "NULL" {
                                update reply {
                                        Reply-Message := "No Realm"
                                }
                        }

                        # we should not get here
                        case "DEFAULT" {
                                update reply {
                                        Reply-Message := "ERROR"
                                }
                        }

                        # we *really* should not get here
                        case "soas.ac.uk" {
                                update reply {
                                        Reply-Message := "BIG ERROR"
                                }
                        }

                        case {
                                update reply {
                                        Reply-Message := "Realm Blackholed"
                                }
                        }
                }

                reject
        }
}
----

As a side note, 'validate_username' is a policy.conf definition I 
created to make sure the username looks vaguely sane.  I recommend you 
use it :)
----
# only needs to be close enough to catch unroutable guff
# FIXME seems to permit 'space' through, for example 'xwFMNc02QnAbZlQ9wI9tiG at GlobalSign Root CA'
validate_username {
        # HACK remove once 'space' regex bug is fixed
        if (User-Name =~ /[[:space:]]/) {
                update reply {
                        Reply-Message := "Invalid User-Name Syntax"
                }
                reject
        }

        if (User-Name !~ /@/ \
                        || ( \
                               User-Name !~ /@.*@/ \
                               && User-Name =~ /^[[:graph:]]*@([-[:alnum:]]+\.)+[[:alpha:]]{2,}$/ \
                        ) \
        ) {
                ok
        }
        else {
                update reply {
                        Reply-Message := "Invalid User-Name Syntax"
                }
                reject
        }
}
----

Once set up and cooked, you simply add more realms to proxy.conf to 
blackhole, and it keeps your main configuration generally rather simple.

Cheers

-- 
Alexander Clouter
.sigmonster says: Many people are unenthusiastic about their work.

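The routing and username rules above are easier to reason about when they can be exercised against sample names offline. The Python below is an added example, not FreeRADIUS code and not part of the post: it models the decisions the proxy.conf realms, the authorize section and the validate_username policy make for a given User-Name. Realm names and the pool name are the post's; the case-insensitive realm comparison, the reading of `[[:graph:]]` as printable non-space ASCII, and the sample names (including the whitespace case from the FIXME) are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed model of the proxy.conf / authorize / validate_username logic
# in the post.  Added example, not FreeRADIUS code: realm names and the pool
# name are the post's; the matching rules below are assumptions noted inline.
LOCAL_REALM = "soas.ac.uk"
PROXY_POOL = "eduroam"
BLACKHOLE_REALMS = {"myabc.com"}                           # exact-match realms
BLACKHOLE_REGEXES = [re.compile(r"\.3gppnetwork\.org$")]  # "~" regex realms

# Assumption: [[:graph:]] is taken as printable non-space ASCII ('!' .. '~').
_USERNAME_RE = re.compile(r"^[!-~]*@([-A-Za-z0-9]+\.)+[A-Za-z]{2,}$")


@dataclass(frozen=True)
class Decision:
    action: str   # "reject", "local" or "proxy"
    realm: str    # what the Realm attribute would carry: "NULL", "DEFAULT" or the realm
    detail: str   # Reply-Message for rejects, pool name for proxied requests


def split_realm(user_name: str):
    """Mimic rlm_realm 'suffix': the realm is whatever follows the last '@'.

    Returns (user, realm); realm is None when the name carries no '@'.
    """
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    return user, realm


def validate_username(user_name: str):
    """Port of the validate_username policy.

    Returns None when the name passes, otherwise the Reply-Message text.
    Realm-less names pass here on purpose; the NULL realm rejects them.
    """
    if re.search(r"\s", user_name):          # the explicit 'space' work-around
        return "Invalid User-Name Syntax"
    if "@" not in user_name:
        return None
    if user_name.count("@") == 1 and _USERNAME_RE.match(user_name):
        return None
    return "Invalid User-Name Syntax"


def route(user_name: str) -> Decision:
    """Decide what the authorize section in the post does with a User-Name."""
    _, realm = split_realm(user_name)
    if realm is None:                         # realm NULL -> auth-reject
        return Decision("reject", "NULL", "No Realm")

    key = realm.lower()                       # assumption: case-insensitive lookup
    if key == LOCAL_REALM:
        realm_name = LOCAL_REALM
    elif key in BLACKHOLE_REALMS or any(rx.search(key) for rx in BLACKHOLE_REGEXES):
        # blackholed realm -> handled by the auth-reject virtual server
        return Decision("reject", realm, "Realm Blackholed")
    else:
        realm_name = "DEFAULT"

    # Only the local realm and DEFAULT reach validate_username.
    error = validate_username(user_name)
    if error is not None:
        return Decision("reject", realm_name, error)
    if realm_name == LOCAL_REALM:
        return Decision("local", LOCAL_REALM, "")
    return Decision("proxy", "DEFAULT", PROXY_POOL)


if __name__ == "__main__":
    # Constructed sample names, including the whitespace case from the FIXME.
    for name in ["alice", "alice@soas.ac.uk", "bob@myabc.com",
                 "0123456789@wlan.mnc001.mcc234.3gppnetwork.org",
                 "carol@example.edu", "xwFMNc02QnAbZlQ9wI9tiG@GlobalSign Root CA",
                 "a@b@example.edu"]:
        print(f"{name!r:50} -> {route(name)}")
```

Running the block prints one decision per sample name. The ordering mirrors the post's authorize section: NULL and blackholed realms are rejected before validate_username runs, so a badly formed name in a blackholed realm still reports "Realm Blackholed", while the same name in an unknown realm reports "Invalid User-Name Syntax".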