Rejecting auth from a specific realm
Alexander Clouter
alex at digriz.org.uk
Wed Nov 25 12:54:30 CET 2009
Ben Carbery <ben.carbery at gmail.com> wrote:
>
> I am using freeradius to proxy eduroam requests. These could be for any
> number of different realms so I only have a DEFAULT realm configured.
>
I'm a 'DEFAULT' kinda guy, however there seems to be in the .ac.uk world
a push to get people to 'nudge' (using 'Proxy-to-Realm') eduroam
authentications and not have a DEFAULT at all... fortunately FreeRADIUS
lets you do things however it suits you.
I opted for the 'DEFAULT' approach as I personally like how it fills the
'eduroam' requirement alongside the realm blacklisting.
> I now want to reject authentication to one specific realm (my own) but pass
> all others. The proxy server can't do this for me so I need to do it before
> proxying. I have been reading all the man pages but can't figure this
> out... how/where is this done?
>
In my proxy.conf file I have something like:
----
realm auth-reject.virtual {
        virtual_server = auth-reject
}

# you *must* reject realm-less 'eduroam' queries, even for your
# local users, otherwise you will run into operational issues
# when your own users try to roam. If you want more details do
# contact me off list.
realm NULL {
        virtual_server = auth-reject
        nostrip
}

realm soas.ac.uk {
#       authhost = LOCAL        # not strictly necessary
#       accthost = LOCAL        # not strictly necessary
}

realm DEFAULT {
        # snipped our pool definition
        pool = eduroam
        nostrip
}

# blackhole routing
realm myabc.com {
        virtual_server = auth-reject
        nostrip
}
realm "~\\.3gppnetwork\\.org$" {
        virtual_server = auth-reject
        nostrip
}
----
----
authorize {
        preprocess
        suffix

        # handle blackhole'd (and NULL) realms: 'handled' stops this
        # authorize section and the request goes to the realm's
        # virtual_server (auth-reject) instead
        if (Realm != "soas.ac.uk" && Realm != "DEFAULT") {
                handled
        }

        validate_username
        ....
}
----
Our 'auth-reject' virtual server is:
----
server auth-reject {
        authorize {
                # nostrip left User-Name intact, so re-run suffix to set Realm
                suffix

                switch "%{Realm}" {
                        case "NULL" {
                                update reply {
                                        Reply-Message := "No Realm"
                                }
                        }
                        # we should not get here
                        case "DEFAULT" {
                                update reply {
                                        Reply-Message := "ERROR"
                                }
                        }
                        # we *really* should not get here
                        case "soas.ac.uk" {
                                update reply {
                                        Reply-Message := "BIG ERROR"
                                }
                        }
                        # everything else routed here is a blackholed realm
                        case {
                                update reply {
                                        Reply-Message := "Realm Blackholed"
                                }
                        }
                }

                reject
        }
}
----
As a side note, 'validate_username' is a policy.conf definition I
created to make sure the username looks vaguely sane. I recommend you
use it :)
----
# only needs to be close enough to catch unroutable guff
# FIXME seems to permit 'space' through, for example 'xwFMNc02QnAbZlQ9wI9tiG@GlobalSign Root CA'
validate_username {
        # HACK remove once 'space' regex bug is fixed
        if (User-Name =~ /[[:space:]]/) {
                update reply {
                        Reply-Message := "Invalid User-Name Syntax"
                }
                reject
        }

        # realm-less names pass (the NULL realm deals with them); otherwise
        # require exactly one '@' followed by a dotted, alpha-TLD realm
        if (User-Name !~ /@/ \
            || ( \
                User-Name !~ /@.*@/ \
                && User-Name =~ /^[[:graph:]]*@([-[:alnum:]]+\.)+[[:alpha:]]{2,}$/ \
            ) \
        ) {
                ok
        }
        else {
                update reply {
                        Reply-Message := "Invalid User-Name Syntax"
                }
                reject
        }
}
----
Once set up, you simply add more realms to proxy.conf to blackhole, and
it keeps your main configuration generally rather simple.
Cheers
--
Alexander Clouter
.sigmonster says: Many people are unenthusiastic about their work.
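As a worked example added here (it is not code from the post above, nor from FreeRADIUS itself), the following Python models the decision that the proxy.conf realm table, the authorize block and the validate_username policy in the post make for a handful of constructed User-Names. The realm lookup is a simplified re-implementation and assumes that the realm is whatever follows the last '@', that exact realm names match case-insensitively, and that the regex realm is tried before DEFAULT; the policy's POSIX character classes are translated into Python ranges. The sample names and the realm uni.example.ac.uk are made up.

```python
import re

# Added illustration: a Python model of the realm-blackholing and
# validate_username decisions from the post. It is NOT rlm_realm or unlang;
# the realm table below is transcribed from the proxy.conf in the post.
LOCAL_REALM = "soas.ac.uk"                  # realm soas.ac.uk { }  (handled locally)
BLACKHOLE_EXACT = {"myabc.com"}             # realm myabc.com { virtual_server = auth-reject }
BLACKHOLE_REGEX = [                         # realm "~\\.3gppnetwork\\.org$" { ... }
    re.compile(r"\.3gppnetwork\.org$", re.IGNORECASE),   # case-insensitive: assumption
]

# The policy's POSIX regex with its classes translated to Python ranges
# ([[:graph:]] -> [!-~], [[:alnum:]] -> [A-Za-z0-9], [[:alpha:]] -> [A-Za-z]).
SANE_NAME = re.compile(r"^[!-~]*@([-A-Za-z0-9]+\.)+[A-Za-z]{2,}$")


def find_realm(user_name):
    """Model 'suffix' plus the realm lookup: return the value rlm_realm would
    leave in the Realm attribute for the proxy.conf in the post.

    Assumptions of this model: the realm is whatever follows the last '@',
    exact realm names are compared case-insensitively, regex realms are tried
    after exact ones, and DEFAULT catches everything else.
    """
    if "@" not in user_name:
        return "NULL"
    realm = user_name.rsplit("@", 1)[1].lower()
    if realm == LOCAL_REALM:
        return LOCAL_REALM
    if realm in BLACKHOLE_EXACT:
        return realm
    for rx in BLACKHOLE_REGEX:
        if rx.search(realm):
            return "~" + rx.pattern     # Realm is set to the configured (regex) name
    return "DEFAULT"


def validate_username(user_name):
    """Port of the validate_username policy. Returns (ok, reply_message)."""
    # HACK in the original: reject any whitespace explicitly
    if re.search(r"\s", user_name):
        return False, "Invalid User-Name Syntax"
    # realm-less names are passed through; the NULL realm deals with them
    if "@" not in user_name:
        return True, None
    # exactly one '@' and a routable-looking realm
    if user_name.count("@") == 1 and SANE_NAME.match(user_name):
        return True, None
    return False, "Invalid User-Name Syntax"


def authorize(user_name):
    """Model the authorize { } flow: preprocess/suffix, the blackhole test
    ('handled' sends the request to the auth-reject virtual server, whose
    switch picks the Reply-Message), then validate_username.

    Returns (action, reply_message) where action is "local", "proxy:eduroam"
    or "reject".
    """
    realm = find_realm(user_name)
    if realm not in (LOCAL_REALM, "DEFAULT"):
        message = "No Realm" if realm == "NULL" else "Realm Blackholed"
        return "reject", message
    ok, message = validate_username(user_name)
    if not ok:
        return "reject", message
    if realm == LOCAL_REALM:
        return "local", None
    return "proxy:eduroam", None


# Constructed sample User-Names (not real accounts or realms).
SAMPLES = [
    "alice@soas.ac.uk",                                 # local user, authenticated here
    "Hana@SOAS.AC.UK",                                  # realm match is case-insensitive
    "bob@uni.example.ac.uk",                            # foreign realm, proxied to the eduroam pool
    "carol",                                            # no realm: NULL -> "No Realm"
    "dave@myabc.com",                                   # explicitly blackholed realm
    "0123456789@wlan.mnc001.mcc234.3gppnetwork.org",    # caught by the regex realm
    "eve@bad realm.org",                                # whitespace: validate_username rejects
    "frank@x.org@edu.example.org",                      # two '@': validate_username rejects
    "gina@localhost",                                   # no dotted realm: unroutable guff
]

if __name__ == "__main__":
    for name in SAMPLES:
        action, message = authorize(name)
        print(f"{name!r:52} realm={find_realm(name)!r:30} -> {action} {message or ''}")
```

Running it prints one line per sample. The thing worth noticing is the ordering: a blackholed or realm-less name is rejected with the auth-reject server's Reply-Message before validate_username ever runs, while a malformed name in an otherwise-proxied realm is caught by the policy and never reaches the eduroam pool.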