"double" realm problem
mr typo
euroregistrar at gmail.com
Tue Oct 27 09:18:31 CET 2009
i was trying to reject those "double" realm.
but i cannot find the right syntax and/or where to put the lines.
i was trying to put these lines in the user file:
    DEFAULT User-Name =~ "/^.*@company.com@.*/"
        Auth-Type := Reject
that did not work.
when putting:
    if (User-Name ~= /^.*@company.com@.*/) {
        reject
    }
in the server configuration in authorize section, i get a strange error..
i am quite new with configuring freeradius, it would be nice if someone
could give me some real hint how to and where
reject those double @ @
thanks in advance.
-euro
On Wed, Oct 7, 2009 at 5:36 PM, Alexander Clouter <alex at digriz.org.uk> wrote:
> mr typo <euroregistrar at gmail.com> wrote:
> >
> > i do have a problem with our freeradius configuration and i have no idea how
> > to solve it.
> >
> > we do have one realm configured domainname.com which works perfectly. every
> > user who wants to authenticate with a different realm is proxied to an
> > outside radius server. the setup works fine.
> >
> > we do have some mobile devices who send something like:
> > username@company.com@wlan.mnc003.mc
> > username@company.com@Verisign...
> > .
> > .
> >
> > we send these requests to our proxy and the proxy sends it back to us,....
> >
> > from my understanding i can't solve it with a regex in the proxy.conf, right?
> > since the "realm" is just the string after the last @?
> >
> > anyone has an idea how i can process such request in my company.com realm?
> > inside the realm i strip everything out, so it should work then.
> >
> Use some unlang in 'authorize' *before* you call 'suffix' that looks
> like:
> ----
> if (User-Name =~ /^(.*@company.com)@.*/) {
>     update request {
>         User-Name := "%{1}"
>     }
> }
> ----
>
> As a side note, I currently have in proxy.conf:
> ----
> # blackhole routing
> realm myabc.com {
>     virtual_server = auth-reject
>
>     nostrip
> }
> realm "~\\.3gppnetwork\\.org$" {
>     virtual_server = auth-reject
>
>     nostrip
> }
> ----
>
> ...and a virtual server:
> ----
> server auth-reject {
>     authorize {
>         suffix
>
>         switch "%{Realm}" {
>             case "NULL" {
>                 update reply {
>                     Reply-Message := "No Realm"
>                 }
>             }
>
>             # we should not get here
>             case "DEFAULT" {
>                 update reply {
>                     Reply-Message := "ERROR"
>                 }
>             }
>
>             # we *really* should not get here
>             case "%{config:local.MY.realm}" {
>                 update reply {
>                     Reply-Message := "BIG ERROR"
>                 }
>             }
>
>             case {
>                 update reply {
>                     Reply-Message := "Realm Blackholed"
>                 }
>             }
>         }
>
>         reject
>     }
> }
> ----
>
> I would recommend you reject straight away any double realmed users as
> you will only find yourself later on still having to deal with
> misconfigured kit; pain now means a *lot* less pain later down the road
> in my experience.
>
> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: This Fortune Examined By INSPECTOR NO. 2-14
>
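The reject asked about at the top of this message, written out as an added example; it is not code from either poster or from the FreeRADIUS project. It uses the 2.x-era unlang syntax of this thread with the `=~` regex operator (3.x configurations write attribute references as `&User-Name`); the file location, `company.com`, the Reply-Message text and the exact patterns are assumptions.

```unlang
# raddb/sites-available/default (file location is an assumption)
authorize {
	preprocess

	# Optional: a device appended a second realm to one of *our* users
	# (user@company.com@wlan...). Keep everything up to the first realm.
	# [^@]+ stops the local part at the first '@'; [.] matches a literal
	# dot without relying on backslash escaping in the config parser.
	# Delete this block to reject every double-realm name instead, as
	# the quoted reply recommends.
	if (User-Name =~ /^([^@]+@company[.]com)@.+$/) {
		update request {
			User-Name := "%{1}"
		}
	}

	# Anything that still contains two '@' is rejected here, before
	# 'suffix' takes the text after the last '@' as the realm and
	# proxies the request.
	if (User-Name =~ /@.*@/) {
		update reply {
			Reply-Message := "Double realm rejected"
		}
		reject
	}

	suffix
	# ... rest of the authorize section unchanged ...
}
```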