Removing domain name in freeradius

Alexander Clouter alex at digriz.org.uk
Tue Oct 12 19:27:41 CEST 2010


Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>>
>> Currently when users connect to our WLAN they enter their username 
>> thus:- firstname.lastname at mydomain.ox.ac.uk
>>
>> Is there a way I can strip everything after the @ out (ie the domain) 
>> - so they are forced to authenticate against the domain I specify.
> 
> Sure, a couple of different ways:
> 
>  1. Define "mydomain.ox.ac.uk" as a realm in proxy.conf, enable 
> "strip", add the "suffix" module to authorize, update any config to try 
> the Stripped-User-Name attribute first:
> 
> authorize {
>   ...
>   suffix
> }
> 
> modules {
>   mschap {
>     ntlm_auth = "... username=%{%{Stripped-User-Name}:-%{mschap:User-Name}}"
>   }
> }
> 
>  2. Write an unlang expression:
> 
> authorize {
>    if (User-Name =~ /^(.*)@(.*)/) {
>      update request {
>        User-Name := "%{1}"
>        Realm := "%{2}"
>      }
>      if (Realm !~ /mydomain\.ox\.ac\.uk/i) {
>        # invalid
>        reject
>      }
>    }
> }
> 
3. slight spin on option 1...
----
authorize {
  suffix

  if (Realm == "DEFAULT") {
    reject
  }

  ...
}
----

In your proxy.conf have something like:
----
realm NULL {
}

realm LOCAL {
}

realm soas.ac.uk {
}

realm DEFAULT {
        pool            = eduroam

        nostrip
}
----

Once you are ready for roaming (if that is the direction you are going 
in) just comment out the reject for DEFAULT in authorize.

Later you can do cunning things like add to proxy.conf:
----
# blackhole routing
realm myabc.com {
        nostrip
}
realm "~\\.3gppnetwork\\.org$" {
        nostrip
}
----

and then in authorize have:
----
# handle blackhole'd realms
if (Realm != "NULL" && Realm != "DEFAULT" && Realm != "soas.ac.uk") {
  update reply {
    Reply-Message := "Realm Blackholed"
  }
  reject
}
----
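As an added illustration (not code from this post or from FreeRADIUS itself), the Python below models how the suffix module and the authorize policy above combine for a given User-Name. The realm table is constructed from the proxy.conf fragments in the post; the lookup order (exact case-insensitive match, then "~" regex realms in config order, then DEFAULT) and the split on the last "@" are assumptions about rlm_realm's behaviour, as is the shape of the attributes it sets.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class RealmEntry:
    name: str
    pool: Optional[str] = None  # None: no home server pool, authenticate locally
    strip: bool = True          # proxy.conf default; 'nostrip' turns it off

# Constructed realm table mirroring the proxy.conf fragments in the post.
REALMS = [
    RealmEntry("NULL"), RealmEntry("LOCAL"), RealmEntry("soas.ac.uk"),
    RealmEntry("myabc.com", strip=False),               # blackhole
    RealmEntry(r"~\.3gppnetwork\.org$", strip=False),   # blackhole (regex)
    RealmEntry("DEFAULT", pool="eduroam", strip=False),
]
KNOWN = {"NULL", "DEFAULT", "soas.ac.uk"}  # realms the authorize policy lets through

def find_realm(name):
    # Assumed lookup order: exact (case-insensitive), then '~' regex realms
    # in config order, then DEFAULT (always present in this table).
    for r in REALMS:
        if not r.name.startswith("~") and r.name.lower() == name.lower():
            return r
    for r in REALMS:
        if r.name.startswith("~") and re.search(r.name[1:], name, re.I):
            return r
    return next(r for r in REALMS if r.name == "DEFAULT")

def suffix(user_name):
    """Model of the 'suffix' module: split on the last '@' (assumed), set
    Realm, Stripped-User-Name if the realm strips, Proxy-To-Realm if pooled."""
    attrs = {"User-Name": user_name}
    if "@" not in user_name:
        attrs["Realm"] = "NULL"          # no '@' matches 'realm NULL'
        return attrs
    user, _, realm_name = user_name.rpartition("@")
    entry = find_realm(realm_name)
    attrs["Realm"] = entry.name
    if entry.strip:
        attrs["Stripped-User-Name"] = user
    if entry.pool:
        attrs["Proxy-To-Realm"] = entry.name
    return attrs

def authorize(user_name, roaming=False):
    """Model of the post's authorize section. Returns ('reject', reason) or
    ('ok', name used for authentication, realm proxied to or None)."""
    attrs = suffix(user_name)
    realm = attrs["Realm"]
    if realm == "DEFAULT" and not roaming:   # option 3: roaming not enabled yet
        return ("reject", "unknown realm")
    if realm not in KNOWN:                    # blackholed realms
        return ("reject", "Realm Blackholed")
    name = attrs.get("Stripped-User-Name", attrs["User-Name"])
    return ("ok", name, attrs.get("Proxy-To-Realm"))
```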

Cheers

-- 
Alexander Clouter
.sigmonster says: This Fortune Examined By INSPECTOR NO. 2-14