Realm parsing and \r => =0D
Alexander Clouter
alex at digriz.org.uk
Wed Aug 24 10:46:48 CEST 2011
Rich Graves <rgraves at carleton.edu> wrote:
>
> I've got freeradius-2.1.10-5.el6.x86_64 on fully patched RHEL6.1.
> PEAP+MSCHAPv2 for wireless 802.1x, intending to federate with eduroam.
>
> Within a day, I had the configuration I wanted, or so I thought.
>
> Empty stanzas for realms user at carleton.edu, ADS\user, and bare
> username get authenticated with mschapv2. Otherwise, regex realm *@*.*
> gets routed to the eduroam upstream radius hierarchy.
>
If you are going 'eduroam' you really need to reject *everything*
eduroam SSID/802.1X related that is not of the form user at realm. If you
permit combinations then you will find users can use 'eduroam' locally
with no problems but then when they go roaming, their workstation does
not tell the visited site the realm (in the form '@example.edu') and so
can only reject it.
The result, very unhappy users.
If you reject *today* NULL, then your helpdesk *have* to configure
people correctly. These are the words from a bitten before eduroam
sysadmin :)
As for your realm fun, this is what we do:
---- templates.conf ----
templates {
# PROXY
eduroam-proxy {
type = auth+acct
port = 1812
require_message_authenticator = yes
status_check = status-server
}
eduroam-proxy6 {
src_ipaddr = ${local.MY.addr.v6}
$template eduroam-proxy
}
eduroam-proxy4 {
src_ipaddr = ${local.MY.addr.v4}
$template eduroam-proxy
}
}
---- proxy.conf ----
## eduroam
# roaming0.ja.net
home_server jrs.0.v6 {
ipv6addr = ${local.jrs.0.addr.v6}
secret = ${local.jrs.0.secret}
$template eduroam-proxy6
}
home_server jrs.0.v4 {
ipaddr = ${local.jrs.0.addr.v4}
secret = ${local.jrs.0.secret}
$template eduroam-proxy4
}
# roaming1.ja.net
home_server jrs.1.v6 {
ipv6addr = ${local.jrs.1.addr.v6}
secret = ${local.jrs.1.secret}
$template eduroam-proxy6
}
home_server jrs.1.v4 {
ipaddr = ${local.jrs.1.addr.v4}
secret = ${local.jrs.1.secret}
$template eduroam-proxy4
}
# roaming2.ja.net
home_server jrs.2.v6 {
ipv6addr = ${local.jrs.2.addr.v6}
secret = ${local.jrs.2.secret}
$template eduroam-proxy6
}
home_server jrs.2.v4 {
ipaddr = ${local.jrs.2.addr.v4}
secret = ${local.jrs.2.secret}
$template eduroam-proxy4
}
home_server_pool eduroam {
type = keyed-balance
home_server = jrs.0.v6
home_server = jrs.0.v4
home_server = jrs.1.v6
home_server = jrs.1.v4
home_server = jrs.2.v6
home_server = jrs.2.v4
}
realm NULL {
}
realm LOCAL {
}
realm soas.ac.uk {
}
realm auth.virtual {
virtual_server = auth
}
realm DEFAULT {
pool = eduroam
nostrip
}
# blackhole routing
realm myabc.com {
nostrip
}
realm "~\\.3gppnetwork\\.org$" {
nostrip
}
----
The virtual server looks vaguely like (for *all* users onsite, the 'our
users visiting elsewhere' is simpler):
----
authorize {
preprocess
suffix
# detail
rewrite.called_station_id
rewrite.calling_station_id
update request {
Operator-Name := "1%{config:local.MY.realm}"
}
eap {
ok = return
}
# Reject Calling-Station-Id-less authentications
if (!(Calling-Station-Id)) {
update reply {
Reply-Message := "No Calling-Station-Id"
}
reject
}
elsif (Calling-Station-Id =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {
update control {
Local-MAC-Address := "%{1}%{2}%{3}%{4}%{5}%{6}"
}
}
if (!(User-Name)) {
update reply {
Reply-Message := "No User-Name"
}
reject
}
validate_username
# handle realmless authentications
if ((EAP-Message) && Realm == NULL) {
update reply {
Reply-Message := "No Realm"
}
reject
}
# handle blackhole'd realms
if (Realm != "NULL" && Realm != "DEFAULT" && Realm != "%{config:local.MY.realm}") {
update reply {
Reply-Message := "Realm Blackholed"
}
reject
}
# [snipped local MAC-Auth hooks]
# workaround crappy load-balancing
if (Realm == DEFAULT) {
update control {
Load-Balance-Key := "%{User-Name} %{Calling-Station-Id}"
}
handled
}
Autz-Type Status-Server {
ok
}
}
post-auth {
Post-Auth-Type Reject {
redundant {
sql.dot1x
ok
}
attr_filter.access_reject
eap-has-no-reply-message
# detail
}
# defaults
update reply {
Tunnel-Type := VLAN
Tunnel-Medium-Type := IEEE-802
Tunnel-Private-Group-Id := "unauthorised"
Termination-Action := RADIUS-Request
Session-Timeout := 300
Acct-Interim-Interval := 3600
}
if ((EAP-Message) && !(Ldap-UserDn)) {
cache_ldap-userdn
}
if (Realm == "DEFAULT") {
update reply {
Tunnel-Private-Group-Id := "eduroam"
}
}
# to be removed once we register personal workstations
elsif (Realm == "%{config:local.MY.realm}") {
update reply {
Tunnel-Private-Group-Id := "users-unmanaged"
}
}
if (reply:Tunnel-Private-Group-Id != "unauthorised") {
update reply {
# Cisco only support a max of 65535
Session-Timeout := 64800
}
}
redundant {
sql.dot1x
ok
}
attr_filter.soas-auth
eap-has-no-reply-message
}
----
If enough people pester me I might get around to 'generalising' this.
There is already some effort in this space, Arran
Cudbard-Bell(@freeradius.net) used to work in Academentia over in
Rightpondia and put together a slightly different approach (without a
focus around proxy.conf that I use, it's pretty much what the rest of
the .ac.uk sector use I think, I of course have to be different):
http://www.ja.net/services/authentication-and-authorisation/janet-roaming/documentation.html
http://www.ja.net/documents/services/janet-roaming/sussex-freeradius-case-study.pdf
"FreeRADIUS v2.0.2 Implementation to support eduroam at the University
of Sussex".
It's all good stuff though. Pick the approach that makes the most sense
to you and more naturally fits your needs. I like priming FreeRADIUS
with the realm->proxy mapping and leaving it to it's devices, others
prefer to explicitly use unlang in authorize{}.
Do contact me off list if you want some help and think this could be
getting off topic; although there are a *lot* of eduroam'ers here on the
list.
Cheers
--
Alexander Clouter
.sigmonster says: DIDI ... is that a MARTIAN name, or, are we in ISRAEL?
More information about the Freeradius-Users
mailing list