Realm parsing and \r => =0D

Alexander Clouter alex at digriz.org.uk
Wed Aug 24 10:46:48 CEST 2011


Rich Graves <rgraves at carleton.edu> wrote:
>
> I've got freeradius-2.1.10-5.el6.x86_64 on fully patched RHEL6.1. 
> PEAP+MSCHAPv2 for wireless 802.1x, intending to federate with eduroam.
> 
> Within a day, I had the configuration I wanted, or so I thought.
> 
> Empty stanzas for realms user at carleton.edu, ADS\user, and bare 
> username get authenticated with mschapv2. Otherwise, regex realm *@*.* 
> gets routed to the eduroam upstream radius hierarchy.
>
If you are going 'eduroam' you really need to reject *everything* 
eduroam SSID/802.1X related that is not of the form user at realm.  If you 
permit combinations then you will find users can use 'eduroam' locally 
with no problems but then when they go roaming, their workstation does 
not tell the visited site the realm (in the form '@example.edu') and so 
can only reject it.

The result, very unhappy users.

If you reject *today* NULL, then your helpdesk *have* to configure 
people correctly.  These are the words from a bitten before eduroam 
sysadmin :)
 
As for your realm fun, this is what we do:
---- templates.conf ----
templates {
        # PROXY
        eduroam-proxy {
                type                            = auth+acct
                port                            = 1812
                require_message_authenticator   = yes
                status_check                    = status-server
        }

        eduroam-proxy6 {
                src_ipaddr                      = ${local.MY.addr.v6}

                $template eduroam-proxy
        }
        eduroam-proxy4 {
                src_ipaddr                      = ${local.MY.addr.v4}

                $template eduroam-proxy
        }
}
---- proxy.conf ----
## eduroam
# roaming0.ja.net
home_server jrs.0.v6 {
        ipv6addr        = ${local.jrs.0.addr.v6}
        secret          = ${local.jrs.0.secret}

        $template eduroam-proxy6
}
home_server jrs.0.v4 {
        ipaddr          = ${local.jrs.0.addr.v4}
        secret          = ${local.jrs.0.secret}

        $template eduroam-proxy4
}
# roaming1.ja.net
home_server jrs.1.v6 {
        ipv6addr        = ${local.jrs.1.addr.v6}
        secret          = ${local.jrs.1.secret}

        $template eduroam-proxy6
}
home_server jrs.1.v4 {
        ipaddr          = ${local.jrs.1.addr.v4}
        secret          = ${local.jrs.1.secret}

        $template eduroam-proxy4
}
# roaming2.ja.net
home_server jrs.2.v6 {
        ipv6addr        = ${local.jrs.2.addr.v6}
        secret          = ${local.jrs.2.secret}

        $template eduroam-proxy6
}
home_server jrs.2.v4 {
        ipaddr          = ${local.jrs.2.addr.v4}
        secret          = ${local.jrs.2.secret}

        $template eduroam-proxy4
}

home_server_pool eduroam {
        type            = keyed-balance

        home_server     = jrs.0.v6
        home_server     = jrs.0.v4
        home_server     = jrs.1.v6
        home_server     = jrs.1.v4
        home_server     = jrs.2.v6
        home_server     = jrs.2.v4
}

realm NULL {
}

realm LOCAL {
}

realm soas.ac.uk {
}

realm auth.virtual {
        virtual_server  = auth
}

realm DEFAULT {
        pool            = eduroam

        nostrip
}

# blackhole routing
realm myabc.com {
        nostrip
}
realm "~\\.3gppnetwork\\.org$" {
        nostrip
}
----

The virtual server looks vaguely like (for *all* users onsite, the 'our 
users visiting elsewhere' is simpler):
----
        authorize {
                preprocess
                suffix

                # detail

                rewrite.called_station_id
                rewrite.calling_station_id

                update request {
                        Operator-Name := "1%{config:local.MY.realm}"
                }

                eap {
                        ok = return
                }

                # Reject Calling-Station-Id-less authentications
                if (!(Calling-Station-Id)) {
                        update reply {
                                Reply-Message := "No Calling-Station-Id"
                        }
                        reject
                }
                elsif (Calling-Station-Id =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {
                        update control {
                                Local-MAC-Address := "%{1}%{2}%{3}%{4}%{5}%{6}"
                        }
                }

                if (!(User-Name)) {
                        update reply {
                                Reply-Message := "No User-Name"
                        }
                        reject
                }

                validate_username

                # handle realmless authentications
                if ((EAP-Message) && Realm == NULL) {
                        update reply {
                                Reply-Message := "No Realm"
                        }
                        reject
                }

                # handle blackhole'd realms
                if (Realm != "NULL" && Realm != "DEFAULT" && Realm != "%{config:local.MY.realm}") {
                                update reply {
                                        Reply-Message := "Realm Blackholed"
                                }
                                reject
                }

                # [snipped local MAC-Auth hooks]

                # workaround crappy load-balancing
                if (Realm == DEFAULT) {
                        update control {
                                Load-Balance-Key := "%{User-Name} %{Calling-Station-Id}"
                        }
                        handled
                }

                Autz-Type Status-Server {
                        ok
                }
        }

        post-auth {
                Post-Auth-Type Reject {
                        redundant {
                                sql.dot1x
                                ok
                        }

                        attr_filter.access_reject

                        eap-has-no-reply-message

#                       detail
                }

                # defaults
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        Tunnel-Private-Group-Id := "unauthorised"

                        Termination-Action := RADIUS-Request
                        Session-Timeout := 300

                        Acct-Interim-Interval := 3600
                }

                if ((EAP-Message) && !(Ldap-UserDn)) {
                        cache_ldap-userdn
                }

                if (Realm == "DEFAULT") {
                        update reply {
                                Tunnel-Private-Group-Id := "eduroam"
                        }
                }
                # to be removed once we register personal workstations
                elsif (Realm == "%{config:local.MY.realm}") {
                        update reply {
                                Tunnel-Private-Group-Id := "users-unmanaged"
                        }
                }

                if (reply:Tunnel-Private-Group-Id != "unauthorised") {
                        update reply {
                                # Cisco only support a max of 65535
                                Session-Timeout := 64800
                        }
                }

                redundant {
                        sql.dot1x
                        ok
                }

                attr_filter.soas-auth

                eap-has-no-reply-message
        }
----

If enough people pester me I might get around to 'generalising' this.  
There is already some effort in this space, Arran 
Cudbard-Bell (@freeradius.net) used to work in Academentia over in 
Rightpondia and put together a slightly different approach (without a 
focus around proxy.conf that I use; it's pretty much what the rest of 
the .ac.uk sector use I think, I of course have to be different):

http://www.ja.net/services/authentication-and-authorisation/janet-roaming/documentation.html
http://www.ja.net/documents/services/janet-roaming/sussex-freeradius-case-study.pdf

"FreeRADIUS v2.0.2 Implementation to support eduroam at the University 
of Sussex".

It's all good stuff though.  Pick the approach that makes the most sense 
to you and more naturally fits your needs.  I like priming FreeRADIUS 
with the realm->proxy mapping and leaving it to its devices, others 
prefer to explicitly use unlang in authorize{}.

Do contact me off list if you want some help and think this could be 
getting off topic; although there are a *lot* of eduroam'ers here on the 
list.

Cheers

-- 
Alexander Clouter
.sigmonster says: DIDI ... is that a MARTIAN name, or, are we in ISRAEL?
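The routing policy the post's proxy.conf and authorize{} section implement (reject missing Calling-Station-Id, reject realmless EAP users, reject blackholed realms, authenticate the local realm, proxy everything else to the eduroam pool with nostrip and a per-client Load-Balance-Key) can be exercised as a small model. The following is an added example, not code from the post or from FreeRADIUS: it uses the local realm soas.ac.uk and the blackhole entries from the posted proxy.conf, splits User-Name on the last '@' as a simplification of rlm_realm's suffix handling, and assumes realm names compare case-insensitively; the helper names and the sample inputs are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed values mirroring the posted proxy.conf (constructed example).
LOCAL_REALM = "soas.ac.uk"                        # ${config:local.MY.realm}
BLACKHOLE_EXACT = {"myabc.com"}                   # realm myabc.com { nostrip }
BLACKHOLE_REGEX = (re.compile(r"\.3gppnetwork\.org$", re.I),)
EDUROAM_POOL = "eduroam"                          # home_server_pool eduroam


@dataclass(frozen=True)
class Decision:
    action: str                       # "reject", "local" or "proxy"
    reason: str                       # Reply-Message text on reject, else a note
    realm: str                        # parsed realm, or the NULL/DEFAULT catch-all
    user_name: Optional[str] = None   # User-Name as authenticated or forwarded
    pool: Optional[str] = None        # home_server_pool for proxied requests
    load_balance_key: Optional[str] = None


def split_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """Simplified stand-in for rlm_realm 'suffix' (hypothetical helper):
    split on the last '@'; realm is None when no delimiter is present."""
    if "@" not in user_name:
        return user_name, None
    user, realm = user_name.rsplit("@", 1)
    return user, realm


def is_blackholed(realm: str) -> bool:
    """True when the realm matches an exact or regex blackhole entry."""
    r = realm.lower()
    return r in BLACKHOLE_EXACT or any(p.search(r) for p in BLACKHOLE_REGEX)


def route(user_name: Optional[str], calling_station_id: Optional[str],
          eap: bool = True) -> Decision:
    """Apply the checks in the same order as the posted authorize{} section."""
    if not calling_station_id:
        return Decision("reject", "No Calling-Station-Id", "NULL")
    if not user_name:
        return Decision("reject", "No User-Name", "NULL")

    user, realm = split_realm(user_name)

    if not realm:
        if eap:
            # Bare usernames and the 'ADS\user' prefix form are both realm
            # NULL; rejecting them forces clients to carry a realm before they roam.
            return Decision("reject", "No Realm", "NULL")
        # Non-EAP traffic in realm NULL (e.g. MAC auth hooks) stays local.
        return Decision("local", "realm NULL handled locally", "NULL",
                        user_name=user)

    if realm.lower() == LOCAL_REALM:
        # realm soas.ac.uk {} has no nostrip, so the realm is stripped off.
        return Decision("local", "authenticated in local virtual server",
                        realm, user_name=user)

    if is_blackholed(realm):
        return Decision("reject", "Realm Blackholed", realm)

    # Everything else falls to realm DEFAULT: proxied with nostrip, and the
    # Load-Balance-Key keeps one client's EAP conversation on one home server.
    return Decision("proxy", "forwarded to pool " + EDUROAM_POOL, "DEFAULT",
                    user_name=user_name, pool=EDUROAM_POOL,
                    load_balance_key=f"{user_name} {calling_station_id}")


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed Calling-Station-Id
    for name in ("alice@soas.ac.uk", "bob@example.edu", "carol",
                 "ADS\\dave", "eve@wlan.mnc001.mcc234.3gppnetwork.org"):
        print(f"{name!r:45} -> {route(name, mac)}")
```

Run it directly to see one line per sample User-Name; the eduroam case shows the unchanged (nostrip) User-Name and the "User-Name Calling-Station-Id" key that keyed-balance would hash.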