Eduroam with a Local Radius Config?

Alexander Clouter alex at digriz.org.uk
Thu Feb 17 20:34:14 CET 2011


Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> 
> I would say one thing, do NOT use DEFAULT (in fact, don't EVER use it 
> ...always have policies to deal with everything) - use unlang to set 
> the realm - local, or 'eduroam' and then only have those entries in 
> proxy.conf
>
...I would say *do* use DEFAULT...so there. :)

My thinking is that there is no difference in effect if your eduroam 
unlang policy sends everything it does not know about upstream so why 
not just reuse the built-in FreeRADIUS stuff that does the same.

I guess it all depends on how you prefer to think about your packet 
flow.  I have the following in my proxy.conf file:
----
realm NULL {
}

realm LOCAL {
}

realm soas.ac.uk {
}

realm DEFAULT {
        pool            = eduroam

        nostrip
}

# blackhole routing
realm myabc.com {
        nostrip
}
realm "~\\.3gppnetwork\\.org$" {
        nostrip
}
----

Then in my authorize section I use:
----
# handle realmless authentications
if ((EAP-Message) && Realm == NULL) {
  update reply {
    Reply-Message := "No Realm"
  }
  reject
}

# handle blackhole'd realms
if (Realm != "NULL" && Realm != "DEFAULT" && Realm != "soas.ac.uk") {
  update reply {
    Reply-Message := "Realm Blackholed"
  }
  reject
}
----

For me, it means blackholing domains is a lot more straightforward and 
the packet flow is more 'natural' (as you are not 'forcing' a proxying).

However, this parses in my brain, does not mean it will parse in anyone 
else's :)

Cheers

-- 
Alexander Clouter
.sigmonster says: If you knew what to say next, would you say it?
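
The following is an added example, not part of the original post and not FreeRADIUS code: a small Python model of how the proxy.conf realms and the two authorize checks above combine into an accept-locally / proxy / reject decision. It assumes suffix-style realm lookup (text after the last '@', matched case-insensitively) and that a regex realm puts its "~..." name into Realm; the function names and sample User-Names are constructed for illustration.

```python
import re

# Realms with no pool in the posted proxy.conf (handled locally or blackholed).
EXACT_REALMS = ["LOCAL", "soas.ac.uk", "myabc.com"]
# The "~\\.3gppnetwork\\.org$" entry, with the config-file escaping removed.
REGEX_REALMS = [r"\.3gppnetwork\.org$"]
# Realm values the second unlang check lets through.
ALLOWED = {"NULL", "DEFAULT", "soas.ac.uk"}

def find_realm(user_name):
    """Assumed model of the realm lookup: exact match, then regex, then DEFAULT."""
    if "@" not in user_name:
        return "NULL"                       # 'realm NULL' is defined, so it matches
    realm = user_name.rsplit("@", 1)[1]
    for name in EXACT_REALMS:
        if realm.lower() == name.lower():
            return name
    for pattern in REGEX_REALMS:
        if re.search(pattern, realm, re.IGNORECASE):
            return "~" + pattern            # assumption: Realm carries the regex name
    return "DEFAULT"

def decide(user_name, has_eap_message=True):
    """Apply the two authorize checks from the post, then the proxy.conf routing."""
    realm = find_realm(user_name)
    if has_eap_message and realm == "NULL":
        return ("reject", "No Realm")
    if realm not in ALLOWED:
        return ("reject", "Realm Blackholed")
    if realm == "DEFAULT":
        return ("proxy", "eduroam")         # only DEFAULT has 'pool = eduroam'
    return ("local", realm)

if __name__ == "__main__":
    # Constructed sample User-Names.
    samples = ["alice@soas.ac.uk", "bob@example.ac.uk", "bob", "x@myabc.com",
               "0123@wlan.mnc001.mcc234.3gppnetwork.org", "x@LOCAL"]
    for name in samples:
        print(f"{name:45} -> {decide(name)}")
    print(f"{'bob (no EAP-Message)':45} -> {decide('bob', has_eap_message=False)}")
```
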




More information about the Freeradius-Users mailing list