Eduroam & FreeRadius not working so well
Mike Diggins
mike.diggins at mcmaster.ca
Sun Dec 9 21:11:02 CET 2012
On Thu, 6 Dec 2012, Phil Mayers wrote:
> On 12/06/2012 10:16 AM, Alan Buxey wrote:
>> Hi,
>>
>>> home_server_pool EDUROAM-FTLR {
>>>     type = fail-over
>>>     home_server = proxy1
>>>     home_server = proxy2
>>> }
>>
>> I would use:
>>
>> type = client-port-balance
>>
>>
>> to balance between the 2. (that method ensures the EAP goes to one remote
>> server)
>>
>>> realm DEFAULT {
>>>     pool = EDUROAM-FTLR
>>>     nostrip
>>> }
>>
>> hmmmm, this isn't best practice if that's all you have for throwing stuff
>> upstream. would strongly recommend using unlang to validate that the user
>> has a valid realm etc and then update the request to use a realm identifier
>> (eg eduroam) and use that in proxy.conf instead - thus you are only sending
>> valid users upstream (and not all the random typos and junk) as the upstream
>> servers will like you more for that - and won't be dropping requests and
>> messing you up.
>>
>
> To expand on Alan's statement a bit here - it's possible that users are
> associating with your eduroam SSID and sending all kinds of nonsense (I think
> the best I've seen is:
>
> <space>user@domain<newline><space>user@domain<newline><repeat 3 times>
>
> ...and that the upstream RADIUS servers are not replying, which is causing
> you to get these dropouts.
>
> You probably want something like this:
>
> authorize {
>     if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) {
>         # user has a valid-looking realm
>         update request {
>             Stripped-User-Name := "%{1}"
>             Realm = "%{toupper:%{2}}"
>         }
>     }
>     else {
>         # malformed NAI
>         update reply {
>             Reply-Message := "malformed username"
>         }
>         reject
>     }
>
>     if (Realm == MY.REALM) {
>         ...
>     }
>     else {
>         update control {
>             Proxy-To-Realm := DEFAULT
>         }
>     }
> }
>
This looks like something I should be doing but I have no idea where to
insert this section. Is it in proxy.conf or somewhere else? And that last
section for my own realm, would it look like this (you're converting the
Realm to upper case, right?)
if (Realm == MY.REALM) {
    update control {
        Proxy-To-Realm := MY.REALM
    }
}
else {
    update control {
        Proxy-To-Realm := DEFAULT
    }
}
With this configuration, I guess I don't need the realms LOCAL or NULL?
-Mike
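Added illustration (not code from Phil, Alan or the FreeRADIUS project): the same decision logic Phil's authorize{} block expresses, written in Python so it can be run against a constructed batch of User-Name values, including the pasted-twice junk described earlier in the thread. The local realm name MCMASTER.CA is an assumption for this example; the only thing taken from the thread is the regex, the upper-casing of the realm, and the three outcomes (reject, handle locally, proxy to DEFAULT).

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# The regex from the thread, as a Python pattern (the unlang version writes
# the dot as \\. because unlang unescapes the string before compiling it).
# Case-insensitive so "user@ExAmPlE.org" is accepted; the realm is upper-cased
# afterwards, mirroring %{toupper:%{2}}.
NAI_RE = re.compile(r"^([^@]*)@([-A-Z0-9]+(\.[-A-Z0-9]+)+)$", re.IGNORECASE)

MY_REALM = "MCMASTER.CA"        # assumption: the campus's own realm, upper-cased
UPSTREAM_REALM = "DEFAULT"      # the proxy.conf realm whose pool is EDUROAM-FTLR


@dataclass
class Decision:
    action: str                              # "reject", "local" or "proxy"
    stripped_user_name: Optional[str] = None  # Stripped-User-Name
    realm: Optional[str] = None               # Realm, upper-cased
    proxy_to_realm: Optional[str] = None      # control:Proxy-To-Realm
    reply_message: Optional[str] = None       # reply:Reply-Message


def route_request(user_name: str) -> Decision:
    """Mirror the authorize{} logic from the thread.

    fullmatch() is used rather than match(): POSIX regexec, which FreeRADIUS
    uses, only lets '$' match at the very end of the string, whereas Python's
    '$' would also match just before a trailing newline and silently accept
    "user@realm.org\\n" from a misbehaving supplicant.
    """
    m = NAI_RE.fullmatch(user_name)
    if m is None:
        # malformed NAI: never forward it upstream
        return Decision(action="reject", reply_message="malformed username")
    stripped, realm = m.group(1), m.group(2).upper()
    if realm == MY_REALM:
        return Decision("local", stripped, realm, None)
    return Decision("proxy", stripped, realm, UPSTREAM_REALM)


def triage(user_names: Iterable[str]) -> Dict[str, int]:
    """Count how many of a batch would be rejected, handled locally or proxied."""
    counts = {"reject": 0, "local": 0, "proxy": 0}
    for name in user_names:
        counts[route_request(name).action] += 1
    return counts


# Constructed sample input for this example (not real log data).
SAMPLE_USER_NAMES = [
    "alice@mcmaster.ca",                          # own realm, lower case
    "bob@example.org",                            # foreign realm -> proxy
    "carol@ExAmPlE.ac.uk",                        # mixed case, multi-label realm
    "dave",                                       # no realm at all
    "erin@localhost",                             # realm without a dot
    " frank@example.org\n frank@example.org\n",   # the pasted-twice junk
    "grace@example.org\n",                        # trailing newline
    "@example.org",                               # empty user part (accepted!)
]

if __name__ == "__main__":
    for name in SAMPLE_USER_NAMES:
        print(repr(name), "->", route_request(name))
    print(triage(SAMPLE_USER_NAMES))
```

Two things the run makes visible that the regex alone does not: every multi-line or dot-less username is stopped before it can reach the proxy pool, which is the whole point of Alan's advice, and the `[^@]*` user part accepts an empty string, so `@example.org` would still be forwarded; tighten it to `[^@]+` if you want to drop those too.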
More information about the Freeradius-Users mailing list