Eduroam & FreeRadius not working so well

Mike Diggins mike.diggins at mcmaster.ca
Tue Dec 11 04:14:12 CET 2012


On Sun, 9 Dec 2012, Alan Buxey wrote:

> Hi,
>
>> This looks like something I should be doing but I have no idea where
>> to insert this section. Is it in proxy.conf or somewhere else? And
>
> in the authorize section of your virtual server, straight after the preprocess/suffix/realm
> module calls (i.e. before any real authorization action)
>
>> With this configuration, I guess I don't need realms LOCAL or NULL?
>
> correct - you will deal with your LOCAL realm by handling your defined realm,
> with eduroam you don't want to EVER authenticate a user who hasn't provided
> a realm - because, for your own users, they may work fine....when they are at your
> site....they then think/believe their configuration works...and then find it
> doesn't work when they go to another eduroam site...and then they'll blame
> that site, your site or eduroam.   best policy for eduroam is ALWAYS ensure
> a realm is defined on the client


ok, both the default and inner-tunnel, I assume?

I added the section to "authorize", but the DEBUG output indicates the 
regular expression is rejecting a valid user. Is there someone that could 
confirm the RE?

if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) {
...

[suffix] Looking up realm "domain.ca" for User-Name = "mdiggins at domain.ca"
[suffix] Found realm "DEFAULT"
[suffix] Adding Realm = "DEFAULT"
[suffix] Proxying request from user mdiggins to realm DEFAULT
[suffix] Preparing to proxy authentication request to realm "DEFAULT"
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 3
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
++? if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/)
? Evaluating (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) -> FALSE
++? if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) -> FALSE
++- entering else else {...}
+++[reply] returns noop
+++[reject] returns reject
++- else else returns reject

-Mike
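
Added example, not part of the original message or of FreeRADIUS: a stand-alone Python harness that runs the posted pattern against constructed User-Name values to isolate two things visible in it, the upper-case-only class `[-A-Z0-9]` and the doubled backslash before the dot. How the server's config parser treats `\\.` is an assumption here, so both readings are tested; `realm_of` and `diagnose` are hypothetical helper names.

```python
import re

# Posted pattern as the regex engine would see it if the config parser
# collapses "\\." to "\." (assumption: this depends on the server version).
UNESCAPED = r"^([^@]*)@([-A-Z0-9]+(\.[-A-Z0-9]+)+)$"
# Same pattern if "\\." reaches the engine verbatim: a literal backslash
# followed by any single character.
VERBATIM = r"^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$"

# Constructed sample identities (not taken from any real log).
SAMPLES = [
    "mdiggins@domain.ca",    # lower-case realm, as in the debug output
    "MDIGGINS@DOMAIN.CA",    # upper-case realm
    "mdiggins",              # no realm: eduroam policy is to reject
    "mdiggins@domain",       # realm without a dot
    "mdiggins@domain..ca",   # empty label in the realm
]


def realm_of(user_name, pattern, ignore_case=False):
    """Return the captured realm if user_name passes the check, else None."""
    flags = re.IGNORECASE if ignore_case else 0
    match = re.search(pattern, user_name, flags)
    return match.group(2) if match else None


def diagnose(user_name):
    """Evaluate one identity under both readings, with and without case folding."""
    return {
        "unescaped": realm_of(user_name, UNESCAPED),
        "unescaped_i": realm_of(user_name, UNESCAPED, ignore_case=True),
        "verbatim": realm_of(user_name, VERBATIM),
        "verbatim_i": realm_of(user_name, VERBATIM, ignore_case=True),
    }


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:26} {diagnose(name)}")
```

A lower-case realm passes only in the `unescaped_i` column, so a FALSE result on such a name can come from either the case-sensitive class or the verbatim backslash; identities without a well-formed realm are rejected in every column.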


