"Internal sanity check failed" After adding second Home Server
Alan Buxey
A.L.M.Buxey at lboro.ac.uk
Tue Feb 28 12:05:40 CET 2012
Hi,
> Thank you very much! The problem is solved!
I note you are using the DEFAULT realm for sending things upstream.
as a federation operator this concerns me - as it means all kinds of junk gets
sent upstream for the remote proxy to deal with. I would strongly advise that you
rename that realm to e.g. EDUROAM and then in the authorise section of the server
add some unlang to verify the user-name is legitimate and, if it is,

    update control {
        Proxy-To-Realm := "EDUROAM"
    }
    update request {
        Realm := "EDUROAM"
    }

e.g. as a rough, crude example
    # Sanity checks on User-Name before anything is proxied.
    # Realm ending in whitespace: almost always a supplicant typo.
    if ("%{User-Name}" =~ /@.*\s$/i) {
        update reply {
            Reply-Message = "misconfigured realm ending in whitespace"
        }
        reject
    }
    # More than one '@' in the name.
    if ("%{User-Name}" =~ /@(.+)?@/i) {
        update reply {
            Reply-Message = "rejected multiple @ in username"
        }
        reject
    }
    # Realms that should never be sent upstream from this site.
    if ("%{User-Name}" =~ /3gppnetwork\.org$/i) {
        reject
    }
    if ("%{User-Name}" =~ /myabc\.com$/i) {
        reject
    }
    # Split an optional DOMAIN\ prefix, the user part (%{1}) and the realm (%{2}).
    if ("%{User-Name}" =~ /\\?([^@\\]+)@?([-[:alnum:]._]*)?$/) {
        # No realm given, or our own realm: authenticate locally.
        if (!"%{2}" || ("%{2}" =~ /^your\.realm$/i)) {
            update request {
                Realm := "local"
            }
            # The bare "@realm" form leaves %{2} empty; if it is not our realm, proxy it.
            if (!"%{2}" && ("%{User-Name}" =~ /^@/) && ("%{User-Name}" != "@your.realm")) {
                update control {
                    Proxy-To-Realm := "EDUROAM"
                }
                update request {
                    Realm := "EDUROAM"
                }
            }
        }
    }
alan
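The routing decision the post describes (reject junk, keep local users local, proxy only well-formed foreign realms) modelled in Python, as an added example so the patterns can be exercised offline before they go into the authorize section. This is not unlang and is not part of FreeRADIUS or the post. `your.realm` and `EDUROAM` are the placeholders used in the post, the sample User-Names are constructed, and since Python's `re` has no `[:alnum:]` class it is spelled out as `A-Za-z0-9`. It goes slightly beyond the snippet above: every well-formed foreign realm is marked for proxying, whereas the nested unlang sets Proxy-To-Realm only for the bare `@realm` form.

```python
import re

# Model of the pre-proxy User-Name filter from the post. Plain Python for
# testing the checks offline; it is not unlang and not part of FreeRADIUS.

LOCAL_REALM = "your.realm"      # placeholder, as in the post
FEDERATION_REALM = "EDUROAM"    # upstream realm name suggested in the post

# Same patterns as the posted unlang. Python's re has no [:alnum:], so that
# POSIX class is written as A-Za-z0-9.
RE_TRAILING_WHITESPACE = re.compile(r"@.*\s$", re.IGNORECASE)
RE_MULTIPLE_AT = re.compile(r"@(.+)?@", re.IGNORECASE)
BLOCKED_REALM_SUFFIXES = (
    re.compile(r"3gppnetwork\.org$", re.IGNORECASE),   # from the post
    re.compile(r"myabc\.com$", re.IGNORECASE),         # from the post
)
# Optional DOMAIN\ prefix, a user part without '@' or '\', optional '@realm'.
RE_SPLIT = re.compile(r"\\?([^@\\]+)@?([-A-Za-z0-9._]*)?$")


def route_user_name(user_name, local_realm=LOCAL_REALM):
    """Return (action, realm, reason) for one User-Name.

    action is 'reject', 'local' or 'proxy'. The order of checks follows the
    posted unlang: sanity checks first, then the local/proxy decision.
    """
    if RE_TRAILING_WHITESPACE.search(user_name):
        return ("reject", None, "misconfigured realm ending in whitespace")
    if RE_MULTIPLE_AT.search(user_name):
        return ("reject", None, "multiple @ in username")
    for pattern in BLOCKED_REALM_SUFFIXES:
        if pattern.search(user_name):
            return ("reject", None, "realm is on the local block list")
    match = RE_SPLIT.search(user_name)
    if match is None:
        return ("reject", None, "User-Name does not parse as user@realm")
    realm = match.group(2) or ""
    # Bare "@realm" form: the user part is empty, so the regex captures the
    # realm in group 1 and leaves group 2 empty (same as %{2} in the unlang).
    if not realm and user_name.startswith("@"):
        realm = user_name[1:]
    if not realm or realm.lower() == local_realm.lower():
        return ("local", "local", "local realm or no realm given")
    return ("proxy", FEDERATION_REALM, "well-formed foreign realm")


# Constructed sample User-Names (not from the post) covering each branch.
SAMPLE_USER_NAMES = [
    "alice@your.realm",
    "bob",
    "DOMAIN\\carol",
    "@your.realm",
    "@other.example",
    "dave@other.example",
    "eve@other.example ",
    "frank@@other.example",
    "grace@foo.3gppnetwork.org",
]


def summarise(user_names=SAMPLE_USER_NAMES):
    """Map each User-Name to its routing decision, for checking the patterns
    against real-looking names before they go into the server config."""
    return {name: route_user_name(name) for name in user_names}


if __name__ == "__main__":
    for name, (action, realm, reason) in summarise().items():
        print(f"{name!r:32} -> {action:6} realm={realm!s:8} ({reason})")
```

Run it with a list of User-Names taken from your own logs to see what the DEFAULT realm would currently have forwarded upstream, and what the checks would reject or keep local instead.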