Rejecting realms based on calling client

David Aldwinckle daldwinc at uwaterloo.ca
Thu Aug 15 15:17:17 CEST 2013


Hi Alan,

Thanks for your response.

Initially FreeRADIUS would not start and I did get an error indicating
that the "remote_secret_reject" module failed to load. There was no reason
given even with -XXX. I found since then that I was missing a brace.

Now I can get FreeRADIUS to start. I still seem to be missing something
though, since my policy does not work. Here it is:

remote_secret_reject {
	if ((Realm == "secret.campus.ca") && ((Client-Shortname == "proxy1.net") || (Client-Shortname == "proxy2.net"))) {
		reject
	}
}


In sites-enabled/default:

authorize {
	...
	remote_secret_reject
	...
}


Here is the log:

Aug 15 09:02:33 radius1 radiusd[3408]: Login OK: [confS13-150 at secret.campus.ca] (from client proxy1.net port 44721 cli 11-22-33-44-55-66 via TLS tunnel)
Aug 15 09:02:34 radius1 radiusd[3408]: Login OK: [confS13-150 at secret.campus.ca] (from client proxy1.net port 44721 cli 11-22-33-44-55-66)


I have a feeling that the solution is painfully obvious but I'm just not
seeing it.


Thanks,

Dave Aldwinckle



On 2013-08-13 11:22 AM, "Alan DeKok" <aland at deployingradius.com> wrote:

>David Aldwinckle wrote:
>> Is there a way that I can deny a specific realm when an access request
>> is received from a specific client?
>
>  Yes.
>
>> I tried adding something to policy.conf but I couldn't get the syntax
>>right:
>
>  So... what happened?  Did you get an error?  Is it a secret?
>
>> #Prevent secretrealm from logging in off-campus
>> remote_secret_reject
>> if ("%{Realm}" == "secretrealm.ca") && ((Client-Shortname ==
>> "proxy-client1") || (Client-Shortname == "proxy-client2"))) {
>> reject
>>  }
>> 
>> Is there a different way that I should be doing this?
>
>  You can do it via a policy.  But you have to get the syntax right.
>See "man unlang" for documentation on the syntax.  See the policy.conf
>file for examples of working policies.
>
>  Alan DeKok.
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
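The following is an added worked example of where such a policy sits in the request flow; it is not configuration from this thread or from the FreeRADIUS project. It assumes FreeRADIUS 2.x unlang syntax, and the realm name, client short names and module ordering are assumptions that must match your own clients.conf and proxy.conf. The ordering point it illustrates is that the Realm attribute is populated by the realm module (the `suffix` instance) when it splits User-Name on "@", so a policy comparing Realm has to run after `suffix`, otherwise Realm is empty and the condition never matches; the log above also shows the "via TLS tunnel" inner request attributed to the same client, so for PEAP/TTLS the same check belongs in the inner-tunnel virtual server as well.

```unlang
# policy.conf (added example, not the thread's own config)
# Assumes FreeRADIUS 2.x. The realm and the client short names are
# placeholders; Client-Shortname must equal the "client NAME {}" entries
# defined in clients.conf for the two proxies.
remote_secret_reject {
	if ((Realm == "secret.campus.ca") && ((Client-Shortname == "proxy1.net") || (Client-Shortname == "proxy2.net"))) {
		reject
	}
}

# sites-enabled/default, and likewise sites-enabled/inner-tunnel for the
# inner request of PEAP/TTLS (assumed layout of the authorize section)
authorize {
	preprocess
	# The "suffix" instance of rlm_realm splits User-Name on "@" and sets
	# the Realm attribute. It must run before the policy below, or Realm
	# is unset and the comparison can never be true.
	suffix
	remote_secret_reject
	# remaining authorize modules unchanged (eap, files, pap, ...)
}
```

Running `radiusd -X` and checking that `suffix` logs the realm being found before `remote_secret_reject` is evaluated is the quickest way to confirm the ordering; a `reject` in authorize produces an Access-Reject and the "Login OK" line for that user and client should no longer appear.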


