Help with eduroam proxying config

Mohamed Lrhazi Mohamed.Lrhazi at georgetown.edu
Fri Mar 13 04:27:43 CET 2015


I documented my first working config as a runnable docker image, in case
it's useful to anyone:

https://github.com/lrhazi/freeradius-eduroam

Thanks,
Mohamed.

On Wed, Mar 11, 2015 at 11:27 AM, Mohamed Lrhazi <Mohamed.Lrhazi at georgetown.edu> wrote:

> Thanks a lot guys, we'll try those suggestions and be back :)
>
> My first try at freeradius, just figuring out the basics... seeing how
> requests would be routed based on username and so on...
>
> Mohamed.
>
> On Wed, Mar 11, 2015 at 10:59 AM, Scott Armitage <S.P.Armitage at lboro.ac.uk> wrote:
>
>>
>> > On 11 Mar 2015, at 14:46, Mohamed Lrhazi <Mohamed.Lrhazi at georgetown.edu> wrote:
>> >
>> > Hello,
>> >
>> > With this config, I want to say: anyuser@anything.edu should go to
>> > eduroam, but I get a warning that it won't be the case. What's the
>> > correct config:
>> >
>> > Thanks a lot,
>> > Mohamed.
>> >
>> > proxy.conf:
>> >
>> >
>> > home_server eduroam1 {
>> >    type = auth
>> >    ipaddr = tlrs1.eduroam.us
>> >    port = 1645
>> >    secret = eduroam_radius_secret
>> > }
>> > home_server eduroam2 {
>> >    type = auth
>> >    ipaddr = tlrs2.eduroam.us
>> >    port = 1645
>> >    secret = eduroam_radius_secret
>> > }
>>
>> Why 1645 and not 1812?
>>
>>
>> > home_server_pool eduroam {
>> >    type = fail-over
>> >    home_server = eduroam1
>> >    home_server = eduroam2
>> > }
>> >
>> > realm LOCAL {
>> > }
>> > realm NULL {
>> > }
>> > realm georgetown.edu {
>> > }
>> > realm gu.edu {
>> > }
>> >
>> > realm "~(.*\\.)+edu$" {
>> >        nostrip
>> >        auth_pool = eduroam
>> > }
>>
>>
>> This isn’t being a good eduroam neighbour as you will send all kinds of
>> crap upstream, but more importantly eduroam ISN’T JUST EDU.  I’d use the
>> approach of:
>>
>> In proxy.conf:
>>
>>
>> realm eduroam {
>>     auth_pool = eduroam
>>     nostrip
>> }
>>
>> Then in your authorize section something like:
>>
>> if("%{User-Name}" =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/) {
>>         if(!"%{2}" || ("%{2}" =~ /.*georgetown\.edu$/i) ) {
>>                 update request {
>>                         #Stripped-User-Name := "%{1}"
>>                         Realm := "local"
>>                 }
>>                 if(!"%{2}" && ("%{User-Name}" =~ /^@/) && ("%{User-Name}" !~ /georgetown\\.edu$/i) ) {
>>                         update request {
>>                                 #Stripped-User-Name := "%{1}"
>>                                 Realm := "eduroam"
>>                         }
>>                         update control {
>>                                 Proxy-To-Realm := "eduroam"
>>                         }
>>                 }
>>         }
>>         else{
>>                 update request {
>>                         #Stripped-User-Name := "%{1}@%{2}"
>>                         Realm := "%{2}"
>>                 }
>>         }
>> }
>>
>>
>>
>>
>> regards
>>
>>
>> Scott Armitage
>>
>>
>>
>
>
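
Added example (not part of the thread or of the linked repository): a Python model of the realm routing discussed above, comparing what the quoted realm "~(.*\\.)+edu$" rule would send upstream with a policy that proxies any well-formed foreign realm and rejects malformed ones. The realm syntax check, the function names and the sample User-Names are assumptions constructed for illustration; this is not FreeRADIUS code.

```python
import re

# Assumed policy for illustration; the local realms are those in the quoted proxy.conf.
LOCAL_REALMS = {"georgetown.edu", "gu.edu"}
# The regex realm from the quoted proxy.conf (modelled here as case-insensitive).
ORIGINAL_REALM_RE = re.compile(r"(.*\.)+edu$", re.IGNORECASE)
# Conservative DNS-style realm syntax (assumption): dot-separated labels, alphabetic TLD.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
VALID_REALM_RE = re.compile(rf"(?:{LABEL}\.)+[a-z]{{2,}}")


def original_proxies(user_name: str) -> bool:
    """Model the quoted config: exact local realms win, then the .edu regex."""
    _, sep, realm = user_name.rpartition("@")
    if not sep or realm.lower() in LOCAL_REALMS:
        return False
    return bool(ORIGINAL_REALM_RE.search(realm))


def route(user_name: str) -> str:
    """Return 'local', 'eduroam' or 'reject' for a RADIUS User-Name."""
    user, sep, realm = user_name.rpartition("@")
    if not sep:
        return "local"      # no realm at all: authenticate locally
    realm = realm.lower()
    if not user or not VALID_REALM_RE.fullmatch(realm):
        return "reject"     # empty user part or malformed realm: never send upstream
    if realm in LOCAL_REALMS:
        return "local"
    return "eduroam"        # any well-formed foreign realm, not only .edu


# Constructed sample User-Names (not taken from real traffic).
SAMPLES = ["alice", "alice@georgetown.edu", "carol@example.edu", "bob@lboro.ac.uk",
           "dave@foo..edu", "erin@bad realm.edu", "@example.edu", "frank@localdomain"]


def compare(names=SAMPLES):
    """Return (User-Name, proxied by original rule?, route under stricter policy)."""
    return [(n, original_proxies(n), route(n)) for n in names]


if __name__ == "__main__":
    for name, orig, new in compare():
        print(f"{name!r:26} original_proxies={orig!s:5} route={new}")
```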

