Set up /dev/null (no auth) proxy server on NULL realm

Seiichirou Hiraoka seiichirou.hiraoka at gmail.com
Mon Dec 5 11:50:09 CET 2016


Hello Alan,

Thank you for your reply.

Sorry for the lack of information.

Instead of failing all users' authentication, we want to fail only in the
case of the NULL realm.
The DEFAULT realm will authenticate with a real authentication server.

Only in the case of the NULL realm, please tell me if there is a best practice
to forcibly fail.

Best regards!


2016-12-05 19:00 GMT+09:00 <A.L.M.Buxey at lboro.ac.uk>:

> Hi,
>
> > I use FreeRADIUS 3.0.4 on CentOS 7.2 (RPM)
> > And I want to set up /dev/null (without auth) proxy server on NULL realm.
> >
> > Now, I set up my proxy.conf as follows.
> >
> > -----
> > realm NULL {
> >         authhost        = 127.0.0.1:1645
> >         accthost        = 127.0.0.1:1646
> >         secret          = dummy
> > }
> > -----
> >
> > No service exists on 127.0.0.1:1645, 1646.
>
> oh dear.
>
> > When a user tries to auth without a realm (NULL realm),
> > all authentication is going to fail.
>
> not really... it'll be worse than that.
>
> > I have some questions.
> > 1) Is my setting correct ?
> > 2) Is there a way to set the timeout? (I want to set timeout to 0)
> > 3) Any other advice?
>
> what you will get is a server trying to proxy a request off to localhost
> port 1645/1646... which won't respond... will get marked as dead... you'll
> get huge backups of failures and in-transit proxy requests reattempted etc.,
> leading to a final failure of your otherwise okay system.
>
> if you want to just fail anyone trying to login with no realm, then simply
> use unlang to reject them! e.g., in the authorize section of your server
>
> if (&User-Name !~ /@/) {
>         reject
> }
>
>
> alan
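
The rejection suggested in the quoted reply, shown in context as an added example that is not part of the original thread: the check sits at the top of the `authorize` section, ahead of the `suffix` realm lookup, so a request without a realm is rejected locally before any proxy decision is made and the dummy `realm NULL` home server on 127.0.0.1 is no longer needed. The file location, the Reply-Message text and the modules listed after the check are assumptions.

```unlang
# proxy.conf
#
# Remove the dummy block below. A home server that never answers is
# marked dead and its pending proxied requests pile up.
#
#   realm NULL {
#           authhost        = 127.0.0.1:1645
#           accthost        = 127.0.0.1:1646
#           secret          = dummy
#   }

# sites-enabled/default (assumed location of the virtual server)
authorize {
        # A User-Name with no "@" has no realm: reject it here, before
        # the realm module runs, so nothing is ever proxied for it.
        if (&User-Name !~ /@/) {
                update reply {
                        # Constructed message text, adjust or drop as needed.
                        Reply-Message := "Login without a realm is not permitted"
                }
                reject
        }

        # Requests that do carry a realm continue to the normal realm
        # lookup and are proxied according to proxy.conf (for example
        # via the DEFAULT realm).
        suffix

        # ... remaining authorize modules unchanged ...
}
```

Because the request is rejected inside `authorize`, the answer is an immediate Access-Reject rather than a proxy timeout, which is the "timeout of 0" behaviour asked about in the original question.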

