FreeRadius, Eduroam, and me...

Alan Buxey alan.buxey at gmail.com
Sun Jun 21 20:14:47 CEST 2020


hi,

> The consultant setting that up smiled smugly at that success and then
> left.  But the access from outside, using the same credentials, fails.

well, I can understand the happiness at getting the first Access-Accept working
but it's not a good approach to getting repeat customers.

it takes about a day to get eduroam up and running at an Organisation - if
relevant stakeholders and ops people are around. otherwise it can drag
out to 2 days.

from a quick glance at the logs you sent - the requests from the FLR go to their
own FreeRadius virtual server 'eduroam' - good. easy to define auth policy there,
but it seems your internal eduroam things do too - that's not good. you should have
your own internal virtual server for internal eduroam (if requests are not your realm
and are valid realm format etc send them off to the FLR, for your own users, auth and then
give relevant access VLANS etc.)

you appear to have a duplicate module lying around for mschap -

you have require_message_authenticator = no for NAS clients
set that to yes, you should not be letting clients that don't have this
ability use your resources
(I ran eduroam at a site that was in eduroam from the early days and
we had this enforcement)

and finally, as others have already said, the incoming request being targeted at you
from the outside world is not an EAP request.  oh, regarding that, in your eduroam
virtual server, reject non EAP requests as first line protection anyway.

alan
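
As a worked example of the three changes recommended above (one virtual server for requests arriving from the FLR and a separate one for your own campus NASes, require_message_authenticator = yes on every client and home server, and rejecting anything that is not an EAP request before any other module runs), here is a FreeRADIUS 3.x configuration sketch. It is added here and is not from Alan's message nor from the FreeRADIUS or eduroam projects. The realm example.ac.uk, the 192.0.2.x and 198.51.100.x addresses, the CHANGE-ME secrets, the VLAN IDs and the file names are placeholders to be replaced with your own values.

```text
# --- clients.conf: each client is pinned to the virtual server it belongs to ---
client flr-primary {
    ipaddr                        = 192.0.2.10        # placeholder: your national FLR
    secret                        = CHANGE-ME
    require_message_authenticator = yes               # drop requests without a valid Message-Authenticator
    virtual_server                = eduroam           # visitors' home auth for *your* users roaming elsewhere
}
client campus-wlc {
    ipaddr                        = 198.51.100.5      # placeholder: your own wireless controller
    secret                        = CHANGE-ME
    require_message_authenticator = yes
    virtual_server                = eduroam-internal  # your own SSID, both local users and visitors
}

# --- proxy.conf: your realm stays local, every other realm goes to the FLR ---
home_server flr1 {
    type                          = auth
    ipaddr                        = 192.0.2.10
    port                          = 1812
    secret                        = CHANGE-ME
    require_message_authenticator = yes
    status_check                  = status-server
}
home_server_pool eduroam_flr {
    type        = fail-over
    home_server = flr1
}
realm example.ac.uk {
    # no auth_pool: requests for this realm are authenticated on this box
}
realm DEFAULT {
    auth_pool = eduroam_flr
    nostrip                       # keep user@realm intact when proxying
}

# --- sites-available/eduroam: requests arriving from the FLR ---
server eduroam {
    authorize {
        # eduroam is EAP-only; a request with no EAP-Message is never legitimate
        if (!&EAP-Message) {
            reject
        }
        # the FLR should only ever send us our own realm (outer identity);
        # anything else is misrouted and must not be proxied back out
        if (!&User-Name || &User-Name !~ /@example\.ac\.uk$/i) {
            reject
        }
        eap
    }
    authenticate {
        eap
    }
}

# --- sites-available/eduroam-internal: requests from your own NASes ---
server eduroam-internal {
    authorize {
        if (!&EAP-Message) {
            reject
        }
        # refuse bare usernames and malformed realms before 'suffix' sees them
        if (!&User-Name || &User-Name !~ /^[^@]+@[A-Za-z0-9.-]+\.[A-Za-z]+$/) {
            reject
        }
        # 'suffix' sets Proxy-To-Realm for any realm that is not example.ac.uk,
        # so those requests leave via the eduroam_flr pool defined above
        suffix
        eap
    }
    authenticate {
        eap
    }
    post-auth {
        # local users land on the staff VLAN, visitors on the guest VLAN
        if (&User-Name =~ /@example\.ac\.uk$/i) {
            update reply {
                &Tunnel-Type             := VLAN
                &Tunnel-Medium-Type      := IEEE-802
                &Tunnel-Private-Group-Id := "100"
            }
        }
        else {
            update reply {
                &Tunnel-Type             := VLAN
                &Tunnel-Medium-Type      := IEEE-802
                &Tunnel-Private-Group-Id := "200"
            }
        }
    }
}
```

The two early `reject`s are the cheap checks: they run before any database or EAP module is touched, so junk from the outside costs nothing and shows up in the logs as an explicit policy rejection rather than an EAP failure. With `require_message_authenticator = yes` on every client, a request that lacks the HMAC or carries a bad one is discarded at the packet layer before it reaches either virtual server.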


More information about the Freeradius-Users mailing list