Preventing proxy loops

Alan DeKok aland at deployingradius.com
Tue Sep 1 13:51:10 CEST 2020


On Sep 1, 2020, at 5:19 AM, Arnaud LAURIOU <arnaud.lauriou at renater.fr> wrote:
> 
> We have freeRADIUS proxies dedicated to eduroam, version 3.0.21.
> 
> Some of our clients are sending us Access-Request ... with their realm.
> We forward them to their home_server

  Why?

  The only packets you should get from Eduroam are ones for your realm.  All other packets should be rejected immediately.

	if (Realm != "renate.fr) {
		reject
	}

  If they're sending packets for their realm to you, then you have no obligation to be polite.  Don't send the packets back.  Just reject them.

  Their users will complain that they can't get online.  They will then fix the issue.

  Alan DeKok.




More information about the Freeradius-Users mailing list