Preventing proxy loops

Arnaud LAURIOU arnaud.lauriou at renater.fr
Tue Sep 1 15:14:18 CEST 2020



On 9/1/20 1:51 PM, Alan DeKok wrote:
> On Sep 1, 2020, at 5:19 AM, Arnaud LAURIOU <arnaud.lauriou at renater.fr> wrote:
>> We have FreeRADIUS proxies dedicated to eduroam, version 3.0.21.
>>
>> Some of our clients are sending us Access-Request ... with their realm.
>> We forward them to their home_server
>    Why?
>
>    The only packets you should get from Eduroam are ones for your realm.  All other packets should be rejected immediately.
>
> 	if (Realm != "renater.fr") {
> 		reject
> 	}
Yes, but maybe I didn't make myself clear: I'm talking about our .fr
federation level eduroam proxies,
not our 'renater.fr' RADIUS server.
>
>    If they're sending packets for their realm to you, then you have no obligation to be polite.  Don't send the packets back.  Just reject them.
Yes, I tried a solution in the pre-proxy section (described in my previous
email) but it's NOK for monitor requests like
nagios@<realm>.fr when client and home_server are the same.

Do I need to go further with this solution (e.g. use a specific CLI 
attribute so that these requests can be handled
separately) or is there a completely different way to protect our 
proxies from loops with FR?

Regards,

Arnaud Lauriou

