Preventing proxy loops
Arnaud LAURIOU
arnaud.lauriou at renater.fr
Tue Sep 1 15:14:18 CEST 2020
On 9/1/20 1:51 PM, Alan DeKok wrote:
> On Sep 1, 2020, at 5:19 AM, Arnaud LAURIOU <arnaud.lauriou at renater.fr> wrote:
>> We have FreeRADIUS proxies dedicated to eduroam, version 3.0.21.
>>
>> Some of our clients are sending us Access-Request ... with their realm.
>> We forward them to their home_server
> Why?
>
> The only packets you should get from Eduroam are ones for your realm. All other packets should be rejected immediately.
>
> if (Realm != "renater.fr") {
>     reject
> }
Yes, but maybe I didn't make myself clear: I'm talking about our .fr
federation level eduroam proxies,
not our 'renater.fr' RADIUS server.
>
> If they're sending packets for their realm to you, then you have no obligation to be polite. Don't send the packets back. Just reject them.
Yes, I tried a solution in pre-proxy section (described in my previous
email) but it's NOK for monitor requests like
nagios@<realm>.fr when client and home_server are the same.
Do I need to go further with this solution (e.g. use a specific CLI
attribute so that these requests can be handled
separately) or is there a completely different way to protect our
proxies from loops with FR?
Regards,
Arnaud Lauriou