Preventing proxy loops

Alan Buxey alan.buxey at gmail.com
Thu Sep 3 23:17:56 CEST 2020


hi,

> > Yes, I tried a solution in pre-proxy section (described in my previous email) but it's NOK for monitor requests like
> > nagios@<realm>.fr when client and home_server are the same.

are they trying to monitor themselves via the national roaming proxies?

>   The simplest way is perhaps to just add a vendor-specific attribute.  If you see a packet without that VSA, you forward it. If you see a packet with that VSA, you know it's looped, and you reject it.

+1 for this - it's how we dealt with initial loop prevention when
moving to RADSEC. I think there's an eduroam recipe for freeradius
lying around on the GÉANT confluence wiki somewhere

>   Monitoring packets shouldn't contain EAP-Message, so the above rule should catch only EAP authentication requests.

well, all non-EAP should be blocked incoming at national proxy level
anyway so monitoring should be an EAP method just like real clients...

alan
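
The rule quoted above (forward a packet that lacks the VSA, reject one that carries it), shown at the RADIUS wire level as an added example that is not part of the original message and is not FreeRADIUS code. The vendor number 99999, the sub-attribute type 1, the function names and the sample packet are all hypothetical or constructed; recomputing Message-Authenticator is left out.

```python
import struct

VSA = 26           # Vendor-Specific attribute type (RFC 2865)
VENDOR = 99999     # hypothetical enterprise number, placeholder
MARKER = 1         # hypothetical vendor sub-attribute: loop marker
HDR = 20           # code, identifier, length, 16-byte authenticator

def attributes(packet):
    """Yield (type, value) for every attribute in a RADIUS packet."""
    (length,) = struct.unpack("!H", packet[2:4])
    if length < HDR or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = HDR
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        yield packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def has_loop_marker(packet):
    """True if a VSA from our vendor already carries the marker."""
    for atype, value in attributes(packet):
        if atype != VSA or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR:
            continue
        sub = value[4:]
        while len(sub) >= 2 and sub[1] >= 2:   # walk vendor sub-attributes
            if sub[0] == MARKER:
                return True
            sub = sub[sub[1]:]
    return False

def proxy(packet, name):
    """Reject a packet that already has the marker, else tag and forward it."""
    if has_loop_marker(packet):
        return "reject", None
    vsa = struct.pack("!IBB", VENDOR, MARKER, len(name) + 2) + name
    attr = bytes([VSA, len(vsa) + 2]) + vsa
    (length,) = struct.unpack("!H", packet[2:4])
    # A real proxy would also recompute Message-Authenticator here.
    tagged = packet[:2] + struct.pack("!H", length + len(attr)) + packet[4:length] + attr
    return "forward", tagged

def sample_request():
    """Constructed Access-Request holding only a User-Name attribute."""
    user = b"user@example.org"
    attrs = bytes([1, len(user) + 2]) + user
    return bytes([1, 7]) + struct.pack("!H", HDR + len(attrs)) + bytes(16) + attrs
```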