proxy.conf (from v2 to v3) - edoroam - NRO - configurations - requested - regarding
Patrick Oberli
patrick.oberli at ost.ch
Mon Jun 21 14:02:33 CEST 2021
Here you find the manual: https://wiki.geant.org/pages/viewpage.action?pageId=121346259
This is how I configured it:
/etc/freeradius/3.0# cat sites-enabled/eduroam
# Virtual server "eduroam": the entry point for all RADIUS traffic that arrives
# on the listeners below. Local realms are answered here; everything else is
# proxied according to proxy.conf (see the second listing in this mail).
server eduroam {
# Four listeners: auth and acct, each on every IPv4 and every IPv6 address.
# Binding to "*" / "::" accepts packets from any interface, so which peers may
# talk to this server is decided solely by clients.conf (mentioned further
# down but not shown here) and the shared secrets defined there.
# port = 0 lets FreeRADIUS pick the default port for the listener type
# (conventionally 1812 for auth, 1813 for acct).
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipv6addr = ::
port = 0
}
listen {
type = "acct"
ipv6addr = ::
port = 0
}
authorize {
# only use filter_username from version > 3.0.7 on
# filter_username rejects malformed User-Name values (e.g. no realm, or
# characters that must not appear) before any realm lookup happens.
filter_username
update request {
Operator-Name := "1domain.tld"
# the literal number "1" above is an important prefix! Do not change it!
# "1" is the Operator-Name namespace id for a DNS-based name; replace
# domain.tld with your own DNS domain so the roaming partner can tell
# which operator originated the request.
}
# if you want detailed logging
auth_log
# suffix splits User-Name at "@" and selects the realm from proxy.conf;
# this is where the local-vs-proxy decision is made.
suffix
}
# Empty on purpose: the outer proxy does not authenticate anyone itself.
authenticate {
}
preacct {
suffix
}
# Empty on purpose: accounting is only forwarded, not stored here.
accounting {
}
post-auth {
# if you want detailed logging uncomment
#reply_log
# Runs for rejects only; reply_log is left commented out here as well.
Post-Auth-Type REJECT {
# reply_log
}
}
pre-proxy {
# if you want detailed logging uncomment
#pre_proxy_log
# Strip attributes that must not leave this site (see the pre-proxy
# attr_filter file) from every proxied packet except Accounting-Request.
if("%{Packet-Type}" != "Accounting-Request") {
attr_filter.pre-proxy
}
# Force NAS-Port-Type on the outgoing request; 19 is Wireless-802.11.
update proxy-request {
NAS-Port-Type := 19
}
}
post-proxy {
# if you want detailed logging uncomment
#post_proxy_log
# Filter the attributes returned by the home server before the reply
# is passed back towards the NAS (see the post-proxy attr_filter file).
attr_filter.post-proxy
}
}
-------------------------------
proxy.conf (servers 1-4 are Windows NPS and don't support status-server, unlike the ftlr ones, check that with your provider)
# proxy.conf: home servers, fail-over pools and the realm table that maps a
# User-Name suffix to one of them. All addresses and secrets below are
# placeholders (x.x.x.x, "password") and must be replaced.
proxy server {
# With no fallback server, a request whose whole pool is dead is dropped
# rather than being handed to some other home server.
default_fallback = no
}
# server1-4: the institution's own Windows NPS back ends (see the sentence
# above this listing). NPS does not answer Status-Server, so liveness is
# judged from real traffic: a server that misses a reply within
# response_window is marked zombie for zombie_period, then probed every
# check_interval seconds and revived after revive_interval; it needs
# num_answers_to_alive replies before it is trusted again.
# NOTE(review): "password" is a placeholder. Use a different, long, random
# shared secret for each home server - it is the only thing that
# authenticates this proxy to the back end.
home_server server1 {
type = auth+acct
ipaddr = x.x.x.x
port = 1812
secret = "password"
status_check = none
response_window = 20
zombie_period = 20
check_interval = 6
revive_interval = 10
num_answers_to_alive = 3
}
home_server server2 {
type = auth+acct
ipaddr = x.x.x.x
port = 1812
secret = "password"
status_check = none
response_window = 20
zombie_period = 20
check_interval = 6
revive_interval = 10
num_answers_to_alive = 3
}
home_server server3 {
type = auth+acct
ipaddr = x.x.x.x
port = 1812
secret = "password"
status_check = none
response_window = 20
zombie_period = 20
check_interval = 6
revive_interval = 10
num_answers_to_alive = 3
}
home_server server4 {
type = auth+acct
ipaddr = x.x.x.x
port = 1812
secret = "password"
status_check = none
response_window = 20
zombie_period = 20
check_interval = 6
revive_interval = 10
num_answers_to_alive = 3
}
# eduroam-3/4: the national (NRO) top-level servers. These do answer
# Status-Server, so liveness is probed actively and no revive_interval is
# needed. The secret here is unquoted; quote it (as above) if it contains
# characters the config parser treats specially.
home_server eduroam-3 {
type = auth+acct
ipaddr = ftlr1.x.x
port = 1812
secret = password
status_check = status-server
response_window = 20
zombie_period = 20
check_interval = 6
num_answers_to_alive = 3
}
home_server eduroam-4 {
type = auth+acct
ipaddr = ftlr2.x.x
port = 1812
secret = password
status_check = status-server
response_window = 20
zombie_period = 20
check_interval = 6
num_answers_to_alive = 3
}
# fail-over pools: the first listed server is used until it is marked dead,
# then the next one.
home_server_pool EDUROAM {
type = fail-over
home_server = eduroam-3
home_server = eduroam-4
}
home_server_pool DOMAIN1 {
type = fail-over
home_server = server1
home_server = server2
}
home_server_pool DOMAIN2 {
type = fail-over
home_server = server3
home_server = server4
}
# Realm table, consulted by "suffix" in the virtual server.
# NULL: a User-Name without any "@realm" is sent to the local virtual server
# "auth-reject" (not shown in this mail) instead of being proxied.
realm NULL {
virtual_server = auth-reject
nostrip
}
# Local realms go to the institution's own NPS pools. nostrip keeps the
# "@realm" suffix in the User-Name that is forwarded.
realm domain1.tld {
pool = DOMAIN1
nostrip
}
realm domain2.tld {
pool = DOMAIN2
nostrip
}
# Catch-all: any other (non-empty) realm is a visitor and goes to the NRO.
# Because this is a regex it is only tried after the exact-match realms above
# have failed.
realm "~.+$" {
pool = EDUROAM
nostrip
}
-----------------------------------
You also need to configure the files pre-proxy, post-proxy and of course clients.conf.
Then I also suggest doing performance optimizations like this (but read the manual first; the right values depend on your server setup):
vi radiusd.conf
# Tuning values for radiusd.conf. They are shown flat here but live in
# different sections of the stock file: max_request_time and reject_delay at
# the top level, auth = yes inside log { } (logs every Access-Request
# result), and the *servers settings inside thread pool { }. Sizes depend on
# the host; reject_delay = 0 sends rejects immediately instead of delaying
# them, which trades some brute-force throttling for faster roaming failures.
max_request_time = 20
auth = yes
reject_delay = 0
max_servers = 2048
min_spare_servers = 8
max_spare_servers = 32
Kind regards
Patrick
-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+patrick.oberli=ost.ch at lists.freeradius.org> On Behalf Of P.Thirunavukkarasu
Sent: Montag, 21. Juni 2021 13:20
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: proxy.conf (from v2 to v3) - edoroam - NRO - configurations - requested - regarding
Hi,
Greetings and Thanks for the reply.
1. As I understand, the home server means the eduroam servers of NRO.
> Hence, I configured the home server and home server pool as above.
>
> 2. Are the above proxy and realm config correct or not?
If the server starts, yes.
*It shows "Ready to process the request" in the debugging mode.*
> 3. Our domain name is tanuvas.org.in. I configured the realm as
LOCAL
Yes.
*We need to process the requests for our local users locally, with our domain name tanuvas.org.in <http://tanuvas.org.in> as the suffix. *
> 4. Realm DEFAULT points to the Home Server Pool EDUROAM. Is it
correct
It depends on what you want to do.
*We need to forward the request by roaming users from other Universities to the ERNET, our national level NRO for eduroam. Similarly vice-versa should happen when our users are roaming. *
> 6. Is it necessary to configure the realms NULL and LOCAL
It depends on what you want to do.
*We need to process these NULL and LOCAL realms locally without proxying to ERNET*
*Regards*
*Thirunavukkarasu*
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html