Hi Chris,
Thanks for the tip. Good call, I didn't have a DEFAULT realm. I added one, and if it matches, it seems Realm is set to DEFAULT rather than whatever the realm was. This is probably not a problem. If I have realms I explicitly need to reject, I'll add a separate entry for each to proxy.conf, then add a line to users to catch it like I had below. That appears to work.


Another plan would be to use DEFAULT to catch illegal realms. This would require an entry for each "good" realm in proxy.conf so it won't match DEFAULT. It seems strange to fill up proxy.conf with local realms, but I guess that behavior can be configured whichever way makes life easier for the operators. Are there any guidelines I should be aware of for how or whether to use proxy.conf for local realms?

Dave

Chris Parker wrote:

At 01:51 PM 6/13/2003 -0500, Dave Mason wrote:

Hi,
I checked the FAQ and comments in the users file, and thought I had this, but I gave it a shot and it didn't work. I need to reject any user who tries to authenticate from a particular realm, then if it's OK use EAP. I added this to the users file:


-----------------------
DEFAULT         Realm == "badrealm.com", Auth-Type := Reject
               Reply-Message = "This realm is not supported."

DEFAULT         Auth-Type := EAP
------------------------



I'm going to take a stab in the dark and guess that you don't have a DEFAULT realm configured.

I would suggest you add a DEFAULT realm entry to process it locally.  The
Realm attribute is not added unless it matches a realm ( and *everything*
not otherwise defined will match DEFAULT ).

Alternatively, you could define 'badrealm' in your config in lieu of a
DEFAULT entry if you didn't want to create the DEFAULT for other reasons.

-Chris
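
The arrangement discussed in this thread, written out as an added example (not taken from either poster's configuration). The `realm { ... }` block syntax with `authhost = LOCAL` is assumed from FreeRADIUS releases of this period; check the proxy.conf shipped with your version before using it.

```conf
# ---- proxy.conf (added example, syntax assumed as noted above) ----

# Explicit local realm: a user@badrealm.com request gets
# Realm = "badrealm.com" and is processed locally, not proxied.
realm badrealm.com {
	type		= radius
	authhost	= LOCAL
	accthost	= LOCAL
}

# Catch-all: every realm without its own entry is processed locally,
# but Realm is then set to "DEFAULT" rather than the realm the user sent,
# so a users-file check on the original realm name cannot match.
realm DEFAULT {
	type		= radius
	authhost	= LOCAL
	accthost	= LOCAL
}

# ---- users ----

# Matches only because badrealm.com has its own realm entry above.
DEFAULT	Realm == "badrealm.com", Auth-Type := Reject
	Reply-Message = "This realm is not supported."

# Everything that was not rejected falls through to EAP.
DEFAULT	Auth-Type := EAP
```

The reject entry has to stay above the EAP entry, because the first matching DEFAULT in the users file wins unless Fall-Through is set.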



