mr typo <[email protected]> wrote:
>
> i do have a problem with our freeradius configuration and i have no idea how
> to solve it.
>
> we do have one realm configured domainname.com which works perfectly. every
> user who wants to authenticate with a different realm is proxied to an
> outside radius server. the setup works fine.
>
> we do have some mobile devices who send something like:
> [email protected]@wlan.mnc003.mc
> [email protected]@Verisign...
> .
> .
>
> we send these requests to our proxy and the proxy sends it back to us,....
>
> from my understanding i can't solve it with a regex in the proxy.conf, right?
> since the "realm" is just the string after the last @?
>
> anyone has an idea how i can process such request in my company.com realm?
> inside the realm i strip everything out, so it should work then.
>
Use some unlang in 'authorize' *before* you call 'suffix' that looks
like:
----
if (User-Name =~ /^([email protected])@.*/) {
    # keep only the captured leading part, dropping the trailing realm
    update request {
        User-Name := "%{1}"
    }
}
----
As a side note, I currently have in proxy.conf:
----
# blackhole routing
realm myabc.com {
    virtual_server = auth-reject
    nostrip
}
realm "~\\.3gppnetwork\\.org$" {
    virtual_server = auth-reject
    nostrip
}
----
...and a virtual server:
----
server auth-reject {
    authorize {
        suffix
        switch "%{Realm}" {
            case "NULL" {
                update reply {
                    Reply-Message := "No Realm"
                }
            }
            # we should not get here
            case "DEFAULT" {
                update reply {
                    Reply-Message := "ERROR"
                }
            }
            # we *really* should not get here
            case "%{config:local.MY.realm}" {
                update reply {
                    Reply-Message := "BIG ERROR"
                }
            }
            case {
                update reply {
                    Reply-Message := "Realm Blackholed"
                }
            }
        }
        reject
    }
}
----
I would recommend you reject straight away any double realmed users as
you will only find yourself later on still having to deal with
misconfigured kit; pain now means a *lot* less pain later down the road
in my experience.
Cheers
--
Alexander Clouter
.sigmonster says: This Fortune Examined By INSPECTOR NO. 2-14
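
Added example, not part of the original post and not Alexander's own configuration: one way to apply the closing recommendation and reject double-realmed User-Names before 'suffix' splits on the last '@'. It assumes the same FreeRADIUS 2.x unlang syntax used in the post; the Reply-Message text is made up for illustration.

```unlang
authorize {
    # Added example (assumption: FreeRADIUS 2.x unlang, as in the post).
    # 'suffix' treats only the text after the last '@' as the realm, so a
    # name such as user@realm1@realm2 would be routed on realm2 alone.
    # Catch any User-Name containing more than one '@' before that happens.
    if (User-Name =~ /@.*@/) {
        update reply {
            # Constructed message text, not from the original post
            Reply-Message := "Double realm rejected"
        }
        # Stop here: the request never reaches 'suffix' or the proxy
        reject
    }

    suffix

    # ... remainder of the existing authorize section unchanged ...
}
```

Running the server in debug mode (radiusd -X) shows whether the condition matched for a given request.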