Rich Graves <rgra...@carleton.edu> wrote:
>
> I've got freeradius-2.1.10-5.el6.x86_64 on fully patched RHEL6.1.
> PEAP+MSCHAPv2 for wireless 802.1x, intending to federate with eduroam.
>
> Within a day, I had the configuration I wanted, or so I thought.
>
> Empty stanzas for realms u...@carleton.edu, ADS\user, and bare
> username get authenticated with mschapv2. Otherwise, regex realm *@*.*
> gets routed to the eduroam upstream radius hierarchy.

If you are going 'eduroam' you really need to reject *everything* eduroam SSID/802.1X related that is not of the form user@realm. If you permit combinations then you will find users can use 'eduroam' locally with no problems, but when they go roaming their workstation does not tell the visited site the realm (in the form '@example.edu') and so it can only reject them.
The result: very unhappy users. If you reject NULL *today*, then your helpdesk *have* to configure people correctly. These are the words from a bitten-before eduroam sysadmin :)

As for your realm fun, this is what we do:

---- templates.conf ----
templates {
    # PROXY: settings shared by every eduroam (JRS) home_server
    eduroam-proxy {
        type = auth+acct
        port = 1812
        require_message_authenticator = yes
        status_check = status-server
    }
    # the v6/v4 variants only add the source address to send from
    eduroam-proxy6 {
        src_ipaddr = ${local.MY.addr.v6}
        $template eduroam-proxy
    }
    eduroam-proxy4 {
        src_ipaddr = ${local.MY.addr.v4}
        $template eduroam-proxy
    }
}
----

---- proxy.conf ----
## eduroam
# roaming0.ja.net
home_server jrs.0.v6 {
    ipv6addr = ${local.jrs.0.addr.v6}
    secret = ${local.jrs.0.secret}
    $template eduroam-proxy6
}
home_server jrs.0.v4 {
    ipaddr = ${local.jrs.0.addr.v4}
    secret = ${local.jrs.0.secret}
    $template eduroam-proxy4
}
# roaming1.ja.net
home_server jrs.1.v6 {
    ipv6addr = ${local.jrs.1.addr.v6}
    secret = ${local.jrs.1.secret}
    $template eduroam-proxy6
}
home_server jrs.1.v4 {
    ipaddr = ${local.jrs.1.addr.v4}
    secret = ${local.jrs.1.secret}
    $template eduroam-proxy4
}
# roaming2.ja.net
home_server jrs.2.v6 {
    ipv6addr = ${local.jrs.2.addr.v6}
    secret = ${local.jrs.2.secret}
    $template eduroam-proxy6
}
home_server jrs.2.v4 {
    ipaddr = ${local.jrs.2.addr.v4}
    secret = ${local.jrs.2.secret}
    $template eduroam-proxy4
}

# keyed-balance hashes Load-Balance-Key (set in authorize{} below) so every
# packet of one EAP conversation goes to the same upstream server
home_server_pool eduroam {
    type = keyed-balance
    home_server = jrs.0.v6
    home_server = jrs.0.v4
    home_server = jrs.1.v6
    home_server = jrs.1.v4
    home_server = jrs.2.v6
    home_server = jrs.2.v4
}

# handled locally (no pool, no virtual_server)
realm NULL {
}
realm LOCAL {
}
realm soas.ac.uk {
}
realm auth.virtual {
    virtual_server = auth
}
# anything else with an @realm goes to eduroam with User-Name intact
realm DEFAULT {
    pool = eduroam
    nostrip
}

# blackhole routing: matched here so they never fall into DEFAULT,
# then rejected in authorize{}
realm myabc.com {
    nostrip
}
realm "~\\.3gppnetwork\\.org$" {
    nostrip
}
----

The virtual server looks vaguely like this (for *all* users onsite; the 'our users visiting elsewhere' one is simpler):

----
authorize {
    preprocess
    suffix
    # detail
    rewrite.called_station_id
    rewrite.calling_station_id
    update request {
        Operator-Name := "1%{config:local.MY.realm}"
    }
    eap {
        ok = return
    }

    # Reject Calling-Station-Id-less authentications
    if (!(Calling-Station-Id)) {
        update reply {
            Reply-Message := "No Calling-Station-Id"
        }
        reject
    }
    elsif (Calling-Station-Id =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {
        update control {
            Local-MAC-Address := "%{1}%{2}%{3}%{4}%{5}%{6}"
        }
    }

    if (!(User-Name)) {
        update reply {
            Reply-Message := "No User-Name"
        }
        reject
    }
    validate_username

    # handle realmless authentications: an EAP login without @realm is
    # refused here, at home, before the user tries to roam
    if ((EAP-Message) && Realm == NULL) {
        update reply {
            Reply-Message := "No Realm"
        }
        reject
    }

    # handle blackhole'd realms
    if (Realm != "NULL" && Realm != "DEFAULT" && Realm != "%{config:local.MY.realm}") {
        update reply {
            Reply-Message := "Realm Blackholed"
        }
        reject
    }

    # [snipped local MAC-Auth hooks]

    # workaround crappy load-balancing
    if (Realm == DEFAULT) {
        update control {
            Load-Balance-Key := "%{User-Name} %{Calling-Station-Id}"
        }
        handled
    }

    Autz-Type Status-Server {
        ok
    }
}

post-auth {
    Post-Auth-Type Reject {
        redundant {
            sql.dot1x
            ok
        }
        attr_filter.access_reject
        eap-has-no-reply-message
        # detail
    }

    # defaults
    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
        Tunnel-Private-Group-Id := "unauthorised"
        Termination-Action := RADIUS-Request
        Session-Timeout := 300
        Acct-Interim-Interval := 3600
    }

    if ((EAP-Message) && !(Ldap-UserDn)) {
        cache_ldap-userdn
    }

    if (Realm == "DEFAULT") {
        update reply {
            Tunnel-Private-Group-Id := "eduroam"
        }
    }
    # to be removed once we register personal workstations
    elsif (Realm == "%{config:local.MY.realm}") {
        update reply {
            Tunnel-Private-Group-Id := "users-unmanaged"
        }
    }

    if (reply:Tunnel-Private-Group-Id != "unauthorised") {
        update reply {
            # Cisco only support a max of 65535
            Session-Timeout := 64800
        }
    }

    redundant {
        sql.dot1x
        ok
    }
    attr_filter.soas-auth
    eap-has-no-reply-message
}
----

If enough people pester me I might get around to 'generalising' this.
There is already some effort in this space: Arran Cudbard-Bell (@freeradius.net) used to work in Academentia over in Rightpondia and put together a slightly different approach (without the focus on proxy.conf that I use; it's pretty much what the rest of the .ac.uk sector use, I think, I of course have to be different):

http://www.ja.net/services/authentication-and-authorisation/janet-roaming/documentation.html
http://www.ja.net/documents/services/janet-roaming/sussex-freeradius-case-study.pdf
"FreeRADIUS v2.0.2 Implementation to support eduroam at the University of Sussex".

It's all good stuff though. Pick the approach that makes the most sense to you and more naturally fits your needs. I like priming FreeRADIUS with the realm->proxy mapping and leaving it to its devices; others prefer to explicitly use unlang in authorize{}.

Do contact me off list if you want some help and think this could be getting off topic, although there are a *lot* of eduroam'ers here on the list.

Cheers

-- 
Alexander Clouter
.sigmonster says: DIDI ... is that a MARTIAN name, or, are we in ISRAEL?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
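The decision logic of the authorize{}/post-auth{} policy posted above, modelled in Python so the reject/proxy/local outcomes can be checked against sample requests offline. This is an added example, not Alexander's config and not FreeRADIUS code. Assumptions: the local realm stands in for %{config:local.MY.realm} as "soas.ac.uk"; realm derivation mimics rlm_realm's suffix format (split at the last '@'); the `eap { ok = return }` short-circuit and the Local-MAC-Address capture are ignored; keyed-balance is stood in for by a SHA-256 hash (FreeRADIUS uses its own hash, only the "same key, same server" property is shown); the sample requests are constructed, not captured traffic.

```python
# Added example (not from the mailing-list post nor from FreeRADIUS): a model of the
# realm-routing decisions in the authorize{} policy above.
import hashlib
import re

# Assumptions standing in for values the post reads from its local config:
LOCAL_REALM = "soas.ac.uk"                 # %{config:local.MY.realm}
EDUROAM_POOL = ["jrs.0.v6", "jrs.0.v4", "jrs.1.v6", "jrs.1.v4", "jrs.2.v6", "jrs.2.v4"]
# Realms listed in proxy.conf with neither a pool nor a virtual_server:
# rlm_realm matches them (so Realm is set) and authorize{} then rejects them.
BLACKHOLE_REALMS = [
    re.compile(r"^myabc\.com$", re.I),
    re.compile(r"\.3gppnetwork\.org$", re.I),
]


def derive_realm(user_name):
    """Mimic rlm_realm 'suffix': split User-Name at the last '@'.

    Returns (Realm, Stripped-User-Name). Realms marked 'nostrip' keep the full
    User-Name; a name without '@' maps to the NULL realm.
    """
    if "@" not in user_name:
        return "NULL", user_name
    user, realm = user_name.rsplit("@", 1)
    if realm.lower() == LOCAL_REALM:
        return LOCAL_REALM, user                   # realm soas.ac.uk { } -> stripped
    for pattern in BLACKHOLE_REALMS:
        if pattern.search(realm):
            return realm.lower(), user_name        # blackhole realms are nostrip
    return "DEFAULT", user_name                    # realm DEFAULT { pool = eduroam nostrip }


def authorize(req):
    """Apply the authorize{} checks, in the order the unlang evaluates them.

    req is a dict keyed by RADIUS attribute name. Returns
    ("reject", Reply-Message), ("proxy", Load-Balance-Key) or
    ("local", Stripped-User-Name).
    """
    csid = req.get("Calling-Station-Id")
    if not csid:
        return "reject", "No Calling-Station-Id"
    user_name = req.get("User-Name")
    if not user_name:
        return "reject", "No User-Name"
    realm, stripped = derive_realm(user_name)
    # The eduroam rule from the post: an 802.1X (EAP) login with no @realm is
    # refused at home, so the supplicant gets fixed before the user roams.
    # A non-EAP request (e.g. MAC auth) with no realm is still allowed through.
    if "EAP-Message" in req and realm == "NULL":
        return "reject", "No Realm"
    if realm not in ("NULL", "DEFAULT", LOCAL_REALM):
        return "reject", "Realm Blackholed"
    if realm == "DEFAULT":
        # keyed-balance: User-Name + Calling-Station-Id pins one EAP
        # conversation to one upstream server.
        return "proxy", f"{user_name} {csid}"
    return "local", stripped


def post_auth_vlan(realm):
    """VLAN chosen in post-auth{}: 'unauthorised' by default, overridden per realm."""
    if realm == "DEFAULT":
        return "eduroam"
    if realm == LOCAL_REALM:
        return "users-unmanaged"
    return "unauthorised"


def pick_home_server(load_balance_key, servers=EDUROAM_POOL):
    """Stand-in for home_server_pool type = keyed-balance (assumed hash, not
    FreeRADIUS's): equal keys always select the same server."""
    digest = hashlib.sha256(load_balance_key.encode()).digest()
    return servers[int.from_bytes(digest[:4], "big") % len(servers)]


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        {"User-Name": "alice@soas.ac.uk", "Calling-Station-Id": "00-11-22-33-44-55", "EAP-Message": "..."},
        {"User-Name": "alice", "Calling-Station-Id": "00-11-22-33-44-55", "EAP-Message": "..."},
        {"User-Name": "bob@example.edu", "Calling-Station-Id": "66-77-88-99-AA-BB", "EAP-Message": "..."},
        {"User-Name": "eve@myabc.com", "Calling-Station-Id": "66-77-88-99-AA-BB", "EAP-Message": "..."},
        {"User-Name": "001122334455", "Calling-Station-Id": "00-11-22-33-44-55"},  # MAC auth, no EAP
    ]
    for req in samples:
        action, detail = authorize(req)
        extra = f" -> {pick_home_server(detail)}" if action == "proxy" else ""
        print(f"{req.get('User-Name')}: {action} ({detail}){extra}")
```

The ordering matters: the "No Realm" rejection only fires for EAP requests, so MAC-address authentications against the NULL realm still reach the local handling, while the blackhole check rejects anything rlm_realm matched that is neither local nor DEFAULT before it could be proxied.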