On 12/06/2012 10:16 AM, Alan Buxey wrote:
Hi,
home_server_pool EDUROAM-FTLR {
type = fail-over
home_server = proxy1
home_server = proxy2
}
I would use:
type = client-port-balance
to balance between the 2. (that method ensures the EAP goes to one remote
server)
realm DEFAULT {
pool = EDUROAM-FTLR
nostrip
}
hmmmm, this isnt best practice if thats all you have for throwing stuff
upstream. woulf
strongly recommend using unlang to validate that the user has valid realm etc
and then
update the request to use a realm identifier (eg eduroam) and use that in
proxy.conf instead -
thus you are only sending valid users upstream (and not all the random typos
and junk)
as the upstream servers will like you more for that - and wont be dropping
requests and messing
you up.
To expand on Alan's statement a bit here - it's possible that users are
associating with your eduroam SSID and sending all kinds of nonsense (I
think the best I've seen is:
<space>user@domain<newline><space>user@domain</newline><repeat 3 times>
...and that the upstream RADIUS servers are not replying, which is
causing you to get these dropouts.
You probably want something like this:
authorize {
if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) {
# user has a valid-looking realm
update request {
Stripped-User-Name := "%{1}"
Realm = "%{toupper:%{2}}"
}
}
else {
# malformed NAI
update reply {
Reply-Message := "malformed username"
}
reject
}
if (Realm == MY.REALM) {
...
}
else {
update control {
Proxy-To-Realm := DEFAULT
}
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html