On 12/06/2012 10:16 AM, Alan Buxey wrote:
Hi,

home_server_pool EDUROAM-FTLR {
         type                    = fail-over
         home_server             = proxy1
         home_server             = proxy2
}

I would use:

type = client-port-balance


to balance between the 2. (that method ensures the EAP goes to one remote 
server)

realm DEFAULT {
         pool = EDUROAM-FTLR
         nostrip
}

hmmmm, this isnt best practice if thats all you have for throwing stuff 
upstream. woulf
strongly recommend using unlang to validate that the user has valid realm etc 
and then
update the request to use a realm identifier (eg eduroam) and use that in 
proxy.conf instead -
thus you are only sending valid users upstream (and not all the random typos 
and junk)
as the upstream servers will like you more for that - and wont be dropping 
requests and messing
you up.


To expand on Alan's statement a bit here - it's possible that users are associating with your eduroam SSID and sending all kinds of nonsense (I think the best I've seen is:

<space>user@domain<newline><space>user@domain</newline><repeat 3 times>

...and that the upstream RADIUS servers are not replying, which is causing you to get these dropouts.

You probably want something like this:

authorize {
  if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) {
    # user has a valid-looking realm
    update request {
      Stripped-User-Name := "%{1}"
      Realm = "%{toupper:%{2}}"
    }
  }
  else {
    # malformed NAI
    update reply {
      Reply-Message := "malformed username"
    }
    reject
  }

  if (Realm == MY.REALM) {
   ...
  }
  else {
    update control {
      Proxy-To-Realm := DEFAULT
    }
  }

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to