Re: Rejecting realms based on calling client

2013-08-15 Thread David Aldwinckle
Hi Alan,

Thanks for your response.

Initially FreeRadius would not start and I did get an error indicating
that the remote_secret_reject module failed to load. There was no reason
given even with -XXX. I found since then that I was missing a brace.

Now I can get FreeRadius to start. I still seem to be missing something
though, since my policy does not work. Here it is:

remote_secret_reject {
  if ((Realm == secret.campus.ca) && ((Client-Shortname == proxy1.net) || (Client-Shortname == proxy2.net))) {
    reject
  }
}


In sites-enabled/default:

authorize {
    ...
    remote_secret_reject
    ...
}


Here is the log:

Aug 15 09:02:33 radius1 radiusd[3408]: Login OK: [confs13-...@secret.campus.ca] (from client proxy1.net port 44721 cli 11-22-33-44-55-66 via TLS tunnel)
Aug 15 09:02:34 radius1 radiusd[3408]: Login OK: [confs13-...@secret.campus.ca] (from client proxy1.net port 44721 cli 11-22-33-44-55-66)


I have a feeling that the solution is painfully obvious but I'm just not
seeing it.


Thanks,

Dave Aldwinckle



On 2013-08-13 11:22 AM, Alan DeKok al...@deployingradius.com wrote:

> David Aldwinckle wrote:
> > Is there a way that I can deny a specific realm when an access request
> > is received from a specific client?
>
>   Yes.
>
> > I tried adding something to policy.conf but I couldn't get the syntax
> > right:
>
>   So... what happened?  Did you get an error?  Is it a secret?
>
> > #Prevent secretrealm from logging in off-campus
> > remote_secret_reject
> > if (%{Realm} == secretrealm.ca) && ((Client-Shortname ==
> > proxy-client1) || (Client-Shortname == proxy-client2))) {
> > reject
> >  }
> >
> > Is there a different way that I should be doing this?
>
>   You can do it via a policy.  But you have to get the syntax right.
> See man unlang for documentation on the syntax.  See the policy.conf
> file for examples of working policies.
>
>   Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

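A working form of the policy, added here as an illustration; it is neither the poster's configuration nor code from the FreeRADIUS project. It assumes the FreeRADIUS 2.x layout (named policies inside the policy { } section of policy.conf) and reuses the realm and client short names from the posts (secret.campus.ca, proxy1.net, proxy2.net) purely as placeholders:

```unlang
# ---- raddb/policy.conf (FreeRADIUS 2.x) ----
# Named policies are only recognised when they sit inside the policy { } section.
policy {
    # Reject any user of secret.campus.ca whose request arrived through one of
    # the two off-campus proxies.  The realm and client short names are
    # placeholders taken from the thread; substitute your own.
    remote_secret_reject {
        if ((Realm == "secret.campus.ca") && ((Client-Shortname == "proxy1.net") || (Client-Shortname == "proxy2.net"))) {
            reject
        }
    }
}

# ---- raddb/sites-enabled/default ----
authorize {
    preprocess
    # The realm module instance "suffix" is what sets the Realm attribute from
    # userid@realm, and only for realms it knows about (proxy.conf).  The policy
    # must therefore be listed AFTER suffix, or Realm is still unset when it runs.
    suffix
    remote_secret_reject
    # ... rest of the section unchanged (eap, files, ...)
}
```

Run radiusd -X and read the lines where the condition is evaluated: if Realm was never set, because the realm is not defined in proxy.conf or because the policy runs before suffix, the condition is false and the request falls through to Login OK. A match on the bare User-Name (for example User-Name =~ /@secret\.campus\.ca$/i) does not depend on the realm module at all. The log lines above also show the authentication arriving via a TLS tunnel, so check in the debug output whether the inner request handled by sites-enabled/inner-tunnel is the one that needs to be rejected and whether Client-Shortname carries the expected value there.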


Re: Rejecting realms based on calling client

2013-08-15 Thread David Aldwinckle
Sigh. I broke the cardinal rule of the list _again_.

I'll grab a full debug log now.

Sorry for the spam.

Dave Aldwinckle


On 2013-08-13 11:22 AM, Alan DeKok al...@deployingradius.com wrote:

> David Aldwinckle wrote:
> > Is there a way that I can deny a specific realm when an access request
> > is received from a specific client?
>
>   Yes.
>
> > I tried adding something to policy.conf but I couldn't get the syntax
> > right:
>
>   So... what happened?  Did you get an error?  Is it a secret?
>
> > #Prevent secretrealm from logging in off-campus
> > remote_secret_reject
> > if (%{Realm} == secretrealm.ca) && ((Client-Shortname ==
> > proxy-client1) || (Client-Shortname == proxy-client2))) {
> > reject
> >  }
> >
> > Is there a different way that I should be doing this?
>
>   You can do it via a policy.  But you have to get the syntax right.
> See man unlang for documentation on the syntax.  See the policy.conf
> file for examples of working policies.
>
>   Alan DeKok.



Re: Rejecting realms based on calling client

2013-08-15 Thread Alan DeKok
David Aldwinckle wrote:
> Initially FreeRadius would not start and I did get an error indicating
> that the remote_secret_reject module failed to load. There was no reason
> given even with -XXX. I found since then that I was missing a brace.
>
> Now I can get FreeRadius to start. I still seem to be missing something
> though, since my policy does not work.

  See the FAQ for "it doesn't work".

  Post useful messages, or you will be ignored.

  Alan DeKok.


Re: Rejecting realms based on calling client

2013-08-15 Thread A . L . M . Buxey
Hi,

> Initially FreeRadius would not start and I did get an error indicating
> that the remote_secret_reject module failed to load. There was no reason
> given even with -XXX. I found since then that I was missing a brace.
>
> Now I can get FreeRadius to start. I still seem to be missing something
> though, since my policy does not work. Here it is:
>
> remote_secret_reject {
>   if ((Realm == secret.campus.ca) && ((Client-Shortname == proxy1.net)
> || (Client-Shortname == proxy2.net))) {
>   reject
>   }
> }

radiusd -X

It will show the logic, the variables and the result. You can then see why
things aren't working.

alan


Rejecting realms based on calling client

2013-08-13 Thread David Aldwinckle
Hello,

I have two clients that proxy access requests to me. The realm varies, but the
format is always userid@realm.whatever

Is there a way that I can deny a specific realm when an access request is 
received from a specific client?

I tried adding something to policy.conf but I couldn't get the syntax right:

#Prevent secretrealm from logging in off-campus
remote_secret_reject
if (%{Realm} == secretrealm.ca) && ((Client-Shortname == proxy-client1) || (Client-Shortname == proxy-client2))) {
reject
 }

Is there a different way that I should be doing this?

Thanks,
Dave

Dave Aldwinckle
Network Support Specialist
Information Systems and Technology
Phone: (519)-888-4567 ext. 31145
E-Mail: daldw...@uwaterloo.ca


Re: Rejecting realms based on calling client

2013-08-13 Thread Alan DeKok
David Aldwinckle wrote:
> Is there a way that I can deny a specific realm when an access request
> is received from a specific client?

  Yes.

> I tried adding something to policy.conf but I couldn't get the syntax right:

  So... what happened?  Did you get an error?  Is it a secret?

> #Prevent secretrealm from logging in off-campus
> remote_secret_reject
> if (%{Realm} == secretrealm.ca) && ((Client-Shortname ==
> proxy-client1) || (Client-Shortname == proxy-client2))) {
> reject
>  }
>
> Is there a different way that I should be doing this?

  You can do it via a policy.  But you have to get the syntax right.
See man unlang for documentation on the syntax.  See the policy.conf
file for examples of working policies.

  Alan DeKok.