[RADIATOR] loop avoidance with Handler and Client Identifier
Hugh Irvine
hugh at open.com.au
Fri Apr 9 17:20:17 CDT 2010
Hello Alan -
I always use Client-Identifier's as Heikki describes.
Something like this:
.....
# my realm is "this.is.my.realm"
.....
<Client 1.1.1.1>
Identifier MyClientGroup1
.....
</Client>
<Client 2.2.2.2>
Identifier MyClientGroup1
.....
</Client>
.....
<Client 5.5.5.5>
Identifier MyClientGroup2
.....
</Client>
<Client 7.7.7.7>
Identifier MyClientGroup2
.....
</Client>
.....
<Client a.a.a.a>
Identifier MyExternalProxy
.....
</Client>
.....
<Handler Realm = this.is.my.realm, Client-Identifier = MyClientGroup1>
.....
</Handler>
<Handler Realm = this.is.my.realm, Client-Identifier = MyClientGroup2>
.....
</Handler>
<Handler Realm = this.is.my.realm, Client-Identifier = MyExternalProxy>
.....
</Handler>
# reject anything else for "this.is.my.realm"
<Handler Realm = this.is.my.realm>
<AuthBy INTERNAL>
AuthResult REJECT
AcctResult ACCEPT
</AuthBy>
</Handler>
# deal with external realms
<Handler>
<AuthBy RADIUS>
.....
</AuthBy>
</Handler>
hope that helps
regards
Hugh
On 10 Apr 2010, at 01:42, Heikki Vatiainen wrote:
> On 04/09/2010 05:57 PM, Alan Buxey wrote:
>
>> I recall , in the past, seeing a resource either in email or on the web
>> that used a method of NAS-Identifier to stop a Handler sending authentications
>> back to a realm from whence they ame - ie avoid authentication loops.
>
> I think this might be it:
>
> <Handler NAS-Identifier=/^(?!nasid)/>
>
> Also Client-Identifier can be used here instead of NAS-Identifier. That
> is use something like:
> <Client>
> Identifier clientid
> </Client>
>
> And the use Client-Identifier=/^(?!clientid)/ with the Handler.
>
>> can anyone prod my memory or even verride that resource with their best practice?
>
> See Radiator's ref-4.6.pdf Section 13.1.36 and search ?! for an example.
> Also eduroam cookbook has an example, you can find it below. Search for
> ?! or see section 3.1.1.4
>
> http://www.eduroam.org/index.php?p=europe&s=docs
>
> --
> Heikki Vatiainen, Arch Red Oy
> +358 44 087 6547
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
More information about the radiator
mailing list