[RADIATOR] loop avoidance with Handler and Client Identifier
Hugh Irvine
hugh at open.com.au
Fri Apr 9 19:02:22 CDT 2010
Hello Alan, Hello Heikki -
I neglected to add one important detail.
See below:
.....
# my realm is "this.is.my.realm"
.....
<Client 1.1.1.1>
Identifier MyClientGroup1
DefaultRealm this.is.my.realm
.....
</Client>
<Client 2.2.2.2>
Identifier MyClientGroup1
DefaultRealm this.is.my.realm
.....
</Client>
.....
<Client 5.5.5.5>
Identifier MyClientGroup2
DefaultRealm this.is.my.realm
.....
</Client>
<Client 7.7.7.7>
Identifier MyClientGroup2
DefaultRealm this.is.my.realm
.....
</Client>
.....
regards
Hugh
On 10 Apr 2010, at 08:20, Hugh Irvine wrote:
>
> Hello Alan -
>
> I always use Client-Identifier's as Heikki describes.
>
> Something like this:
>
> .....
>
> # my realm is "this.is.my.realm"
>
> .....
>
> <Client 1.1.1.1>
> Identifier MyClientGroup1
> .....
> </Client>
>
> <Client 2.2.2.2>
> Identifier MyClientGroup1
> .....
> </Client>
>
> .....
>
> <Client 5.5.5.5>
> Identifier MyClientGroup2
> .....
> </Client>
>
> <Client 7.7.7.7>
> Identifier MyClientGroup2
> .....
> </Client>
>
> .....
>
> <Client a.a.a.a>
> Identifier MyExternalProxy
> .....
> </Client>
>
> .....
>
> <Handler Realm = this.is.my.realm, Client-Identifier = MyClientGroup1>
> .....
> </Handler>
>
> <Handler Realm = this.is.my.realm, Client-Identifier = MyClientGroup2>
> .....
> </Handler>
>
> <Handler Realm = this.is.my.realm, Client-Identifier = MyExternalProxy>
> .....
> </Handler>
>
> # reject anything else for "this.is.my.realm"
>
> <Handler Realm = this.is.my.realm>
> <AuthBy INTERNAL>
> AuthResult REJECT
> AcctResult ACCEPT
> </AuthBy>
> </Handler>
>
> # deal with external realms
>
> <Handler>
> <AuthBy RADIUS>
> .....
> </AuthBy>
> </Handler>
>
>
> hope that helps
>
> regards
>
> Hugh
>
>
> On 10 Apr 2010, at 01:42, Heikki Vatiainen wrote:
>
>> On 04/09/2010 05:57 PM, Alan Buxey wrote:
>>
>>> I recall , in the past, seeing a resource either in email or on the web
>>> that used a method of NAS-Identifier to stop a Handler sending authentications
>>> back to a realm from whence they came - ie avoid authentication loops.
>>
>> I think this might be it:
>>
>> <Handler NAS-Identifier=/^(?!nasid)/>
>>
>> Also Client-Identifier can be used here instead of NAS-Identifier. That
>> is use something like:
>> <Client>
>> Identifier clientid
>> </Client>
>>
>> And then use Client-Identifier=/^(?!clientid)/ with the Handler.
>>
>>> can anyone prod my memory or even override that resource with their best practice?
>>
>> See Radiator's ref-4.6.pdf Section 13.1.36 and search ?! for an example.
>> Also eduroam cookbook has an example, you can find it below. Search for
>> ?! or see section 3.1.1.4
>>
>> http://www.eduroam.org/index.php?p=europe&s=docs
>>
>> --
>> Heikki Vatiainen, Arch Red Oy
>> +358 44 087 6547
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
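The Handler selection the thread describes, modelled in Python as an added example (this is not Radiator code and is not from any of the posts above). The Client table and the Handler order follow Hugh's configuration; the catch-all Handler additionally carries Heikki's Client-Identifier=/^(?!...)/ negative lookahead, so combining the two posts that way is an assumption of this example, as are the extra 3.3.3.3 / MyClientGroup3 client and the sample User-Names. Radiator's first-match Handler ordering, its "a check value written /.../ is a regex, anything else is an exact match" rule, DefaultRealm, and the dropping of requests from unconfigured sources are modelled as this writer understands them, not copied from the product.

```python
"""Model of Radiator's first-match Handler dispatch for the loop-avoidance
pattern in the thread.  Added illustration, not Radiator code."""
import re
from dataclasses import dataclass
from typing import Optional

LOCAL_REALM = "this.is.my.realm"


@dataclass
class Client:
    """One <Client> clause: its Identifier and optional DefaultRealm."""
    identifier: str
    default_realm: Optional[str] = None


# Constructed client table.  The first five entries mirror the thread's
# <Client> clauses; 3.3.3.3 (MyClientGroup3) is an assumption added so that
# the "reject anything else for my realm" Handler has something to catch.
CLIENTS = {
    "1.1.1.1": Client("MyClientGroup1", LOCAL_REALM),
    "2.2.2.2": Client("MyClientGroup1", LOCAL_REALM),
    "5.5.5.5": Client("MyClientGroup2", LOCAL_REALM),
    "7.7.7.7": Client("MyClientGroup2", LOCAL_REALM),
    "a.a.a.a": Client("MyExternalProxy"),            # no DefaultRealm on the proxy
    "3.3.3.3": Client("MyClientGroup3", LOCAL_REALM),
}


def check_item(value: str, pattern: str) -> bool:
    """Check-item semantics as modelled here: a value written /.../ is a
    regex (searched like Perl's =~), anything else must match exactly."""
    if len(pattern) >= 2 and pattern[0] == "/" and pattern[-1] == "/":
        return re.search(pattern[1:-1], value) is not None
    return value == pattern


@dataclass
class Handler:
    """One <Handler ...> clause: its check items and what it would do."""
    result: str
    realm: Optional[str] = None        # Realm = ...              (None: not checked)
    client_id: Optional[str] = None    # Client-Identifier = ...  (None: not checked)

    def matches(self, realm: str, client_id: str) -> bool:
        if self.realm is not None and not check_item(realm, self.realm):
            return False
        if self.client_id is not None and not check_item(client_id, self.client_id):
            return False
        return True


# Handlers in configuration order; the first one that matches wins.
HANDLERS = [
    # <Handler Realm = this.is.my.realm, Client-Identifier = MyClientGroup1>
    Handler("auth-group1", LOCAL_REALM, "MyClientGroup1"),
    # <Handler Realm = this.is.my.realm, Client-Identifier = MyClientGroup2>
    Handler("auth-group2", LOCAL_REALM, "MyClientGroup2"),
    # <Handler Realm = this.is.my.realm, Client-Identifier = MyExternalProxy>
    Handler("auth-from-proxy", LOCAL_REALM, "MyExternalProxy"),
    # <Handler Realm = this.is.my.realm>  -> AuthBy INTERNAL, AuthResult REJECT
    Handler("reject-local", LOCAL_REALM),
    # <Handler Client-Identifier = /^(?!MyExternalProxy)/>  -> AuthBy RADIUS
    # Heikki's negative lookahead on the catch-all: forward foreign realms,
    # but never forward a request that the external proxy itself sent us.
    Handler("proxy-out", None, "/^(?!MyExternalProxy)/"),
    # <Handler>  -> what is left is a foreign-realm request from the proxy
    Handler("reject-loop"),
]


def dispatch(src_ip: str, user_name: str) -> str:
    """Return the result of the Handler selected for a request from src_ip
    carrying User-Name user_name."""
    client = CLIENTS.get(src_ip)
    if client is None:
        # Requests from addresses with no <Client> clause are ignored.
        return "dropped-unknown-client"
    _, at, realm = user_name.rpartition("@")
    if not at:
        # No realm in User-Name: the Client's DefaultRealm applies, if any.
        realm = client.default_realm or ""
    for handler in HANDLERS:
        if handler.matches(realm, client.identifier):
            return handler.result
    return "no-handler"


if __name__ == "__main__":
    # Constructed sample requests (source address, User-Name).
    for src, user in [("1.1.1.1", "alice"),
                      ("7.7.7.7", "bob@this.is.my.realm"),
                      ("a.a.a.a", "carol@this.is.my.realm"),
                      ("3.3.3.3", "dave"),
                      ("1.1.1.1", "erin@other.example.org"),
                      ("a.a.a.a", "frank@other.example.org"),
                      ("a.a.a.a", "gina"),
                      ("9.9.9.9", "hank@this.is.my.realm")]:
        print(f"{src:8} {user:26} -> {dispatch(src, user)}")
```

Running it shows each request's fate. The two requests from a.a.a.a whose realm is not ours (including the one with no realm at all, since the proxy's Client has no DefaultRealm) land on the final reject Handler instead of being forwarded back to the proxy they arrived from; that is the loop the negative lookahead on the catch-all Handler closes, while requests from the local client groups for foreign realms still go out.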