[RADIATOR] loop avoidance with Handler and Client Identifier
Hugh Irvine
hugh at open.com.au
Fri Apr 9 19:36:32 CDT 2010
Hello Alan, Hello Heikki -
And of course the point of the whole exercise (reminder to self - coffee _before_ email...):
.....
# my realm is "this.is.my.realm"
.....
<Client 1.1.1.1>
	Identifier MyClientGroup1
	DefaultRealm this.is.my.realm
	.....
</Client>

<Client 2.2.2.2>
	Identifier MyClientGroup1
	DefaultRealm this.is.my.realm
	.....
</Client>

.....

<Client 5.5.5.5>
	Identifier MyClientGroup2
	DefaultRealm this.is.my.realm
	.....
</Client>

<Client 7.7.7.7>
	Identifier MyClientGroup2
	DefaultRealm this.is.my.realm
	.....
</Client>

.....

# no DefaultRealm here: a realm-less User-Name from the proxy stays realm-less
<Client a.a.a.a>
	Identifier MyExternalProxy
	.....
</Client>

.....

# Handlers are tried in configuration order; the first match wins

<Handler Realm = this.is.my.realm, Client-Identifier = MyExternalProxy>
	.....
</Handler>

# reject anything else from MyExternalProxy
# (this must sit before the catch-all <Handler> at the end, otherwise a
# foreign realm arriving from the proxy would be sent straight back to it)
<Handler Client-Identifier = MyExternalProxy>
	<AuthBy INTERNAL>
		AuthResult REJECT
		AcctResult ACCEPT
	</AuthBy>
</Handler>

<Handler Realm = this.is.my.realm, Client-Identifier = MyClientGroup1>
	.....
</Handler>

<Handler Realm = this.is.my.realm, Client-Identifier = MyClientGroup2>
	.....
</Handler>

# reject anything else for "this.is.my.realm"
<Handler Realm = this.is.my.realm>
	<AuthBy INTERNAL>
		AuthResult REJECT
		AcctResult ACCEPT
	</AuthBy>
</Handler>

# deal with external realms
<Handler>
	<AuthBy RADIUS>
		.....
	</AuthBy>
</Handler>
regards
Hugh
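How the Handlers in the configuration above are selected, and why the second one is the loop guard, shown as an added example. This is Python written for this page to model the behaviour; it is not Radiator's code and not part of the original post. It assumes Radiator's documented semantics (Handlers tried in configuration order with the first match winning, a check item value written /.../ treated as a regex and anything else compared literally, a Client's DefaultRealm appended to a User-Name that carries no realm). The client addresses, Identifiers and realm are the thread's; the usernames, the foreign realm other.example, the PROXY/AUTH/REJECT action labels and the assumption that MyExternalProxy bounces a realm it does not own straight back to us are constructed for the simulation. It also runs Heikki's negative-lookahead form of the catch-all so the two approaches can be compared.

```python
import re
from dataclasses import dataclass, field

# Constructed model of Radiator Handler selection; see the lead-in for the
# assumed semantics. Addresses, Identifiers and the realm are from the thread.
CLIENTS = {  # address -> (Identifier, DefaultRealm)
    "1.1.1.1": ("MyClientGroup1", "this.is.my.realm"),
    "2.2.2.2": ("MyClientGroup1", "this.is.my.realm"),
    "5.5.5.5": ("MyClientGroup2", "this.is.my.realm"),
    "7.7.7.7": ("MyClientGroup2", "this.is.my.realm"),
    "a.a.a.a": ("MyExternalProxy", None),
}


def parse_handler_header(header):
    """'<Handler Realm = x, Client-Identifier = /re/>' -> [(attr, predicate)].
    A bare '<Handler>' yields no check items and therefore matches everything.
    (Commas inside a regex are not handled; none appear in the thread.)"""
    m = re.fullmatch(r"<Handler\s*(.*?)\s*>", header.strip())
    if m is None:
        raise ValueError(f"not a Handler header: {header!r}")
    checks = []
    for item in filter(None, (s.strip() for s in m.group(1).split(","))):
        name, _, value = (p.strip() for p in item.partition("="))
        if len(value) > 1 and value[0] == value[-1] == "/":
            rx = re.compile(value[1:-1])
            checks.append((name, lambda v, rx=rx: rx.search(v) is not None))
        else:
            checks.append((name, lambda v, lit=value: v == lit))
    return checks


@dataclass
class Handler:
    header: str
    action: str  # constructed labels: "AUTH", "REJECT" or "PROXY:<Identifier>"
    checks: list = field(init=False, repr=False)

    def __post_init__(self):
        self.checks = parse_handler_header(self.header)


def request_attrs(client_addr, user_name):
    """What the check items see for a request arriving from client_addr."""
    ident, default_realm = CLIENTS[client_addr]
    if "@" not in user_name and default_realm:
        user_name += "@" + default_realm
    return {"Client-Identifier": ident, "Realm": user_name.partition("@")[2]}


def select_handler(handlers, attrs):
    for h in handlers:  # configuration order, first match wins
        if all(pred(attrs.get(name, "")) for name, pred in h.checks):
            return h
    return None


def dispatch(handlers, client_addr, user_name, max_hops=4):
    """Follow one request through the Handlers and return the path it took.
    ASSUMPTION for the loop model: MyExternalProxy does not own the realm
    either and forwards the request straight back, so a proxied request
    re-enters from a.a.a.a."""
    trace, addr = [], client_addr
    for _ in range(max_hops):
        h = select_handler(handlers, request_attrs(addr, user_name))
        if h is None:
            trace.append("IGNORED (no Handler matched)")
            return trace
        trace.append(h.header)
        if not h.action.startswith("PROXY:"):
            trace.append(h.action)
            return trace
        target = h.action[len("PROXY:"):]
        addr = next(a for a, (ident, _) in CLIENTS.items() if ident == target)
    trace.append("LOOP")
    return trace


MINE = "this.is.my.realm"
# Hugh's final configuration (the top message of this thread), in order.
WITH_GUARD = [
    Handler(f"<Handler Realm = {MINE}, Client-Identifier = MyExternalProxy>", "AUTH"),
    Handler("<Handler Client-Identifier = MyExternalProxy>", "REJECT"),  # the guard
    Handler(f"<Handler Realm = {MINE}, Client-Identifier = MyClientGroup1>", "AUTH"),
    Handler(f"<Handler Realm = {MINE}, Client-Identifier = MyClientGroup2>", "AUTH"),
    Handler(f"<Handler Realm = {MINE}>", "REJECT"),
    Handler("<Handler>", "PROXY:MyExternalProxy"),
]
# The same list without the guard: a foreign realm arriving from the proxy
# falls through to the catch-all and is sent straight back to the proxy.
WITHOUT_GUARD = [h for h in WITH_GUARD if "Realm" in h.header or h.header == "<Handler>"]
# Heikki's alternative: keep the proxy out of the catch-all with a lookahead.
LOOKAHEAD = WITH_GUARD[:1] + WITH_GUARD[2:5] + [
    Handler("<Handler Client-Identifier = /^(?!MyExternalProxy)/>", "PROXY:MyExternalProxy"),
]

if __name__ == "__main__":
    for name, handlers in (("with guard", WITH_GUARD), ("without guard", WITHOUT_GUARD),
                           ("lookahead", LOOKAHEAD)):
        print(name, "->", " | ".join(dispatch(handlers, "a.a.a.a", "bob@other.example")))
```

Run with the guard in place, a request for other.example coming from a.a.a.a stops at the guard Handler with REJECT, and a request for the same realm from one of your own clients (5.5.5.5) is proxied once and then rejected when it bounces back; without the guard the same request cycles through the catch-all until the hop limit. The negative-lookahead variant leaves the proxy's foreign-realm request with no matching Handler at all, so it is ignored rather than rejected, which is the practical difference between the two forms.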
On 10 Apr 2010, at 10:02, Hugh Irvine wrote:
>
> Hello Alan, Hello Heikki -
>
> I neglected to add one important detail.
>
> See below:
>
> .....
>
> # my realm is "this.is.my.realm"
>
> .....
>
> <Client 1.1.1.1>
> Identifier MyClientGroup1
> DefaultRealm this.is.my.realm
> .....
> </Client>
>
> <Client 2.2.2.2>
> Identifier MyClientGroup1
> DefaultRealm this.is.my.realm
> .....
> </Client>
>
> .....
>
> <Client 5.5.5.5>
> Identifier MyClientGroup2
> DefaultRealm this.is.my.realm
> .....
> </Client>
>
> <Client 7.7.7.7>
> Identifier MyClientGroup2
> DefaultRealm this.is.my.realm
> .....
> </Client>
>
> .....
>
> regards
>
> Hugh
>
>
> On 10 Apr 2010, at 08:20, Hugh Irvine wrote:
>
>>
>> Hello Alan -
>>
>> I always use Client-Identifier's as Heikki describes.
>>
>> Something like this:
>>
>> .....
>>
>> # my realm is "this.is.my.realm"
>>
>> .....
>>
>> <Client 1.1.1.1>
>> Identifier MyClientGroup1
>> .....
>> </Client>
>>
>> <Client 2.2.2.2>
>> Identifier MyClientGroup1
>> .....
>> </Client>
>>
>> .....
>>
>> <Client 5.5.5.5>
>> Identifier MyClientGroup2
>> .....
>> </Client>
>>
>> <Client 7.7.7.7>
>> Identifier MyClientGroup2
>> .....
>> </Client>
>>
>> .....
>>
>> <Client a.a.a.a>
>> Identifier MyExternalProxy
>> .....
>> </Client>
>>
>> .....
>>
>> <Handler Realm = this.is.my.realm, Client-Identifier = MyClientGroup1>
>> .....
>> </Handler>
>>
>> <Handler Realm = this.is.my.realm, Client-Identifier = MyClientGroup2>
>> .....
>> </Handler>
>>
>> <Handler Realm = this.is.my.realm, Client-Identifier = MyExternalProxy>
>> .....
>> </Handler>
>>
>> # reject anything else for "this.is.my.realm"
>>
>> <Handler Realm = this.is.my.realm>
>> <AuthBy INTERNAL>
>> AuthResult REJECT
>> AcctResult ACCEPT
>> </AuthBy>
>> </Handler>
>>
>> # deal with external realms
>>
>> <Handler>
>> <AuthBy RADIUS>
>> .....
>> </AuthBy>
>> </Handler>
>>
>>
>> hope that helps
>>
>> regards
>>
>> Hugh
>>
>>
>> On 10 Apr 2010, at 01:42, Heikki Vatiainen wrote:
>>
>>> On 04/09/2010 05:57 PM, Alan Buxey wrote:
>>>
>>>> I recall , in the past, seeing a resource either in email or on the web
>>>> that used a method of NAS-Identifier to stop a Handler sending authentications
>>>> back to a realm from whence they came - ie avoid authentication loops.
>>>
>>> I think this might be it:
>>>
>>> <Handler NAS-Identifier=/^(?!nasid)/>
>>>
>>> Also Client-Identifier can be used here instead of NAS-Identifier. That
>>> is use something like:
>>> <Client>
>>> Identifier clientid
>>> </Client>
>>>
>>> And then use Client-Identifier=/^(?!clientid)/ with the Handler.
>>>
>>>> can anyone prod my memory or even override that resource with their best practice?
>>>
>>> See Radiator's ref-4.6.pdf Section 13.1.36 and search ?! for an example.
>>> Also eduroam cookbook has an example, you can find it below. Search for
>>> ?! or see section 3.1.1.4
>>>
>>> http://www.eduroam.org/index.php?p=europe&s=docs
>>>
>>> --
>>> Heikki Vatiainen, Arch Red Oy
>>> +358 44 087 6547
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> Includes support for reliable RADIUS transport (RadSec),
>> and DIAMETER translation agent.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
>>
>
>
>