[RADIATOR] Enhancement for AuthDNSROAM/EduRoam and goodies suggestion
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Thu Mar 29 12:04:13 CDT 2012
Hi Mike, all,
A patch and a suggestion for goodies below.
A lot of people seem to use Radiator with EduRoam and after two
debugging sessions, the first to find the cause why it's not working
for a user and the 2nd to apply the below patch, things are significantly
starting to improve for a couple of users whose IdPs send out weird
attributes incl. VLAN assignments etc.
Not sure if we should pass down all section 5.7.18 ref.pdf options
down from the AuthDNSROAM patch below, but these two seem essential
as having them in and not working might lead to unexpected results.
My somewhat excessive attribute filter list for Eduroam currently is
AllowInReply User-Name, \
Class, \
Framed-Protocol, \
Service-Type, \
EAP-Message, \
Message-Authenticator, \
MS-MPPE-Send-Key, \
MS-MPPE-Recv-Key, \
MS-CHAP-Domain, \
MS-CHAP2-Success, \
Proxy-State
with Framed-Protocol at least being excessive (it should probably be
static) and Service-Type probably needing to be restricted.
I wonder if others have a comment on that list; I have been told
another (open source) RADIUS software comes with a pre-defined
list but have not checked, so I think putting that into goodies,
if not there yet, for AuthDNSRoam/Eduroam samples would be an
excellent idea :)
Special thanks go to Stefan Winter and Ronald van der Pol for
the debugging sessions to figure out the VLAN problem while here
at IETF83.
Apart from that, Radiator seems to do great wrt DNSRoam and
I am looking forward to the draft being updated and the latest
things that have been officially assigned being sorted. Great!
Thanks a lot for that!
Thanks,
/bz
--- AuthDNSROAM.pm.orig 2011-09-29 21:51:05.000000000 +0000
+++ AuthDNSROAM.pm 2012-03-29 16:16:09.000000000 +0000
@@ -285,6 +285,7 @@ sub addRoute
(qw(Address Transport Protocol Port UseTLS SRVName
StripFromRequest AddToRequest ReplyHook ReplyHook.compiled NoReplyHook NoReplyHook.compiled
+ StripFromReply AllowInReply
NoForwardAuthentication NoForwardAccounting AllowInRequest
NoreplyTimeout IgnoreReject
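Review bot: this keyword list in addRoute has to agree with the two copies in handle_request, and a parameter present in one list but missing from the others is silently dropped on the DNSROAM path, which is the class of omission this patch corrects for StripFromReply and AllowInReply; a one-line comment next to the qw() (e.g. `# keep in sync with the two lists in handle_request`) would make the next added parameter less likely to be lost the same way.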
@@ -390,6 +391,7 @@ sub handle_request
(map {defined $self->{$_} ? ($_ => $self->{$_}) : ()}
(qw(Port Secret
StripFromRequest AddToRequest ReplyHook ReplyHook.compiled NoReplyHook NoReplyHook.compiled
+ StripFromReply AllowInReply
NoForwardAuthentication NoForwardAccounting AllowInRequest
NoreplyTimeout IgnoreReject
IgnoreAccountingResponse MaxBufferSize
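Review bot: the `defined $self->{$_}` guard on this map means AllowInReply and StripFromReply only reach the proxy when they are set on the DNSROAM clause itself, so a clause without them still forwards every reply attribute from the remote IdP unfiltered; that is probably the intended opt-in behaviour, but it should be stated in the parameter documentation (the cover mail points at section 5.7.18 of the reference manual), together with the note that the two new names are now honoured by AuthBy DNSROAM.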
@@ -414,6 +416,7 @@ sub handle_request
# Copy parameters from $self:
(map {defined $self->{$_} ? ($_ => $self->{$_}) : ()}
(qw(StripFromRequest AddToRequest ReplyHook ReplyHook.compiled NoReplyHook NoReplyHook.compiled
+ StripFromReply AllowInReply
NoForwardAuthentication NoForwardAccounting AllowInRequest
AuthPort AcctPort Secret Retries RetryTimeout UseOldAscendPasswords
ServerHasBrokenPortNumbers ServerHasBrokenAddresses IgnoreReplySignature
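Review bot: this is the per-host copy of the list (the one carrying AuthPort, AcctPort, Secret and the retry parameters), and it is the third place the same names are duplicated; beyond keeping the three lists in sync, the fix deserves a regression test that configures AllowInReply on a DNSROAM clause and asserts that a reply carrying a VLAN assignment (the Tunnel-* attributes the cover mail describes) no longer reaches the NAS, since nothing in the hunk itself exercises the new parameters.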
--
Bjoern A. Zeeb You have to have visions!
Stop bit received. Insert coin for new address family.
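An added example, not code from the mail above or from Radiator: a small Python model of the AllowInReply / StripFromReply semantics that the patch copies down to the proxied AuthBy RADIUS, run over a constructed Access-Accept that carries the RFC 2868 Tunnel-* VLAN attributes. The function and variable names are my own choices and not Radiator APIs; the allow list is the one quoted in the mail.

```python
# Model of Radiator's AllowInReply / StripFromReply reply filtering
# (added example; names are hypothetical, not Radiator's own code).

# The allow list posted in the mail, as a set of attribute names.
EDUROAM_ALLOW_IN_REPLY = {
    "User-Name", "Class", "Framed-Protocol", "Service-Type", "EAP-Message",
    "Message-Authenticator", "MS-MPPE-Send-Key", "MS-MPPE-Recv-Key",
    "MS-CHAP-Domain", "MS-CHAP2-Success", "Proxy-State",
}

def filter_reply(attrs, allow_in_reply=None, strip_from_reply=()):
    """Return the (name, value) reply AVPs that survive both filters.

    allow_in_reply: if None, no allow-list filtering happens, which is
    what a DNSROAM route got before the patch when the parameter was
    never copied down; otherwise only listed names are kept.
    strip_from_reply: names removed unconditionally.
    """
    strip = set(strip_from_reply)
    kept = []
    for name, value in attrs:
        if name in strip:
            continue
        if allow_in_reply is not None and name not in allow_in_reply:
            continue
        kept.append((name, value))
    return kept

# Constructed sample Access-Accept from a remote IdP that also sends a
# VLAN assignment meant for its own campus network.
SAMPLE_REPLY = [
    ("User-Name", "someone@example.org"),
    ("EAP-Message", "<EAP-Success>"),
    ("Message-Authenticator", "<hmac>"),
    ("MS-MPPE-Send-Key", "<keying material>"),
    ("MS-MPPE-Recv-Key", "<keying material>"),
    ("Tunnel-Type", "VLAN"),
    ("Tunnel-Medium-Type", "IEEE-802"),
    ("Tunnel-Private-Group-ID", "42"),
    ("Proxy-State", "0x1234"),
]

def names(attrs):
    """Attribute names in order, for comparing filter results."""
    return [name for name, _ in attrs]

if __name__ == "__main__":
    print("unfiltered:", names(filter_reply(SAMPLE_REPLY)))
    print("eduroam   :", names(filter_reply(SAMPLE_REPLY, EDUROAM_ALLOW_IN_REPLY)))
```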