There are several types of filtering that can be done.

• Syntax
• Known bad realms
• Typos

This is the easiest and captures the most problematic Username string. Simple typos such as @@, .. or illegal characters such as commas or underscores.

Use a regex to match a good realm.

• In the Service which proxies unknown requests to the NRPS
• Enter 'RADIUS:IETF' for the Type
• User-Name for the Name
• MATCHES_REGEX for the Operator
• (?i)^[^@]*@([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$ for the Value

We keep a list of known bad realms in the Govroam FAQ.

• In the Service which proxies unknown requests to the NRPS
• Select Matches ALL of the Following Conditions
• Add lines for each Realm where
  • Type is 'RADIUS:IETF'
  • Name is 'User-Name'
  • Operator is 'CONTAINS'
  • Value is the realm e.g. '@hotmail.com'.

These are harder to do as they require spotting and adding each in turn. You can use your logs to see which realms are being sent up to the NRPS and then decide which are typos for the realm(s) you look after locally. This is also a good way to help users who are having problems.

• In the Service which proxies unknown requests to the NRPS
• Select Matches ALL of the Following Conditions
• Add lines for each Realm where
  • Type is 'RADIUS:IETF'
  • Name is 'User-Name'
  • Operator is 'CONTAINS'
  • Value is the realm e.g. '@halby.nit'.

There's a particular case where this is handy. If a RADIUS server is being used for both eduroam and govroam traffic then the rule logic becomes a bit harder.

Stepping back a bit: if a RADIUS server that just handles eduroam then the rules are easy:

1. If realm matches our own, authenticate locally.
2. Proxy all other valid realms to Jisc.
3. Reject the rest.

When you add govroam then you need to keep the traffic separate so that eduroam traffic goes to the Jisc eduroam NRPS and the govroam traffic goes to the Jisc govroam NRPS/Federation Operator. The way to do this is to match the SSID portion of the CSI for 'eduroam' or 'govroam' and include this in the rules. Thus, for the case of a University adding govroam:

1. If realm matches our own and SSID is 'eduroam' then authenticate locally.
2. If realm is valid and SSID is 'eduroam' then proxy to Jisc eduroam NRPS.
3. If realm is valid and SSID is 'govroam' then proxy to Jisc govroam NRPS/Federation ORPS.
4. Reject the rest.

However, here you can see a case that's inappropriate: if the realm is their own and the SSID is 'govroam' then the traffic is proxied to the Jisc govroam NRPS. So, for a site 'camford.ac.uk', users such as 'fred@camford.ac.uk' who use the govroam SSID by mistake have their traffic sent to the Jisc govroam NRPS. It's risky (and specifically banned in the Tech Spec) if sites are sending their own user traffic to Jisc. We're not likely to try to send it back because such sites are Visited Only for govroam but stopping it would eliminate any risks. It would also help sites to spot patterns of behaviour with their users.

If the RADIUS server is capable of doing explicit rejects then a rule can be added that says:

• If the SSID is 'govroam' and the realm is ours then Reject

otherwise the third rule becomes:

• If realm is valid, is not our own and the SSID is 'govroam' then proxy to Jisc govroam NPRS.

which means that, in the above case, inappropriate auths are now rejected by default.