Realm filtering for MS NPS
Unlike other RADIUS servers, NPS doesn't have an explicit REJECT option. With other RADIUS servers you could add specific matches to say 'If the realm is X then REJECT' to filter out unwanted realms. MS NPS needs the logic to be 'If the realm is valid and not a bad one then authenticate'.
Thus a regular expression (regex) is needed that matches valid realms only. Matching syntactically valid realms is relatively easy, but excluding specific realms is harder, so we use negative lookaheads, for example:
^(?!(?:.*\.)?hotmail\.com$)([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$
This should handle most of the cases listed here.
How to stop proxying your own realm when handling both eduroam and govroam on the same server
There's a particular case where this is handy. If an NPS server is being used for both eduroam and govroam traffic then the rule logic becomes a bit harder.
Stepping back a bit: for a RADIUS server that just handles eduroam, the rules are easy:
- If realm matches our own, authenticate locally.
- Proxy all other valid realms to Jisc.
- Reject the rest.
When you add govroam you need to keep the traffic separate, so that eduroam traffic goes to the Jisc eduroam NRPS and govroam traffic goes to the Jisc govroam NRPS. The way to do this is to match the SSID portion of the Called-Station-Id (CSI) for 'eduroam' or 'govroam' and include this in the rules. Thus, for the case of a University adding govroam:
- If realm matches our own and SSID is 'eduroam' then authenticate locally.
- If realm is valid and SSID is 'eduroam' then proxy to Jisc eduroam NRPS.
- If realm is valid and SSID is 'govroam' then proxy to Jisc govroam NRPS.
- Reject the rest.
However, here you can see a case that's inappropriate: if the realm is their own and the SSID is govroam then the traffic is proxied to the Jisc govroam NRPS. So, for a site 'camford.ac.uk', users such as 'fred@camford.ac.uk' who use the govroam SSID by mistake have their traffic sent to the Jisc govroam NRPS. It's risky (and specifically banned in the Tech Spec) for sites to send their own users' traffic to Jisc. We're not likely to try to send it back, because such sites are Visited Only for govroam, but stopping it would eliminate any risks. It would also help sites to spot patterns of behaviour with their users.
This is where the regex comes in. The third rule becomes:
- If realm is valid, is not our own and the SSID is 'govroam' then proxy to Jisc govroam NRPS.
which means that, in the above case, inappropriate auths are now rejected by default.
^(?!(?:.*\.)?ownrealm\.ac\.uk$)([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$
Replace 'ownrealm.ac.uk' with your own realm.
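To see the four rules and the lookahead behave on concrete inputs, here is an added example in Python; it is not code from the original page, from Jisc or from NPS. Python's re module uses the same negative-lookahead syntax as the .NET engine behind NPS, so the patterns transfer unchanged. The site name 'camford.ac.uk' is the page's; the user names, Called-Station-Id values, the decision labels returned by decide() and the case-insensitive comparison are constructed for the example. It also shows why the lookahead needs an optional (?:.*\.)? prefix: a lookahead of .*\.camford\.ac\.uk on its own requires a dot before the realm and so lets the bare realm 'camford.ac.uk' through.

```python
import re

# Constructed: the page's example site is used as the home realm.
OWN_REALM = "camford.ac.uk"

# Syntactically valid realm, as on the page: dot-separated labels plus a 2-6 letter TLD.
VALID_REALM = re.compile(r"^([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$")

# Own realm or any subrealm of it. The optional "(?:.*\.)?" prefix is what makes the
# bare realm match; "^.*\.camford\.ac\.uk$" alone would only match subrealms.
OWN_OR_SUBREALM = re.compile(r"^(?:.*\.)?" + re.escape(OWN_REALM) + r"$", re.IGNORECASE)

# "Valid and not our own" in one expression, the shape an NPS condition would carry.
VALID_NOT_OWN = re.compile(
    r"^(?!(?:.*\.)?" + re.escape(OWN_REALM) + r"$)([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$",
    re.IGNORECASE,
)

# The weaker form, kept only to show the gap: no optional prefix, so the lookahead
# needs a literal dot before the realm and cannot exclude "camford.ac.uk" itself.
NAIVE_NOT_OWN = re.compile(
    r"^(?!.*\." + re.escape(OWN_REALM) + r")([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$",
    re.IGNORECASE,
)


def naive_lookahead_passes(realm):
    """True if the weaker pattern would accept the realm (i.e. fail to exclude it)."""
    return NAIVE_NOT_OWN.match(realm) is not None


def is_valid_and_not_own(realm):
    """True if the realm is syntactically valid and neither our realm nor a subrealm."""
    return VALID_NOT_OWN.match(realm) is not None


def realm_of(user_name):
    """Return the realm part of a RADIUS User-Name, or None if there is no '@'."""
    if "@" not in user_name:
        return None
    return user_name.rsplit("@", 1)[1]


def ssid_of(called_station_id):
    """Wireless Called-Station-Id is 'AP-MAC:SSID'; return the SSID, or None if absent."""
    _mac, sep, ssid = called_station_id.partition(":")
    return ssid.lower() if sep and ssid else None


def decide(user_name, called_station_id):
    """Apply the page's rules in order; first match wins, anything else is rejected."""
    realm = realm_of(user_name)
    ssid = ssid_of(called_station_id)
    if realm is None or ssid is None or not VALID_REALM.match(realm):
        return "reject"
    own = OWN_OR_SUBREALM.match(realm) is not None
    if own and ssid == "eduroam":
        return "local"                   # rule 1: our users on eduroam
    if not own and ssid == "eduroam":
        return "proxy-eduroam-nrps"      # rule 2: visitors on eduroam
    if not own and ssid == "govroam":
        return "proxy-govroam-nrps"      # rule 3: visitors on govroam (not our own realm)
    return "reject"                      # rule 4, including our own users on govroam


if __name__ == "__main__":
    # Constructed sample requests (MAC addresses and names are made up).
    for user, csi in [
        ("fred@camford.ac.uk", "00-11-22-33-44-55:eduroam"),
        ("fred@camford.ac.uk", "00-11-22-33-44-55:govroam"),
        ("alice@dept.camford.ac.uk", "00-11-22-33-44-55:govroam"),
        ("bob@other.ac.uk", "00-11-22-33-44-55:govroam"),
        ("bob@other.ac.uk", "00-11-22-33-44-55:corpwifi"),
    ]:
        print(f"{user:28} {csi:28} -> {decide(user, csi)}")
    print("naive pattern accepts bare own realm:", naive_lookahead_passes(OWN_REALM))
```

decide() is ordered the way NPS evaluates connection request policies, top to bottom with the first match winning, so the own-realm-on-govroam case falls through to the final reject rather than being proxied. The TLD class [a-zA-Z]{2,6} is the page's; realms under longer top-level domains would need it widened.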