Differences

This shows you the differences between two versions of the page.

--- siteadmin:basic_freeradius_orps_configuration [2022/08/04 14:17] – admin
+++ siteadmin:basic_freeradius_orps_configuration [2024/11/21 15:00] (current) – admin
@@ Line 6: / Line 6: @@
   * mods-available -> govroam_logs
-Delete any other links in the sites-enabled directory ('status' can be left/added if you're allowing status checks). Attempting to run 'govroam' and 'default' will likely result in problems stating the RADIUS server.
+Delete any other links in the sites-enabled directory ('status' can be left/added if you're allowing status checks). Attempting to run 'govroam' and 'default' will likely result in problems starting the RADIUS server.
 ===clients.conf:===
 <code>
-# Configure the JISC NRPS as a client as it will be sending request from your people abroad.
+# Configure a Network Access Server (e.g. wireless controller) to accept traffic from.
 client  NAS {
@@ Line 17: / Line 17: @@
         ipaddr = 10.10.20.1
 }
+# Configure the JISC NRPS as a client as it will be sending request from your people abroad.
 client roaming0 {
         secret = something
         ipaddr = 192.168.0.1
+        operator = "NRPS"
 }
@@ Line 27: / Line 31: @@
         secret = something
         ipaddr = 10.10.10.31
+        operator = "1localnet"
 }
@@ Line 41: / Line 46: @@
 # Realms that don't match any other listed send to the pool of govroam servers
-realm "~.+$" {
+realm "~^[^@\. ]([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,6}$" {
     auth_pool = govroam
     nostrip
@@ Line 59: / Line 64: @@
     secret = something
     status_check = status-server # Checks status of govroam server
+    operator = "NRPS"
 }
@@ Line 78: / Line 85: @@
         port = 1812
         type = auth
+        operator = "1localnet"
 }
@@ Line 94: / Line 103: @@
         authorize {
                 preprocess
                 update request {
-                        Operator-Name := 1your.domain # Adds the Operator Name attribute to the request.
+                        Operator-Name = 1your.domain # Adds the Operator Name attribute to the request, if it doesn't already exist.
                 }
                 auth_log
@@ Line 118: / Line 127: @@
                 # Lots of logging
                 reply_log
-                f_ticks
+                # Only send F-TICKS to Jisc when proxying between sites.
+		if ( "%{home_server:operator}" != "NRPS" && "%{client:operator}" != "NRPS" && "%{request:Called-Station-Id}" =~ /:govroam$/) {
+  		  f_ticks
+		}
                 govroam_log
                 Post-Auth-Type REJECT {
                         attr_filter.access_reject
                         reply_log
-                        f_ticks
                 }
         }
@@ Line 146: / Line 157: @@
 <code>
-# F-TICKS
+# F-TICKS - only appropriate for Regional Federation Operators
 linelog f_ticks {
         filename = syslog
         format = ""
         reference = "f_ticks.%{%{reply:Packet-Type}:-format}"
-f_ticks {
+        f_ticks {
-              Access-Accept ="F-TICKS/govroam/1.0#REALM=%{Realm}#VISCOUNTRY=GB#VISINST=%{Operator-Name}#CSI=%{Calling-Station-Id}#RESULT=OK#FEDID=XX#" # Replace XX with your supplied ID
+              Access-Accept ="F-TICKS/govroam/1.0#REALM=%{Realm}#VISCOUNTRY=GB#VISINST=%{Operator-Name}#CSI=%{Calling-Station-Id}#RESULT=OK#FEDID=XX#" # Replace XX with your supplied ID,
-}
+        }
@@ Line 206: / Line 216: @@
 </code>
+Once configured you can test using [[public:Testing Tools|eapol_test]]