Govroam

The Roaming solution for the public sector


siteadmin:freeradius_operator-name_setting

Differences

This shows you the differences between two versions of the page.

siteadmin:freeradius_operator-name_setting [2022/12/07 08:15] admin
siteadmin:freeradius_operator-name_setting [2025/03/11 15:39] (current) admin
Line 1: Line 1:
 ======FreeRADIUS Operator-Name Setting====== ======FreeRADIUS Operator-Name Setting======
  
-** Work in progress **+=====Basic O-N setting=====
  
-=====Individual Organisation O-N setting===== +This configuration simply updates the Operator-Name value in the request packets and is appropriate for Individual Organisations (not RFOs):
- +
-This configuration simply updates the Operator-Name value in the request packets.+
  
 <code> <code>
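Review bot: The added sentence under "Basic O-N setting" uses "RFOs" before the page has introduced the term, and the new heading shortens Operator-Name to "O-N" without saying so. Expand both on first use, for example "Operator-Name (O-N)" in the opening sentence, so a site admin landing on this section can tell whether it applies to them. With the "Work in progress" banner removed, also confirm that the sections below are complete enough to justify dropping it.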
Line 22: Line 20:
 As an RFO you're in a position to rewrite the Operator-Name in the outer RADIUS tunnel. This can be useful if your connected sites aren't setting it themselves, or are setting it wrongly. Ideally each site should set it appropriately because some sites might have multiple O-Ns in use and are in the best position to set them accurately. However, some RADIUS servers (NPS in particular) can't set O-N. As an RFO you're in a position to rewrite the Operator-Name in the outer RADIUS tunnel. This can be useful if your connected sites aren't setting it themselves, or are setting it wrongly. Ideally each site should set it appropriately because some sites might have multiple O-Ns in use and are in the best position to set them accurately. However, some RADIUS servers (NPS in particular) can't set O-N.
  
-Best case is that all sites everywhere set the correct O-N and it's proxied untouched to Jisc. This requires that all connect sites run appropriate software which is configured correctly. +Best case is that all sites everywhere set the correct O-N and it's proxied untouched to Jisc. This requires that all connected sites run appropriate software which is configured correctly. 
  
 Second best case is that the RFO sets the missing O-N for sites as the packets are proxied through them. Second best case is that the RFO sets the missing O-N for sites as the packets are proxied through them.
Line 29: Line 27:
    
 Worst case is that the O-N isn't set and proxied packets contain no identification. Worst case is that the O-N isn't set and proxied packets contain no identification.
 +
 +So, here we'll deal with the Second best case - setting missing O-N.
  
 First challenge is how to identify which site is which when proxying. Incoming connections can only be identified by their IP address. Fortunately FreeRADIUS provides a way to add attributes internally to incoming connections. First challenge is how to identify which site is which when proxying. Incoming connections can only be identified by their IP address. Fortunately FreeRADIUS provides a way to add attributes internally to incoming connections.
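Review bot: The added line "So, here we'll deal with the Second best case - setting missing O-N." narrows the scope to a missing O-N, but the RFO paragraph above also gives "or are setting it wrongly" as a reason to rewrite. State explicitly whether the configuration that follows leaves an existing Operator-Name untouched or overwrites it, since that decides whether a site's own value survives proxying. "Second" also does not need a capital in mid-sentence.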
Line 35: Line 35:
 client holby-nhs-uk-0 { client holby-nhs-uk-0 {
         ipaddr = server1.holby.nhs.uk         ipaddr = server1.holby.nhs.uk
-        secret = charlieisaserialkiller+        secret = charlieisaseriealkiller
         operator = "1holby.nhs.uk" # Add this internal variable         operator = "1holby.nhs.uk" # Add this internal variable
         require_message_authenticator = yes         require_message_authenticator = yes
 } }
 +
 +client holby-nhs-uk-1 {
 +        ipaddr = server2.holby.nhs.uk
 +        secret = lisaisaseriealkiller
 +        operator = "1holby.nhs.uk" # Add this internal variable
 +        require_message_authenticator = yes
 +}
 +
 </code> </code>
  
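Review bot: On the changed `secret` line, "charlieisaserialkiller" becomes "charlieisaseriealkiller", which reads as an accidental misspelling, and the new holby-nhs-uk-1 block repeats it in "lisaisaseriealkiller". Both values are lowercase dictionary phrases that are likely to be pasted into live client definitions; an obvious placeholder such as `secret = <long-random-shared-secret>` would be safer in documentation. The added client also carries the same `operator = "1holby.nhs.uk"` as holby-nhs-uk-0; a short comment saying that both servers belong to one site and deliberately share the value would stop readers treating it as a copy-paste slip.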
siteadmin/freeradius_operator-name_setting.1670400907.txt.gz · Last modified: 2022/12/07 08:15 by admin