

Changed files

  • clients.conf
  • proxy.conf
  • sites-available → govroam
  • mods-available → govroam_logs

Delete any other links in the sites-enabled directory ('status' can be left or added if you're allowing status checks). Attempting to run 'govroam' and 'default' together will likely cause problems starting the RADIUS server.

clients.conf:

# Every "secret" in this file is a placeholder: use a distinct, strong shared
# secret per peer, agreed out of band with that peer.

# Presumably a local access point / NAS (example address) - confirm for your site.
client NAS {
        ipaddr = 10.10.20.1
        secret = something
}

# The Jisc NRPS must be a client: it forwards requests for your users when they
# are roaming abroad. The address here is an example; use the real NRPS address.
client roaming0 {
        ipaddr = 192.168.0.1
        secret = something
}

# Your local IdP also sends requests to this ORPS, so it must be a client.
# (Omit for Visited Only ORPS)
client localidp1 {
        ipaddr = 10.10.10.31    # same host as home_server localidp1 in proxy.conf
        secret = something      # placeholder - use a distinct, strong shared secret
}

proxy.conf:

# Blackhole (REJECT) where the realm is missing.
# No auth_pool is given, so requests with no realm are not proxied; with the
# empty "authenticate" section in sites-available/govroam they end up rejected.

realm NULL {
}

# Catch-all: any realm not matched by an explicit realm stanza is proxied to
# the govroam pool. nostrip keeps the realm part of User-Name in the request.
realm "~.+$" {
    nostrip
    auth_pool = govroam
}

# Pool that the catch-all realm proxies to; a single govroam server (roaming0).
home_server_pool govroam {
        type = client-port-balance
        home_server = roaming0
}

# The govroam (NRPS) home server that the govroam pool forwards to.
home_server roaming0 {
    type = auth
    ipaddr = roaming0.govroam.uk    # NRPS hostname
    port = 1812
    secret = something              # placeholder - must match the secret the NRPS holds for this ORPS
    # Status-Server checks are used to detect whether the NRPS is reachable.
    status_check = status-server
}

# Requests for the realm 'localnet' go to the local IdP pool, keeping the
# realm in User-Name. (Omit for Visited Only ORPS)
realm localnet {
        auth_pool = ad_auth
        nostrip
}

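# Pool for the local IdP. The section keyword is home_server_pool, as for the
# govroam pool above; "server_pool" is not a proxy.conf section name and the
# localnet realm's auth_pool would not resolve. (Omit for Visited Only ORPS)
home_server_pool ad_auth {
        type = client-port-balance
        home_server = localidp1
}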

# The local IdP as a home server. (Omit for Visited Only ORPS)
home_server localidp1 {
        type = auth
        ipaddr = 10.10.10.31    # same host as client localidp1 in clients.conf
        port = 1812
        secret = something      # placeholder - use a distinct, strong shared secret
        status_check = status-server
}

sites-available->govroam:

# Virtual server for the ORPS. Only an auth listener is defined here; no
# "type = acct" listener appears in this file, so the preacct/accounting
# sections below are only reached if accounting is listened for elsewhere.
server govroam {
  # Listen on the default port on all IP addresses
  listen {
        type = auth
        ipaddr = *
  }

        # Runs for each Access-Request before the proxy decision is made.
        authorize {
                preprocess
                update request {
                        # Adds the Operator-Name attribute to the request. Replace 1your.domain with "1" followed by your own domain (RFC 5580 REALM namespace); quoting the value is the safer form.
                        Operator-Name := 1your.domain # Adds the Operator Name attribute to the request.
                }
                auth_log        # request logging (module defined outside this file)
                suffix # Identifies the realm (splits user@realm; selects the matching realm in proxy.conf)
                files 

        }

        # Empty on purpose: nothing is authenticated locally. Requests are
        # either proxied via proxy.conf or rejected.
        authenticate {
        }

        preacct {
                preprocess
                suffix
        }

        accounting {
                detail
        }

        # f_ticks and govroam_log are the linelog modules from mods-available/govroam_logs.
        post-auth {
                # Lots of logging
                reply_log
                f_ticks
                govroam_log
                # Runs for rejects instead of the block above; the filter strips
                # attributes not allowed in an Access-Reject before it is logged.
                Post-Auth-Type REJECT {
                        attr_filter.access_reject
                        reply_log
                        f_ticks
                }
        }

        # Before forwarding to a home server. Accounting requests skip the
        # attribute filter; everything else is filtered before leaving this ORPS.
        pre-proxy {
                pre_proxy_log
                if("%{Packet-Type}" != "Accounting-Request") {
                        attr_filter.pre-proxy
                }
        }

        # After the home server's reply comes back: log it, then filter it.
        post-proxy {
                post_proxy_log
                attr_filter.post-proxy
        }
}

And then create a symlink from sites-enabled/govroam to sites-available/govroam.

mods-available->govroam_logs:

# F-TICKS: one syslog line per authentication result. The "reference" selects
# the entry below that matches the reply Packet-Type (Access-Accept / Access-Reject).
linelog f_ticks {
        filename = syslog
        format = ""
        reference = "f_ticks.%{%{reply:Packet-Type}:-format}"
        f_ticks {
                Access-Accept = "F-TICKS/govroam/1.0#REALM=%{Realm}#VISCOUNTRY=GB#VISINST=%{Operator-Name}#CSI=%{Calling-Station-Id}#RESULT=OK#"
                Access-Reject = "F-TICKS/govroam/1.0#REALM=%{Realm}#VISCOUNTRY=GB#VISINST=%{Operator-Name}#CSI=%{Calling-Station-Id}#RESULT=FAIL#" # Remove when sending to Jisc NRPS
        }
}



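# govroam local audit log: one syslog line per result, with fallbacks
# ("%{%{attr}:-default}") so a missing attribute never produces an empty field.
# The Access-Reject format was split across two lines in the original, which
# breaks the quoted string; it is a single line here.
linelog govroam_log {
    filename = syslog
    format = ""
    reference = "govroam_log.%{%{reply:Packet-Type}:-format}"
    govroam_log {
        Access-Accept = "govroam-auth#ORG=%{request:Realm}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{reply:Chargeable-User-Identity}:-Unknown}#MSG=%{%{EAP-Message}:-No EAP Message}#RESULT=OK#"
        Access-Reject = "govroam-auth#ORG=%{request:Realm}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{reply:Chargeable-User-Identity}:-Unknown}#MSG=%{%{reply:Reply-Message}:-No Failure Reason}#RESULT=FAIL#"
    }
}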

And then create a symlink from mods-enabled/govroam_logs to mods-available/govroam_logs.
