Govroam

The Roaming solution for the public sector


This is an old revision of the document!


FreeRADIUS Operator-Name Setting

Work in progress

Basic O-N setting

This configuration simply updates the Operator-Name value in the request packets.

server govroam {
...
        authorize {
...
                # ':=' sets Operator-Name, replacing any value already in the request
                update request {
                        Operator-Name := "1your.domain"
                }
...

RFO O-N Setting

As an RFO you're in a position to rewrite the Operator-Name in the outer RADIUS tunnel. This can be useful if your connected sites aren't setting it themselves, or are setting it wrongly. Ideally each site should set it appropriately because some sites might have multiple O-Ns in use and are in the best position to set them accurately. However, some RADIUS servers (NPS in particular) can't set O-N.

The best case is that all sites everywhere set the correct O-N and it's proxied untouched to Jisc. This requires that all connected sites run appropriate software which is configured correctly.

The second best case is that the RFO sets the missing O-N for sites as the packets are proxied through it.

The next best case is that the RFO sets a single O-N for all packets proxied (see the Basic O-N setting section above).

Worst case is that the O-N isn't set and proxied packets contain no identification.

So, here we'll deal with the second best case: setting a missing O-N.

The first challenge is how to identify which site is which when proxying. Incoming connections can only be identified by their IP address. Fortunately, FreeRADIUS provides a way to add attributes internally to incoming connections.

client holby-nhs-uk-0 {
        ipaddr = server1.holby.nhs.uk
        secret = charlieisaseriealkiller
        operator = "1holby.nhs.uk" # Add this internal variable
        require_message_authenticator = yes
}

Now

%{client:operator}

is available in the main configuration as a variable containing an O-N for each client.

Now use

                update request {
                        Operator-Name = "%{client:operator}"
                }

to set the O-N for each incoming request. The '=' means that it will assign only if Operator-Name isn't already set to something. Thus, if the client site is doing the right thing and setting the O-N, it won't be overwritten. If it isn't, the value of the variable you've assigned will be inserted.

Using

                update request {
                        Operator-Name = "%{%{client:operator}:-1nhs.uk}"
                }

will set, in order of preference, the existing O-N, the client operator, and then a default of '1nhs.uk' if neither of the others is set. You should set the default to be your own site, in the form '1<realm>', where <realm> is your primary realm.

Set the 'operator' in the config for each client you want to override the O-N for. You can set the same 'operator' multiple times.
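One way to check which clients would fall through to the default, added here as an example and not part of the original page or of FreeRADIUS: a small Python audit that reads client blocks, reports any with a missing or malformed 'operator', and models the precedence described above. The sample clients, their secrets, the function names and the regular expression used for the '1<realm>' shape are assumptions; it handles only flat client blocks like the one shown on this page.

```python
import re

# Constructed sample clients.conf; names, hosts and secrets are made up.
SAMPLE = '''
client holby-nhs-uk-0 {
        ipaddr = server1.holby.nhs.uk
        secret = examplesecret0
        operator = "1holby.nhs.uk" # Add this internal variable
}
client nps-site-0 {
        ipaddr = radius.nps-site.example
        secret = examplesecret2
}
client typo-site-0 {
        ipaddr = radius.typo-site.example
        secret = examplesecret3
        operator = "typo-site.example"
}
'''

CLIENT_RE = re.compile(r'^\s*client\s+(\S+)\s*\{(.*?)^\s*\}', re.S | re.M)
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"#\n]*?)"?\s*(?:#.*)?$', re.M)
# Assumed shape for the page's '1<realm>': a leading '1' then a dotted realm.
ON_RE = re.compile(r'^1[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$')

def parse_clients(text):
    """Return {client_name: {item: value}} for flat client blocks."""
    return {n: dict(ITEM_RE.findall(b)) for n, b in CLIENT_RE.findall(text)}

def effective_operator_name(incoming, client, default="1nhs.uk"):
    """Page's precedence: existing O-N, then client operator, then default."""
    return incoming or client.get("operator") or default

def audit(text, default="1nhs.uk"):
    """Return (client, problem) pairs for missing or malformed operators."""
    findings = []
    for name, items in parse_clients(text).items():
        op = items.get("operator")
        if not op:
            findings.append((name, "no operator; falls back to " + default))
        elif not ON_RE.match(op):
            findings.append((name, "operator %r is not of the form 1<realm>" % op))
    return findings

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(name + ": " + problem)
```
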

siteadmin/freeradius_operator-name_setting.1662717451.txt.gz · Last modified: 2022/09/09 09:57 by admin