...
```
client antarctica-flr-1 {
        ipaddr = 172.20.1.2
        netmask = 32
        secret = secretstuff
        require_message_authenticator = yes
        shortname = antarctica-flr-1
        nastype = other
        virtual_server = eduroam
}
```
CUI for eduroam IdP
To use the Chargeable-User-Identity (CUI) you must already be handling the Operator-Name attribute. This documentation applies only to the FreeRADIUS 3.0.x release series.
Modify the log module
Edit the "eduroam_cui_log" file in the mods-available/ subdirectory and add these lines for your inner virtual server:
```
...
linelog cui_inner_log {
        # filename = syslog
        filename = ${logdir}/radius.log
        format = ""
        reference = "inner_auth_log.%{%{reply:Packet-Type}:-format}"
        inner_auth_log {
                Access-Accept = "%t : eduroam-inner-auth#VISINST=%{request:Operator-Name}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{%{reply:Chargeable-User-Identity}:-%{outer.reply:Chargeable-User-Identity}}:-Local User}#RESULT=OK#"
                Access-Reject = "%t : eduroam-inner-auth#VISINST=%{request:Operator-Name}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{%{reply:Chargeable-User-Identity}:-%{outer.reply:Chargeable-User-Identity}}:-Local User}#RESULT=FAIL#"
        }
}
```
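The lines that cui_inner_log writes to radius.log are '#'-delimited, so they are easy to turn into per-visited-institution statistics. The following parser is an added example, not part of this documentation or of FreeRADIUS; the sample log lines, timestamps, realms and CUI values in it are constructed, and the timestamp shape assumes the default %t output.

```python
import re
from collections import Counter

# Constructed sample lines in the shape written by the cui_inner_log module
# above (the %t timestamp, identities, NAS ids and CUI values are made up).
SAMPLE_LOG = """\
Mon Jan  8 10:12:31 2024 : eduroam-inner-auth#VISINST=1example.org#USER=alice@idp.example#CSI=02-00-00-00-00-01#NAS=00-11-22-33-44-55:eduroam#CUI=3f2a9c1e7b#RESULT=OK#
Mon Jan  8 10:13:02 2024 : eduroam-inner-auth#VISINST=1example.org#USER=bob@idp.example#CSI=Unknown Caller Id#NAS=Unknown Access Point#CUI=Local User#RESULT=FAIL#
Mon Jan  8 10:13:40 2024 : eduroam-inner-auth#VISINST=1visitor.example#USER=bob@idp.example#CSI=02-00-00-00-00-02#NAS=00-11-22-33-44-66:eduroam#CUI=Local User#RESULT=FAIL#
"""

# '#' is the field separator in the linelog format, and User-Name is supplied
# by the client, so a value containing '#' makes the whole line fail to match
# rather than silently shifting later fields into the wrong columns.
LINE_RE = re.compile(
    r"^(?P<ts>.+?) : eduroam-inner-auth"
    r"#VISINST=(?P<visinst>[^#]*)#USER=(?P<user>[^#]*)#CSI=(?P<csi>[^#]*)"
    r"#NAS=(?P<nas>[^#]*)#CUI=(?P<cui>[^#]*)#RESULT=(?P<result>OK|FAIL)#$"
)


def parse_line(line):
    """Return a dict of fields, or None for a malformed or unrelated line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # These strings are the fallbacks from the linelog format, not real values.
    rec["cui_issued"] = rec["cui"] != "Local User"
    rec["csi_known"] = rec["csi"] != "Unknown Caller Id"
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def failures_by_visinst(records):
    """Rejected inner authentications per visited institution (Operator-Name)."""
    return Counter(r["visinst"] for r in records if r["result"] == "FAIL")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["ts"], r["visinst"], r["user"], r["cui"], r["result"])
    print(failures_by_visinst(recs))
```

Lines that return None are worth counting separately: a sudden rise in unparseable lines usually means either a format change or an attribute value that contains the separator.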
Using policy and module in your eduroam-inner-tunnel virtual server
Add 'cui-inner' (a policy that is already defined; you do not have to change it) and 'cui_inner_log' to the post-auth section:
```
server eduroam-inner-tunnel {
...
        post-auth {
                reply_log
                cui_inner_log
                cui-inner
                Post-Auth-Type REJECT {
                        reply_log
                        cui_inner_log
                }
        }
...
}
```
That's it! Your server is now prepared for eduroam IdP operation. You can add users to your "database" by amending the "users" file; if you do, you will unfortunately have to restart FreeRADIUS so that it picks up the change.
...