...

As the examples show, none of these contains the crucial @-sign, and thus none should be sent upstream to the national proxies. Permitting your users to connect to eduroam with a realm-less username, on campus or at student accommodation served by your own RADIUS servers, will only lead to a bad user experience when those users attempt to roam off-site (at other institutions in your location or even abroad), because the realm-less username cannot be routed by those other institutions.

This means that, to enforce the NAI format, you must reject outright any request that does not contain a realm element, even if it comes from one of your own users. This should effectively drive the user to the help desk or the student help pages, and your eduroam documentation should explain clearly why the NAI format is necessary. With appropriate tools and settings (such as the eduroam CAT and the geteduroam App together), you can enforce the correct format from the start and reduce future calls to the help desk from off-site roamers (or roamers at student facilities where eduroam is provided by a third party).

...

FreeRADIUS 3.x contains a policy called ‘filter_username’ in the ‘policy.d/filter’ file in the main FreeRADIUS configuration directory. While this policy checks for the most common errors, newer versions of the file do not check for the absence of a realm element. Instead, you may wish to amend the filter file to add this additional policy function:

...

Radiator config fragment:
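# Handlers are tried in file order. Requests on the eduroam SSID whose
# User-Name ends in @realm with a dotted realm are proxied upstream.
<Handler Realm = /@{1}[-a-zA-Z0-9_]+(\.[-a-zA-Z0-9_]+)+$/, Called-Station-Id = /\:eduroam$/ >
    Identifier eduroam-visitors
    AuthLog AUTHLOG
    AccountingHandled
    AuthBy Proxy-To-eduroam
</Handler>

# Anything on the eduroam SSID that did not match the handler above is
# rejected. /[^\@]/ matches any User-Name with at least one non-@ character.
<Handler User-Name = /[^\@]/, Called-Station-Id = /\:eduroam$/ >
    AuthLog AUTHLOG
    <AuthBy INTERNAL>
        AuthResult REJECT
        RejectReason Rejected: No @ in User-Name
    </AuthBy>
</Handler>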
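
Before deploying handlers like these, it helps to run their patterns over sample usernames and confirm which ones are proxied and which are rejected. The following is an added example, not part of the original page or of Radiator: the function name `route`, the outcome labels and all sample values are constructed, and it assumes both patterns are tested against the complete User-Name string with first-match-wins ordering.

```python
import re

# Patterns copied from the Radiator fragment above.
REALM_RE = re.compile(r"@{1}[-a-zA-Z0-9_]+(\.[-a-zA-Z0-9_]+)+$")
NO_AT_RE = re.compile(r"[^\@]")
SSID_RE = re.compile(r"\:eduroam$")


def route(user_name, called_station_id):
    """Return the outcome of the first matching handler, in file order.

    Assumption: both patterns are applied to the whole User-Name.
    """
    if not SSID_RE.search(called_station_id):
        return "not-eduroam"      # neither handler applies to this SSID
    if REALM_RE.search(user_name):
        return "proxy"            # first handler: sent upstream
    if NO_AT_RE.search(user_name):
        return "reject"           # second handler: Access-Reject
    return "unmatched"            # falls through to handlers not shown


# Constructed sample requests: (User-Name, Called-Station-Id).
SAMPLES = [
    ("alice", "00-11-22-33-44-55:eduroam"),                # no realm at all
    ("alice@", "00-11-22-33-44-55:eduroam"),               # empty realm
    ("alice@localhost", "00-11-22-33-44-55:eduroam"),      # realm without a dot
    ("alice@example.ac.uk ", "00-11-22-33-44-55:eduroam"), # trailing space
    ("alice@example.ac.uk", "00-11-22-33-44-55:eduroam"),  # well-formed NAI
    ("a@b@example.org", "00-11-22-33-44-55:eduroam"),      # two @-signs
    ("@", "00-11-22-33-44-55:eduroam"),                    # only an @-sign
    ("alice@example.ac.uk", "00-11-22-33-44-55:guest"),    # different SSID
]

if __name__ == "__main__":
    for user, csid in SAMPLES:
        print(f"{user!r:26} {csid.split(':')[-1]:8} -> {route(user, csid)}")
```

Two results are worth noting: usernames with a malformed realm (such as `alice@localhost`) are rejected with the "No @ in User-Name" reason even though they contain an @-sign, and a username with two @-signs is still proxied because the realm pattern is anchored only at the end.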

...