Time for action – rejecting requests without a realm
The following steps will demonstrate how to reject requests without a realm:
- Edit the proxy.conf file under the FreeRADIUS configuration directory and ensure that the my-org.com realm does not have the nostrip directive (it was included in the previous exercise).
- Edit the sites-enabled/default file and add the following unlang code just after the suffix entry in the authorize section. This will reject any requests with usernames without a realm:

      # Reject the request when the username carries no realm
      if( request:Realm == NULL ){
          update reply {
              Reply-Message := "Username should be in format username@domain"
          }
          reject
      }

- Restart the FreeRADIUS server in debug mode and try to authenticate as alice. The authentication request should fail.
- Authenticate as alice@my-org.com. The request should pass.
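A pre-restart check for the first two steps, as an added example that is not from the book or the FreeRADIUS project: it confirms that the my-org.com realm block has no active nostrip directive and that the request:Realm test sits after the suffix entry in the authorize section. The function names and sample files are hypothetical, and the parsing assumes one directive per line with "realm NAME {" on a single line.

```shell
#!/bin/sh
# Added example (not from the book): lint the two edits before restarting.
# Assumes one directive per line and "realm NAME {" on a single line.

# realm_strips FILE REALM: succeeds only if REALM is defined in FILE and
# its block carries no active (uncommented) nostrip directive.
realm_strips() {
    awk -v realm="$2" '
        { sub(/#.*/, "") }                                # ignore comments
        $1 == "realm" && $2 == realm { inblk = 1; found = 1; next }
        inblk && index($0, "}") { inblk = 0 }
        inblk && $1 == "nostrip" { bad = 1 }
        END { exit ((found && !bad) ? 0 : 1) }
    ' "$1"
}

# realm_check_after_suffix FILE: succeeds only if the authorize section
# tests request:Realm on a line that comes after the suffix entry.
realm_check_after_suffix() {
    awk '
        { sub(/#.*/, "") }
        $1 == "authorize" { insec = 1; depth = 0; opened = 0 }
        insec {
            if ($1 == "suffix" && !sfx) sfx = NR
            if (index($0, "request:Realm") && !chk) chk = NR
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")  # track nesting
            if (depth > 0) opened = 1
            if (opened && depth == 0) insec = 0           # section closed
        }
        END { exit ((sfx && chk && chk > sfx) ? 0 : 1) }
    ' "$1"
}

# Constructed sample files standing in for proxy.conf and sites-enabled/default.
tmp=$(mktemp -d)
printf 'realm my-org.com {\n\t#nostrip\n}\n' > "$tmp/proxy.ok"
printf 'realm my-org.com {\n\tnostrip\n}\n' > "$tmp/proxy.nostrip"
printf 'authorize {\n\tsuffix\n\tif( request:Realm == NULL ){\n\t\treject\n\t}\n\tfiles\n}\n' > "$tmp/site.ok"
printf 'authorize {\n\tif( request:Realm == NULL ){\n\t\treject\n\t}\n\tsuffix\n}\n' > "$tmp/site.early"

for f in proxy.ok proxy.nostrip; do
    realm_strips "$tmp/$f" my-org.com && echo "$f: strips realm" || echo "$f: nostrip set or realm missing"
done
for f in site.ok site.early; do
    realm_check_after_suffix "$tmp/$f" && echo "$f: check follows suffix" || echo "$f: check missing or before suffix"
done
rm -rf "$tmp"
```

Both functions return a shell exit status, so they can gate a restart script against the real proxy.conf and sites-enabled/default paths.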
What just happened?
We have managed to reject any authentication request where a username does not contain a realm.
We had to put the unlang code after the suffix module because...