Catch - All User Realm for unknown User Suffixes

th

So, we need to handle unknown user suffixes to a catch-all user Realm, which in turn proxies to upstream RADIUS servers. We need to do this for external organizations to be able to use our WiFi using their home credentials (we want to participate in eduroam, https://www.eduroam.org/).

So, the setup is like this:

Known user suffix (xxxx@our-organization.org) --> "User may specify the realm name as a username suffix" checked --> correct user realm is chosen --> Done. Doesn't work for unknown suffixes / suffixes that don't match an existing Realm of course.

Now, if I uncheck "User may specify the realm name as a username suffix" I can proxy ALL RADIUS requests, which I don't want for 'local' requests, i.e. requests from xxxx@our-organization.org.

If I check "User may specify the realm name as a username suffix" I cannot use unknown suffixes.

But, how would I authenticate requests with a suffix @our-organization.org locally and proxy all the other requests? Can this be done with Policy Secure?

TL;DR

.) xxxx@our-organization.org needs to be authenticated against our LDAP directory
.) xxxx@unknown.org needs to be proxied to upstream RADIUS.

Same authentication protocol set in both cases.

I don't think so but would like to have a second opinion.
Moderator

Re: Catch - All User Realm for unknown User Suffixes

You are correct. There is no option for unknown suffixes in PPS today.

This feature has been asked for in the past by large education customers using EduRoam. I "think" an enhancement request has been filed for this, but I do not know with 100% certainty. I would suggest you reach out to your account team and ask them to file the request for you or add your account to the request.

Thanks

Craig Brauckmiller
Sr. Escalation Engineer
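
The routing decision asked for in this thread, as an added Python example (not Policy Secure functionality or configuration, and not code from either poster): the realm is taken from the `User-Name` suffix, `our-organization.org` is authenticated locally, and any other well-formed realm is proxied. The function names, the treatment of bare usernames as local, and the rejection of malformed realms are assumptions of this example.

```python
import re

# Realm from the question; everything else here is hypothetical.
LOCAL_REALMS = frozenset({"our-organization.org"})

# DNS-style realm: dot-separated labels of letters, digits and hyphens,
# with at least one dot (so "unknown" or "unknown..org" do not pass).
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_REALM_RE = re.compile(rf"(?:{_LABEL}\.)+{_LABEL}")


def split_user_name(user_name):
    """Split a RADIUS User-Name at the last '@' into (user, realm).

    The realm is lower-cased so matching is case-insensitive;
    it is None when the name carries no '@' at all.
    """
    user, sep, realm = user_name.rpartition("@")
    if not sep:
        return user_name, None
    return user, realm.lower()


def route(user_name, local_realms=LOCAL_REALMS):
    """Return 'local', 'proxy' or 'reject' for one User-Name value."""
    _user, realm = split_user_name(user_name)
    if realm is None:
        return "local"  # assumption: bare usernames belong to the local directory
    if len(realm) > 253 or not _REALM_RE.fullmatch(realm):
        return "reject"  # assumption: never forward a malformed realm upstream
    if realm in local_realms:
        return "local"  # authenticate against the local LDAP directory
    return "proxy"  # unknown but well-formed realm: hand to upstream RADIUS


if __name__ == "__main__":
    # Constructed sample identities, not taken from any log.
    for name in ("xxxx@our-organization.org", "xxxx@OUR-ORGANIZATION.ORG",
                 "xxxx@unknown.org", "@unknown.org", "xxxx",
                 "xxxx@unknown", "xxxx@", "xxxx@unknown.org "):
        print(f"{name!r:32} -> {route(name)}")
```

An empty user part such as `@unknown.org` is routed like any other identity, since the outer identity may be anonymous and only the realm drives the decision.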