Re: Auth by NAS-Identifier using unlang

2013-08-06 Thread Alan Buxey
I assume that's the freeradius2 package rather than freeradius as 1.x doesn't 
have unlang

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Auth by NAS-Identifier using unlang

2013-08-06 Thread John Dennis
On 08/06/2013 02:31 AM, Alan Buxey wrote:
> I assume that's the freeradius2 package rather than freeradius as 1.x
> doesn't have unlang

The OP said Fedora. Fedora has never had a freeradius2 package (only
ever existed in RHEL 5.x). Fedora has had 2.x for many years. So either
the OP is using an extremely old version, doesn't know what OS they're
on, or is trying to blame the package for a failure to read the doc.


-- 
John
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Auth by NAS-Identifier using unlang

2013-08-05 Thread Joseph Perrin
I was thinking this should be easy, but it's been two weeks and I give up...

This is what I want to do: My NAS, (a WiFi AP), has two SSIDs: staff and
guests.  I want mutual exclusivity.

My /etc/raddb/users file contains something like this:

abc     Cleartext-Password := xyz
        Local-Group = staff

I've created an attribute in my /etc/raddb/dictionary file:

ATTRIBUTE       Local-Group     3000    string

In my /etc/raddb/sites-enabled/default file, in the authorize section, I've
got this:

if ( Local-Group != NAS-Identifier ) {
        update reply {
                Reply-Message := "You may not connect to %{NAS-Identifier} AP.\r\n"
        }
        reject
}


My access request looks something like this: (edited for brevity.)

User-Name = abc
NAS-IP-Address = 192.168.8.253
NAS-Port = 0
NAS-Identifier = guests
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = ...
Called-Station-Id = ...
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =...
State = ...
Aruba-Essid-Name = test
Aruba-Location-Id = wifi
Aruba-AP-Group = Our WiFi


Running radiusd -X I get:

:
++? if (Local-Group != NAS-Identifier )
(Attribute Local-Group was not found)
? Evaluating (Local-Group != NAS-Identifier ) - FALSE
++? if (Local-Group != NAS-Identifier ) - FALSE
:

And it's clear Local-Group is always empty.  :-(

Some things I've tried:

- Moved code to post-auth section instead of authorize.
- Different attributes instead of private dictionary (i.e. Group-Name).
- Running an executable (actually works, but selinux appears to be a
  problem?)
- Changing the test from != to == makes things work as expected, so if the
  comparison will actually work, I'm good.

I'm clearly not understanding something.

-Joseph
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Auth by NAS-Identifier using unlang

2013-08-05 Thread Arran Cudbard-Bell
>
> Running radiusd -X I get:
>
> :
> ++? if (Local-Group != NAS-Identifier )
> (Attribute Local-Group was not found)
> ? Evaluating (Local-Group != NAS-Identifier ) - FALSE
> ++? if (Local-Group != NAS-Identifier ) - FALSE
> :
>
> And it's clear Local-Group is always empty.  :-(

Yeah you've inserted it into the reply list, and you're looking for it in the 
request list

abc Cleartext-Password:=xyz, Local-Group := 'NAS-Identifier'

if (control:Local-Group != 'NAS-Identifier') 

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Auth by NAS-Identifier using unlang

2013-08-05 Thread A . L . M . Buxey
Hi,

> I was thinking this should be easy, but it's been two weeks and I give
> up...

well, depends how you do it... if you do it easy it is easy, no?

users file

abc     Cleartext-Password := "xyz", NAS-Identifier == "staff"
        Reply-Message = "Welcome on-board staff member"


don't forget, if this is 802.1X etc then your users won't see the
Reply-Message... so don't rely on it for telling them things!


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Auth by NAS-Identifier using unlang

2013-08-05 Thread Joseph Perrin
Changing the Local-Group into the request still makes control:Local-Group
empty.

abc     Cleartext-Password := xyz, Local-Group := staff

NAS Sends this:

User-Name = abc
:
NAS-Identifier = resident


if ( control:Local-Group != NAS-Identifier ) {

Diagnostic says:
  ++? if (control:Local-Group != NAS-Identifier ) - FALSE


(staff != resident) should be True, but control:Local-Group is empty.
 :-(



On Mon, Aug 5, 2013 at 4:14 PM, Arran Cudbard-Bell 
a.cudba...@freeradius.org wrote:

>
> > Running radiusd -X I get:
> >
> > :
> > ++? if (Local-Group != NAS-Identifier )
> > (Attribute Local-Group was not found)
> > ? Evaluating (Local-Group != NAS-Identifier ) - FALSE
> > ++? if (Local-Group != NAS-Identifier ) - FALSE
> > :
> >
> > And it's clear Local-Group is always empty.  :-(
>
> Yeah you've inserted it into the reply list, and you're looking for it in
> the request list
>
> abc Cleartext-Password:=xyz, Local-Group := 'NAS-Identifier'
>
> if (control:Local-Group != 'NAS-Identifier')
>
> -Arran
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Auth by NAS-Identifier using unlang

2013-08-05 Thread Arran Cudbard-Bell
>
> Diagnostic says:
>   ++? if (control:Local-Group != NAS-Identifier ) - FALSE

Assuming you're not looking for a literal value 'NAS-Identifier', you want
"%{NAS-Identifier}".

If this is a new deployment you should use current HEAD revision in Master.  
Then you can use the debug_attr expansion to look at list state.

update request {
        Tmp-String-0 := "%{debug_attr:control:}"
}

Also could you please stop posting snippets of debug output and paste the whole 
thing...

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Auth by NAS-Identifier using unlang

2013-08-05 Thread Joseph Perrin
The following appears to now work, but I don't understand some things:

files

if (control:Local-Group != "%{NAS-Identifier}" ) {

Why does control:Local-Group not need to be enclosed in %{ }, but
NAS-Identifier does?
And why does %{ } content need to be within quotes, when the documentation
doesn't say anything about them needing to be in quotes?

It's clear I must have a call to files prior to this in order to populate
the control list, right?



On Mon, Aug 5, 2013 at 5:03 PM, Arran Cudbard-Bell 
a.cudba...@freeradius.org wrote:

>
> > Diagnostic says:
> >   ++? if (control:Local-Group != NAS-Identifier ) - FALSE
>
> Assuming you're not looking for a literal value 'NAS-Identifier', you want
> "%{NAS-Identifier}".
>
> If this is a new deployment you should use current HEAD revision in
> Master.  Then you can use the debug_attr expansion to look at list state.
>
> update request {
>         Tmp-String-0 := "%{debug_attr:control:}"
> }
>
> Also could you please stop posting snippets of debug output and paste the
> whole thing...
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Auth by NAS-Identifier using unlang

2013-08-05 Thread Arran Cudbard-Bell

On 5 Aug 2013, at 22:37, Joseph Perrin jos...@lifeonthestreet.org wrote:

> The following appears to now work, but I don't understand some things:
>
> files
>
> if (control:Local-Group != "%{NAS-Identifier}" ) {
>
> Why does control:Local-Group not need to be enclosed in %{ }, but
> NAS-Identifier does?

In 2.x.x bareword left operand is assumed to be an attribute reference. Right 
bareword operand is assumed to be a number literal, or a member of the set of 
string values associated with an integer attribute.

LHS/RHS operands are not interchangeable in their roles.

> And why does %{ } content need to be within quotes

It's a string expansion, string expansions only function inside double quotes.  
This is similar to variable expansion in most scripting languages.

> , when the documentation doesn't say anything about them needing to be in
> quotes?

Man unlang

VARIABLES
       Run-time variables are referenced using the following syntax

            %{Variable-Name}

       Note that unlike C, there is no way to declare variables, or to refer to
       them outside of a string context.  All references to variables MUST be
       contained inside of a double-quoted or back-quoted string.

> It's clear I must have a call to files prior to this in order to populate
> the control list, right?

Yes.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
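Pulling the thread's pieces together, here is a complete, constructed example of the setup Arran describes. It is an added illustration, not configuration from the original posts or from the FreeRADIUS project. It assumes FreeRADIUS 2.x, the OP's private attribute Local-Group (number 3000 is the OP's choice; any unused local number works), a users file read by the files module, the standard module instance names from the default site (preprocess, files, eap, pap), and an AP that sends its SSID name in NAS-Identifier. The user names and passwords are made up. One point worth keeping in mind when relying on this: NAS-Identifier is set by the access point, which authenticates to the server with the shared secret, so the wireless client cannot choose its own group; the check is only as trustworthy as the NAS configuration.

```unlang
# --- /etc/raddb/dictionary (local additions) --------------------------------
# Private attribute that tags which SSID a user may join. 3000 is the OP's
# choice of number; it only needs to be unused in the local dictionary.
ATTRIBUTE       Local-Group     3000    string

# --- /etc/raddb/users --------------------------------------------------------
# Items on the first line of an entry are check items. The ":=" operator puts
# them in the control list, which is why the condition below reads
# control:Local-Group. Indented continuation lines are reply items and land in
# the reply list (the OP's first attempt put Local-Group there, so a lookup in
# the request list could never find it). Credentials here are constructed.
abc     Cleartext-Password := "xyz", Local-Group := "staff"
        Reply-Message = "Welcome on-board staff member"

guest1  Cleartext-Password := "guestpass", Local-Group := "guests"

# --- /etc/raddb/sites-enabled/default, authorize section --------------------
authorize {
        preprocess

        # files must run before the condition so that control:Local-Group is
        # populated from the users file.
        files

        # Optional, only on a version that has the debug_attr expansion (as
        # Arran notes above): dump the control list while debugging.
        # update request {
        #         Tmp-String-0 := "%{debug_attr:control:}"
        # }

        # Left operand: bare attribute reference of the form list:Attribute.
        # Right operand: NAS-Identifier is a run-time variable, so it must be
        # expanded inside a double-quoted string. A bare NAS-Identifier on the
        # right would be read as a literal or enum value, not as the attribute.
        # Users without a Local-Group are left alone by this policy.
        if (control:Local-Group) {
                if (control:Local-Group != "%{NAS-Identifier}") {
                        update reply {
                                # Only seen by PAP-style logins; 802.1X
                                # supplicants never display Reply-Message.
                                Reply-Message := "You may not connect to the %{NAS-Identifier} AP."
                        }
                        reject
                }
        }

        # Authentication method selection follows, as in the default site.
        eap
        pap
}

# --- Alternative: enforce the SSID in the users file alone (Alan's approach) --
# Use EITHER this form OR the Local-Group form above, not both. The entry only
# matches when the request's NAS-Identifier equals "staff" (== is the check
# operator for a protocol attribute); anything that falls through hits the
# DEFAULT entry and is rejected, so no unlang condition is needed.
#
# abc     Cleartext-Password := "xyz", NAS-Identifier == "staff"
#         Reply-Message = "Welcome on-board staff member"
#
# DEFAULT Auth-Type := Reject
#         Reply-Message = "You may not connect to the %{NAS-Identifier} AP."
```

Running the server with radiusd -X and sending a request with NAS-Identifier = guests for user abc should show the inner condition evaluating to TRUE and the request being rejected; with NAS-Identifier = staff the condition is FALSE and processing continues to the authentication modules.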


Re: Auth by NAS-Identifier using unlang

2013-08-05 Thread Joseph Perrin
Thank you.  I now understand.

A stock install of FreeRADIUS in Fedora (i.e. via yum) does not provide a
man page for unlang.  Had you not helped me, I'd simply not know.


On Mon, Aug 5, 2013 at 6:00 PM, Arran Cudbard-Bell 
a.cudba...@freeradius.org wrote:

>
> On 5 Aug 2013, at 22:37, Joseph Perrin jos...@lifeonthestreet.org wrote:
>
> > The following appears to now work, but I don't understand some things:
> >
> > files
> >
> > if (control:Local-Group != "%{NAS-Identifier}" ) {
> >
> > Why does control:Local-Group not need to be enclosed in %{ }, but
> > NAS-Identifier does?
>
> In 2.x.x bareword left operand is assumed to be an attribute reference.
> Right bareword operand is assumed to be a number literal, or a member of
> the set of string values associated with an integer attribute.
>
> LHS/RHS operands are not interchangeable in their roles.
>
> > And why does %{ } content need to be within quotes
>
> It's a string expansion, string expansions only function inside double
> quotes.  This is similar to variable expansion in most scripting languages.
>
> > , when the documentation doesn't say anything about them needing to be
> > in quotes?
>
> Man unlang
>
> VARIABLES
>        Run-time variables are referenced using the following syntax
>
>             %{Variable-Name}
>
>        Note that unlike C, there is no way to declare variables, or to refer
>        to them outside of a string context.  All references to variables MUST
>        be contained inside of a double-quoted or back-quoted string.
>
> > It's clear I must have a call to files prior to this in order to
> > populate the control list, right?
>
> Yes.
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Auth by NAS-Identifier using unlang

2013-08-05 Thread John Dennis
On 08/05/2013 08:49 PM, Joseph Perrin wrote:
> Thank you.  I now understand.
>
> A stock install of FreeRADIUS in Fedora (i.e. via yum) does not
> provide a man page for unlang.  Had you not helped me, I'd simply not know.

Nonsense, the freeradius rpm installs the unlang man page.

Please provide the exact installed rpm if you think otherwise.

-- 
John
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html