Re: Auth by NAS-Identifier using unlang
I assume that's the freeradius2 package rather than freeradius, as 1.x doesn't have unlang.

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Auth by NAS-Identifier using unlang
On 08/06/2013 02:31 AM, Alan Buxey wrote:
> I assume that's the freeradius2 package rather than freeradius, as 1.x doesn't have unlang.

The OP said Fedora. Fedora has never had a freeradius2 package (it only ever existed in RHEL 5.x). Fedora has had 2.x for many years. So either the OP is using an extremely old version, doesn't know what OS they're on, or is trying to blame the package for a failure to read the doc.

-- 
John
Auth by NAS-Identifier using unlang
I was thinking this should be easy, but it's been two weeks and I give up...

This is what I want to do: My NAS (a WiFi AP) has two SSIDs: staff and guests. I want mutual exclusivity.

My /etc/raddb/users file contains something like this:

abc Cleartext-Password := xyz
    Local-Group = staff

I've created an attribute in my /etc/raddb/dictionary file:

ATTRIBUTE Local-Group 3000 string

In my /etc/raddb/sites-enabled/default file, in the authorize section, I've got this:

if ( Local-Group != NAS-Identifier ) {
    update reply {
        Reply-Message := "You may not connect to %{NAS-Identifier} AP.\r\n"
    }
    reject
}

My access request looks something like this (edited for brevity):

User-Name = abc
NAS-IP-Address = 192.168.8.253
NAS-Port = 0
NAS-Identifier = guests
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = ...
Called-Station-Id = ...
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = ...
State = ...
Aruba-Essid-Name = test
Aruba-Location-Id = wifi
Aruba-AP-Group = Our WiFi

Running radiusd -X I get:

:
++? if (Local-Group != NAS-Identifier )
    (Attribute Local-Group was not found)
? Evaluating (Local-Group != NAS-Identifier ) -> FALSE
++? if (Local-Group != NAS-Identifier ) -> FALSE
:

And it's clear Local-Group is always empty. :-(

Some things I've tried:

- Moved code to post-auth section instead of authorize.
- Different attributes instead of private dictionary (i.e. Group-Name).
- Running an executable (actually works, but selinux appears to be a problem?).
- Changing the test from != to == makes things work as expected, so if the comparison will actually work, I'm good.

I'm clearly not understanding something.

-Joseph
Re: Auth by NAS-Identifier using unlang
> Running radiusd -X I get:
>
> :
> ++? if (Local-Group != NAS-Identifier )
>     (Attribute Local-Group was not found)
> ? Evaluating (Local-Group != NAS-Identifier ) -> FALSE
> ++? if (Local-Group != NAS-Identifier ) -> FALSE
> :
>
> And it's clear Local-Group is always empty. :-(

Yeah, you've inserted it into the reply list, and you're looking for it in the request list.

abc Cleartext-Password := xyz, Local-Group := 'NAS-Identifier'

if (control:Local-Group != 'NAS-Identifier')

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Auth by NAS-Identifier using unlang
Hi,

> I was thinking this should be easy, but it's been two weeks and I give up...

Well, it depends how you do it... if you do it the easy way it is easy, no?

users file:

abc Cleartext-Password := "xyz", NAS-Identifier == "staff"
    Reply-Message = "Welcome on-board staff member"

Don't forget, if this is 802.1X etc. then your users won't see the Reply-Message... so don't rely on it for telling them things!

alan
Re: Auth by NAS-Identifier using unlang
Changing the Local-Group into the request still makes control:Local-Group empty.

abc Cleartext-Password := xyz, Local-Group := staff

NAS sends this:

User-Name = abc
:
NAS-Identifier = resident

if ( control:Local-Group != NAS-Identifier ) {

Diagnostic says:

++? if (control:Local-Group != NAS-Identifier ) -> FALSE

(staff != resident) should be True, but control:Local-Group is empty. :-(

On Mon, Aug 5, 2013 at 4:14 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> > Running radiusd -X I get:
> >
> > :
> > ++? if (Local-Group != NAS-Identifier )
> >     (Attribute Local-Group was not found)
> > ? Evaluating (Local-Group != NAS-Identifier ) -> FALSE
> > ++? if (Local-Group != NAS-Identifier ) -> FALSE
> > :
> >
> > And it's clear Local-Group is always empty. :-(
>
> Yeah, you've inserted it into the reply list, and you're looking for it in the request list.
>
> abc Cleartext-Password := xyz, Local-Group := 'NAS-Identifier'
>
> if (control:Local-Group != 'NAS-Identifier')
>
> -Arran
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team
Re: Auth by NAS-Identifier using unlang
> Diagnostic says:
>
> ++? if (control:Local-Group != NAS-Identifier ) -> FALSE

Assuming you're not looking for the literal value 'NAS-Identifier', you want "%{NAS-Identifier}".

If this is a new deployment you should use the current HEAD revision in master. Then you can use the debug_attr expansion to look at list state:

update request {
    Tmp-String-0 := "%{debug_attr:control:}"
}

Also, could you please stop posting snippets of debug output and paste the whole thing...

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Auth by NAS-Identifier using unlang
The following appears to now work, but I don't understand some things:

files
if (control:Local-Group != "%{NAS-Identifier}") {

Why does control:Local-Group not need to be enclosed in %{ }, but NAS-Identifier does?

And why does the %{ } content need to be within quotes, when the documentation doesn't say anything about them needing to be in quotes?

It's clear I must have a call to files prior to this in order to populate the control list, right?

On Mon, Aug 5, 2013 at 5:03 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> > Diagnostic says:
> >
> > ++? if (control:Local-Group != NAS-Identifier ) -> FALSE
>
> Assuming you're not looking for the literal value 'NAS-Identifier', you want "%{NAS-Identifier}".
>
> If this is a new deployment you should use the current HEAD revision in master. Then you can use the debug_attr expansion to look at list state:
>
> update request {
>     Tmp-String-0 := "%{debug_attr:control:}"
> }
>
> Also, could you please stop posting snippets of debug output and paste the whole thing...
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team
Re: Auth by NAS-Identifier using unlang
On 5 Aug 2013, at 22:37, Joseph Perrin jos...@lifeonthestreet.org wrote:

> The following appears to now work, but I don't understand some things:
>
> files
> if (control:Local-Group != "%{NAS-Identifier}") {
>
> Why does control:Local-Group not need to be enclosed in %{ }, but NAS-Identifier does?

In 2.x.x a bareword left operand is assumed to be an attribute reference. A bareword right operand is assumed to be a number literal, or a member of the set of string values associated with an integer attribute. LHS/RHS operands are not interchangeable in their roles.

> And why does the %{ } content need to be within quotes

It's a string expansion; string expansions only function inside double quotes. This is similar to variable expansion in most scripting languages.

> , when the documentation doesn't say anything about them needing to be in quotes?

man unlang:

VARIABLES
    Run-time variables are referenced using the following syntax:

        %{Variable-Name}

    Note that unlike C, there is no way to declare variables, or to refer to them outside of a string context. All references to variables MUST be contained inside of a double-quoted or back-quoted string.

> It's clear I must have a call to files prior to this in order to populate the control list, right?

Yes.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
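The pieces the thread converges on (check items on the first users-file line land in the control list, `files` must run before the test, and `%{...}` only expands inside double quotes), assembled into one consistent FreeRADIUS 2.x configuration. This is an added example, not code from the thread or from the FreeRADIUS project. It assumes the server-internal attribute is called Local-Group, that the AP announces the two SSIDs as NAS-Identifier "staff" and "guests", and that abc/xyz are placeholder credentials; the last entry shows the alternative Alan suggested earlier in the thread, which needs no private attribute at all.

```text
# Added example (not from the thread or the FreeRADIUS project): one
# consistent FreeRADIUS 2.x configuration for per-SSID access control.
# Assumed: attribute name Local-Group, SSIDs announced as NAS-Identifier
# "staff" and "guests", placeholder credentials abc/xyz.

# --- /etc/raddb/dictionary ---
# Attribute numbers above 255 are server-internal: Local-Group is never
# put on the wire, it only exists inside the server's attribute lists.
ATTRIBUTE   Local-Group   3000   string

# --- /etc/raddb/users ---
# rlm_files puts the items on the first line (check items) into the
# control list and the items on the indented lines that follow (reply
# items) into the reply list. The entry in the original post had
# Local-Group on a reply line, which is why control:Local-Group was
# empty when unlang tested it.
abc     Cleartext-Password := "xyz", Local-Group := "staff"
        Reply-Message = "Welcome on board, staff member"

# --- /etc/raddb/sites-enabled/default, inside authorize { } ---
# "files" must run before the test so that the control list is populated.
files

# A bareword on the left is an attribute reference; the right-hand side
# is a string, and %{...} is only expanded inside double quotes.
# The existence test in front makes the policy explicit: a user with no
# Local-Group is not restricted by this rule. For default-deny, reject
# when control:Local-Group is absent as well.
if (control:Local-Group && (control:Local-Group != "%{NAS-Identifier}")) {
        update reply {
                Reply-Message := "You may not connect to the %{NAS-Identifier} AP."
        }
        reject
}

# --- Alternative (Alan's suggestion): no private attribute ---
# Make the SSID a check item with "==". The entry then only matches on
# the staff SSID; a request carrying NAS-Identifier "guests" matches
# nothing, no Cleartext-Password is set, and authentication fails
# without any unlang.
abc     Cleartext-Password := "xyz", NAS-Identifier == "staff"
        Reply-Message = "Welcome on board, staff member"
```

To exercise the rule without an AP, feed radclient a request that carries the attribute, for example `printf 'User-Name = "abc"\nUser-Password = "xyz"\nNAS-Identifier = "guests"\n' | radclient -x 127.0.0.1 auth <secret>`, and watch the `-> TRUE` / `-> FALSE` evaluation lines in `radiusd -X`. Two caveats a practitioner should keep in mind: as Alan notes, under 802.1X/EAP the supplicant never sees the Reply-Message, so the text is for the server log only; and NAS-Identifier is whatever the AP chooses to send, protected only by the RADIUS shared secret, so the rule is a per-SSID policy that is only as trustworthy as the AP itself. The request in the original post also carries Aruba-Essid-Name, which names the SSID directly and can be matched in exactly the same way.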
Re: Auth by NAS-Identifier using unlang
Thank you. I now understand.

A stock install of FreeRADIUS in Fedora (i.e. via yum) does not provide a man page for unlang. Had you not helped me, I'd simply not know.

On Mon, Aug 5, 2013 at 6:00 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> On 5 Aug 2013, at 22:37, Joseph Perrin jos...@lifeonthestreet.org wrote:
>
> > The following appears to now work, but I don't understand some things:
> >
> > files
> > if (control:Local-Group != "%{NAS-Identifier}") {
> >
> > Why does control:Local-Group not need to be enclosed in %{ }, but NAS-Identifier does?
>
> In 2.x.x a bareword left operand is assumed to be an attribute reference. A bareword right operand is assumed to be a number literal, or a member of the set of string values associated with an integer attribute. LHS/RHS operands are not interchangeable in their roles.
>
> > And why does the %{ } content need to be within quotes
>
> It's a string expansion; string expansions only function inside double quotes. This is similar to variable expansion in most scripting languages.
>
> > , when the documentation doesn't say anything about them needing to be in quotes?
>
> man unlang:
>
> VARIABLES
>     Run-time variables are referenced using the following syntax:
>
>         %{Variable-Name}
>
>     Note that unlike C, there is no way to declare variables, or to refer to them outside of a string context. All references to variables MUST be contained inside of a double-quoted or back-quoted string.
>
> > It's clear I must have a call to files prior to this in order to populate the control list, right?
>
> Yes.
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team
Re: Auth by NAS-Identifier using unlang
On 08/05/2013 08:49 PM, Joseph Perrin wrote:
> Thank you. I now understand.
>
> A stock install of FreeRADIUS in Fedora (i.e. via yum) does not provide a man page for unlang. Had you not helped me, I'd simply not know.

Nonsense, the freeradius rpm installs the unlang man page. Please provide the exact installed rpm if you think otherwise.

-- 
John