At 12:30 AM 5/29/2002 -0400, Eric Reischer wrote:
>Hi all.  I'm using the 0.5 release on a Linux machine, and I can't seem to 
>get the Ascend-Data-Filter attribute to function properly.  If I put two 
>lines such as:
>DEFAULT Auth-Type := ldap
>         Framed-Protocol = PPP,
>         <more attributes here>
>         Ascend-Data-Filter = "generic in drop 0 0 0",
>         Ascend-Data-Filter = "generic out drop 0 0 0"
>freeradius loads properly, but obviously I can't transfer any data once I 
>connect because the filters are blocking all incoming and outgoing 
>traffic.  But my original intent was to only allow users to connect to our 
>web server, specified here as 192.168.0.5 (the second two lines are for 
>the DNS service):
>[226]   Ascend-Data-Filter = "ip in forward dstip 192.168.0.5/24 tcp 
>dstpost = 80",
>[227]   Ascend-Data-Filter = "ip out forward dstip 192.168.0.5/24 tcp 
>srcpost = 80 1",
>[228]   Ascend-Data-Filter = "ip in forward dstip 192.168.0.15/24 tcp 
>dstpost = 53",
>[229]   Ascend-Data-Filter = "ip out forward dstip 192.168.0.15/24 tcp 
>srcpost = 53 1",
>(I put in the line numbers here to follow the error easier).  And I'd put 
>these attributes where the <more attributes here> entry is above.  However 
>with these entries in /raddb/users I get the error:
>Tue May 28 23:35:35 2002 : Error: //etc/raddb/users[227]: Syntax error: 
>Previous line is missing a trailing comma for entry DEFAULT

Yes, this is a misleading message.  It's been fixed in the current CVS
versions.  It actually refers to the server not being able to parse your
Ascend-Data-Filter syntax.

You'll also want to use the += operator to allow multiple attributes of
the same type.

>So I did some troubleshooting and commented out all but one of the ip 
>filters, and still got the error.  The only way I got the error message to 
>go away was by deleting out all of the string except for the "ip in 
>forward" part.  As soon as I put in "dstip" it gave me that syntax error 
>again.  So I went into the dictionary.ascend file and looked at the 
>Ascend-Data-Filter data type, which was set to abinary, so I tried 
>changing that to type string, and radiusd loaded fine with no syntax 
>errors, but obviously the Ascend Max I'm using didn't like the data it got 
>as part of the radius reply.  Is there some flaw in the abinary data type 
>that's mis-interpreting the data filter as syntax errors??

dstpost is a typo in the examples listed in the 'dictionary.ascend'.  It
should be 'dstport'.

Try changing that, and it should work.

Also, just to verify that filters can be parsed, try the following rules:

    Ascend-Data-Filter += "ip in forward 0"

-Chris
--
    \\\|||///  \          StarNet Inc.      \         Chris Parker
    \ ~   ~ /   \       WX *is* Wireless!    \   Director, Engineering
    | @   @ |    \   http://www.starnetwx.net \      (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
                   \ Wholesale Internet Services - http://www.megapop.net



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
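
An added example, not part of the original message or of FreeRADIUS: a small linter for the two problems named in the reply above, the `dstpost` misspelling and repeated `Ascend-Data-Filter` items that do not use `+=`. The sample entry is constructed from the quoted lines; the function name `lint_users` and the `srcpost` to `srcport` mapping are assumptions made for illustration.

```python
import re

# Constructed sample: a users-file entry modelled on the lines quoted in the
# thread (addresses and misspellings are as posted there).
SAMPLE_USERS = '''\
DEFAULT Auth-Type := ldap
        Framed-Protocol = PPP,
        Ascend-Data-Filter = "ip in forward dstip 192.168.0.5/24 tcp dstpost = 80",
        Ascend-Data-Filter = "ip out forward dstip 192.168.0.5/24 tcp srcpost = 80 1",
        Ascend-Data-Filter += "ip in forward 0"
'''

# Misspelled keyword -> correct keyword. "dstport" is the fix given in the
# reply; "srcport" is added by analogy (assumption of this example).
TYPOS = {"dstpost": "dstport", "srcpost": "srcport"}
# Indented reply item: attribute, operator, quoted value.
ITEM = re.compile(r'^\s+([\w-]+)\s*(\+=|:=|==|=)\s*"([^"]*)"')

def lint_users(text, attr="Ascend-Data-Filter"):
    """Return (line_no, message) findings for the two problems named in the reply."""
    findings = []
    seen = 0  # occurrences of attr in the current entry
    for no, line in enumerate(text.splitlines(), 1):
        if line and not line[0].isspace() and not line.startswith("#"):
            seen = 0  # a non-indented line starts a new entry
            continue
        m = ITEM.match(line)
        if not m or m.group(1) != attr:
            continue
        op, value = m.group(2), m.group(3)
        seen += 1
        if seen > 1 and op != "+=":
            findings.append((no, f"repeated {attr} uses '{op}', expected '+='"))
        for word in value.split():
            if word in TYPOS:
                findings.append((no, f"'{word}' should be '{TYPOS[word]}'"))
    return findings

if __name__ == "__main__":
    for no, msg in lint_users(SAMPLE_USERS):
        print(f"users[{no}]: {msg}")
```

The check covers only those two points and does not validate the rest of the filter grammar.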
