Re: User-Name attribute being evaluated as regular expression???
Alan DeKok-4 wrote:

> bmccorkle wrote:
>
>> I have an issue and haven't been able to find any online help. I thought I had FreeRADIUS working correctly but discovered yesterday that if a user's name starts with 'r' then they can't log in. I set up an unlang if statement (in the default under sites-available) to handle whether the login is a computer, user, or PDA request (I'm assuming this is the best way to do it). The statement copies the User-Name attribute over to a Stripped-User-Name attribute and manipulates the Stripped-User-Name as necessary. Normally when a user logs in it's in the format: DOMAIN\first.lastname. I created some attr_rewrite modules to strip the domain and period out of the username.
>
> You don't need to do that. You can just use regular expressions.
>
>> It was working fine, but I discovered if Randy Hall logs in (User-Name = DOMAIN\randy.hall); Stripped-User-Name becomes: DOMAIN andy halll (domain is not removed, the r in his name disappears and the last letter seems to be doubled (I tried this with another user and it removed the r from his name and doubled the 's' at the end of his name as well).
>
> I think there's an issue with the attr_rewrite module. Grab the latest one in CVS; it may be better.
>
>> So what is going on exactly? I'm not an expert but it seems like the attribute is being evaluated as a regular expression???
>
> No... I think your configuration is too complex.
>
>>     attr_rewrite copy.user-name {
>>         attribute = Stripped-User-Name
>>         new_attribute = yes
>>         searchfor =
>>         searchin = packet
>>         replacewith = %{User-Name}
>>     }
>
> You don't need this. The regular expression code in unlang can do all of this. It's not clear to me what you're trying to do, because your configuration is so complex. Just write a bunch of regular expressions to match what you want, and use %{1}, etc.
>
> Try writing a few *simple* examples of what you want to do. Odds are you can write a simple regex expression that does everything. You don't need attr_rewrite. e.g. for DOMAIN\randy.hall:
>
>     if (User-Name =~ /^DOMAIN\\(.*)/) {
>         update request {
>             Stripped-User-Name := %{1}
>         }
>     }
>
> I don't see why it has to be more complex than that.
>
> Alan DeKok.
>
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

You were right about using the regular expressions instead of the attr_rewrite statements. It took me a day to figure out regular expressions (hadn't touched them in a couple of years) but it greatly simplified things and it's running smoother. We had started with version 1 of FreeRADIUS for our testing and then I built another box with version 2. When I configured the new box I had simply moved over the attr_rewrite statements because the old box was working with them (or seemed to at least).

One last question though. I'm using 'if' statements to evaluate the User-Name variable for the various formats the username might be in. Is it possible with unlang to evaluate the regular expression with a switch statement? For example, my 'if' statement...

    #USER LOGIN (DOMAIN\\FIRST.LAST)
    if (User-Name =~ /DOMAIN[\\]{1,2}(.*)/i) {
        update request {
            Stripped-User-Name := %{1}
        }
    }
    #HOST LOGIN (HOST/COMPUTERNAME.DOMAIN.EDU)
    elsif (User-Name =~ /host\/([a-z0-9\-]*)[\.]{1}DOMAIN[\.]{1}EDU/i) {
        update request {
            Stripped-User-Name := %{1}$
        }
    }
    #PDA LOGIN ([EMAIL PROTECTED])
    elsif (User-Name =~ /([A-Z0-9\-\.]*)@/i) {
        update request {
            Stripped-User-Name := %{1}
        }
    }
    #GIVE ONE LAST TRY
    elsif (User-Name =~ /(.*)/i) {
        update request {
            Stripped-User-Name := %{1}
        }
    }

Can this be rewritten in a switch statement like so..

    Switch User-Name {
        Case (/REGULAR EXPRESSION/i) {
        }
        Case (/REGULAR EXPRESSION2/i) {
        }
    }

I didn't see anything in the unlang manual (or wasn't understanding it correctly) so I didn't try it. But if it's not, I think it would be nice to have.

--
View this message in context: http://www.nabble.com/User-Name-attribute-being-evaluated-as-regular-expressiontp16850734p16985248.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
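To show what the final if/elsif chain in the message above computes, here is an added Python equivalent (not code from the thread or from FreeRADIUS) that applies the same four patterns in the same first-match order; the sample User-Names are constructed. Because the DOMAIN\ prefix is consumed by the match and only the capture is kept, the backslash in DOMAIN\randy.hall never reaches a replacement string.

```python
import re

# Python equivalents of the four unlang rules in the post, in evaluation order.
# unlang "=~" searches anywhere in the string unless the pattern is anchored,
# so re.search is used; the /i flag maps to re.IGNORECASE.
# Each entry: (rule name, compiled regex, suffix appended to capture group 1).
RULES = [
    # USER LOGIN (DOMAIN\FIRST.LAST); one or two backslashes, as the NAS may escape it
    ("user", re.compile(r"DOMAIN[\\]{1,2}(.*)", re.IGNORECASE), ""),
    # HOST LOGIN (host/COMPUTERNAME.DOMAIN.EDU); "$" is appended for the machine account
    ("host", re.compile(r"host/([a-z0-9\-]*)[\.]{1}DOMAIN[\.]{1}EDU", re.IGNORECASE), "$"),
    # PDA LOGIN (user@DOMAIN); keep the local part before "@"
    ("pda", re.compile(r"([A-Z0-9\-\.]*)@", re.IGNORECASE), ""),
    # GIVE ONE LAST TRY; the whole name unchanged
    ("fallback", re.compile(r"(.*)", re.IGNORECASE), ""),
]


def strip_user_name(user_name: str):
    """Return (rule name, Stripped-User-Name) for the first rule that matches,
    mirroring unlang's if/elsif first-match evaluation."""
    for name, pattern, suffix in RULES:
        m = pattern.search(user_name)
        if m:
            return name, m.group(1) + suffix
    return None, user_name  # unreachable: the fallback rule always matches


if __name__ == "__main__":
    # Constructed samples covering each branch, including the thread's own case.
    for sample in ["DOMAIN\\randy.hall", "DOMAIN\\\\randy.hall",
                   "host/lab-pc01.domain.edu", "jane.doe@DOMAIN.EDU", "guest"]:
        print(repr(sample), "->", strip_user_name(sample))
```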
User-Name attribute being evaluated as regular expression???
Hello,

I have an issue and haven't been able to find any online help. I thought I had FreeRADIUS working correctly but discovered yesterday that if a user's name starts with 'r' then they can't log in. I set up an unlang if statement (in the default under sites-available) to handle whether the login is a computer, user, or PDA request (I'm assuming this is the best way to do it). The statement copies the User-Name attribute over to a Stripped-User-Name attribute and manipulates the Stripped-User-Name as necessary. Normally when a user logs in it's in the format: DOMAIN\first.lastname. I created some attr_rewrite modules to strip the domain and period out of the username. It was working fine, but I discovered if Randy Hall logs in (User-Name = DOMAIN\randy.hall); Stripped-User-Name becomes: DOMAIN andy halll (domain is not removed, the r in his name disappears and the last letter seems to be doubled (I tried this with another user and it removed the r from his name and doubled the 's' at the end of his name as well).

So what is going on exactly? I'm not an expert but it seems like the attribute is being evaluated as a regular expression??? I commented out all the attr_rewrite modules except for the one that copies the User-Name over to Stripped-User-Name and noticed the Stripped-User-Name was still incorrect in my LDAP search.

...attr_rewrite section in RADIUSD.CONF...

    attr_rewrite copy.user-name {
        attribute = Stripped-User-Name
        new_attribute = yes
        searchfor =
        searchin = packet
        replacewith = %{User-Name}
    }
    attr_rewrite add-dollar-sign {
        attribute = Stripped-User-Name
        searchfor = ^(host/.*)
        searchin = packet
        new_attribute = no
        replacewith = %{1}$
    }
    attr_rewrite strip-realm-name {
        attribute = Stripped-User-Name
        new_attribute = no
        searchin = packet
        searchfor = ^(.*[\\/]+)
        replacewith =
        max_matches = 1
    }
    attr_rewrite remove-domain {
        attribute = Stripped-User-Name
        new_attribute = no
        searchfor = \.DOMAIN\.EDU
        searchin = packet
        replacewith =
        max_matches = 1
    }
    attr_rewrite pda-fix {
        attribute = Stripped-User-Name
        new_attribute = no
        searchfor = @DOMAIN
        searchin = packet
        replacewith =
        max_matches = 1
    }
    attr_rewrite strip-period {
        attribute = Stripped-User-Name
        new_attribute = no
        searchin = packet
        searchfor = [.]
        replacewith =
        max_matches = 1
    }

...if statement in default under sites-available...

    #Host Login
    if (User-Name =~ /^(host\/.*)/i) {
        copy.user-name
        strip-realm-name
        remove-domain
    }
    #User Login
    elsif (User-Name =~ /^(DOMAIN\\.*)/i) {
        copy.user-name
        strip-realm-name
        strip-period
    }
    #PDA Login
    elsif (User-Name =~ /(@DOMAIN.EDU)/i) {
        copy.user-name
        remove-domain
        strip-period
    }
    else {
        copy.user-name
        strip-period
    }

...OUTPUT...

    Waking up in 3.9 seconds.
            User-Name = DOMAIN\\randy.hall
            Framed-MTU = 1400
            Called-Station-Id = 001a.e210.7420
            Calling-Station-Id = 000e.3558.6ea4
            Service-Type = Login-User
            Message-Authenticator = 0x3ee4bc7ed916ea6dc3bdb3d527346d95
            EAP-Message = 0x0202001701474148414e4e415c72616e64792e68616c6c
            NAS-Port-Type = Wireless-802.11
            NAS-Port = 3649
            NAS-IP-Address = 192.168.0.229
            NAS-Identifier = Company
    +- entering group authorize
    ++[preprocess] returns ok
            expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/192.168.0.229/auth-detail-20080424
    rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/192.168.0.229/auth-detail-20080424
            expand: %t -> Thu Apr 24 10:18:40 2008
    ++[auth_log] returns ok
    ++? if (User-Name =~ /^(host\/.*)/i)
    ? Evaluating (User-Name =~ /^(host\/.*)/i) -> FALSE
    ++? if (User-Name =~ /^(host\/.*)/i) -> FALSE
    ++? elsif (User-Name =~ /^(DOMAIN\\.*)/i)
    ? Evaluating (User-Name =~ /^(DOMAIN\\.*)/i) -> TRUE
    ++? elsif (User-Name =~ /^(DOMAIN\\.*)/i) -> TRUE
    ++- entering elsif (User-Name =~ /^(DOMAIN\\.*)/i)
            expand: %{User-Name} -> DOMAIN\randy.hall
    copy.user-name: Added attribute Stripped-User-Name with value 'DOMAIN\randy.hall'
    +++[copy.user-name] returns ok
            expand: ^(.*[\/]+) -> ^(.*[\/]+)
    strip-realm-name: Does not match: Stripped-User-Name = DOMAIN andy.halll
    +++[strip-realm-name] returns ok
            expand: [.] -> [.]
            expand:  ->
    strip-period: Changed value for attribute Stripped-User-Name from 'DOMAIN andy.halll' to 'DOMAIN andy halll'
Re: vmps documentation?
Phil Mayers wrote:

>     server vmps {
>         ... stuff
>         vmps {
>             ... stuff
>             mac2vlan.authorize
>             If (!ok) {
>                 update reply {
>                     VMPS-VLAN-Name = Public
>                 }
>             }
>         }
>     }
>
> If is wrong - it should be if

Ahhh, you're right. FreeRADIUS started right up after I fixed that. All those English classes ruined my programming skills :)

Everything seems to be working, thanks Phil, Alan for all the help!
Re: vmps documentation?
Phil Mayers wrote:

> Normally you simply configure the module correctly, i.e. prefix the key with a * and reply items with = as per man rlm_passwd:
>
>     modules {
>         passwd mac2vlan {
>             filename = /etc/raddb/mac2vlan
>             format = *MyMac:=VMPS-VLAN-Name
>             hashsize = 100
>         }
>     }
>
> ...then call that module in your unlang section:
>
>     vmps {
>         ... stuff
>         # now call the passwd module
>         mac2vlan
>     }
>
> ...however, the vmps section is really a re-named post-auth section, and the rlm_passwd module does not have a post-auth handler; so you need (I think) to do this:
>
>     vmps {
>         ...stuff
>         # call the passwd authorize method
>         mac2vlan.authorize
>     }
>
> This is not documented AFAICT, but I've seen Alan mention it in a mailing list post and the code seems to be present in 2.0.3

Ok, that let me get it working. I had to use mac2vlan.authorize instead of just the module name. Perhaps I should have mentioned I'm running 2.0.1 on FreeBSD (2.0.3 doesn't seem to be available in the ports collection yet).

I still have one more problem. I want it to call the mac2vlan module and, if the MAC address isn't found in the file, assign our public VLAN group to the VMPS-VLAN-Name attribute. So I am trying to get the module return code from mac2vlan. But when I do the following...

    server vmps {
        ... stuff
        vmps {
            ... stuff
            mac2vlan.authorize
            If (!ok) {
                update reply {
                    VMPS-VLAN-Name = Public
                }
            }
        }
    }

The server refuses to start at all until I comment out the if statement. Did I forget to read something on module return codes or am I calling it wrong?
Re: vmps documentation?
Ok, that info helped me out but not all the way. I created another virtual server 'vmps' in the sites-available folder and linked the file to sites-enabled. I got this code off of another post here that uses a SQL db...

    vmps {
        # the mac address can be in several places...
        if (%{VMPS-Ethernet-Frame} =~ /0x(..)(..)(..)(..)(..)(..).*/) {
            update request {
                MyMac = %{1}:%{2}:%{3}:%{4}:%{5}:%{6}
            }
        }
        else {
            update request {
                MyMac = %{%{VMPS-Cookie}:-%{VMPS-MAC}}
            }
        }
        # required VMPS reply attributes
        update reply {
            VMPS-Packet-Type = VMPS-Join-Response
            VMPS-Cookie = %{MyMac}
        }
        # lookup the zone in sql
        update reply {
            VMPS-VLAN-Name = %{sql:select ... where mac='%{MyMac}'}
        }
    }

I created a text file with MAC addresses and VLAN groups from what rlm_passwd says, but I'm still having trouble understanding how to make the comparison. If I do this...

    update reply {
        VMPS-VLAN-Name = VLAN5
    }

then the request gets properly assigned to VLAN 5. But how do I modify this line to check the text file for the MAC-to-VLAN mapping? Nothing I tried seemed to work. I'm trying to do something like this...

    If Mac Address = Mac address in Text File then
        VMPS-VLAN-NAME = VLAN Group in Text File
    Else
        VMPS-VLAN-NAME = Guest Access Group
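As an added illustration (not code from the thread, from rlm_passwd or from FreeRADIUS), the following Python mirrors the two pieces discussed in this thread: the MAC extraction from VMPS-Ethernet-Frame in the unlang above, and the mac2vlan file lookup with a fallback to a public VLAN for unknown MACs that Phil's reply and the follow-up question describe. The file contents, the "|" delimiter and the MAC values are constructed assumptions; a real rlm_passwd file would need its delimiter setting to match.

```python
import re

# Constructed mac2vlan mapping (an assumption for this example, not the poster's
# file): one "key|VLAN" line per MAC, in the key-then-reply-item shape of the
# "*MyMac:=VMPS-VLAN-Name" format quoted in Phil's reply. "|" is used instead of
# rlm_passwd's default ":" delimiter because the MAC itself contains colons.
MAC2VLAN_FILE = """\
# mac|vlan
00:11:22:33:44:55|VLAN5
00:11:22:33:44:66|VLAN10
"""
PUBLIC_VLAN = "Public"  # the guest VLAN the follow-up question wants as fallback
FRAME_RE = re.compile(r"0x(..)(..)(..)(..)(..)(..).*")  # regex from the unlang above


def load_mac2vlan(text, delimiter="|"):
    """Parse the mapping file into {mac: vlan}; blank and '#' lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, vlan = line.split(delimiter, 1)
        table[mac.strip().lower()] = vlan.strip()
    return table


def mac_from_request(frame_hex=None, cookie=None, mac=None):
    """Same precedence as the unlang: the first six octets of
    VMPS-Ethernet-Frame, else VMPS-Cookie, else VMPS-MAC."""
    if frame_hex:
        m = FRAME_RE.search(frame_hex)
        if m:
            return ":".join(m.groups()).lower()
    return (cookie or mac or "").lower()


def vlan_for(table, mac):
    """mac2vlan lookup; an unknown MAC gets the public VLAN, which is the effect
    of 'if (!ok) { update reply { VMPS-VLAN-Name = Public } }' after the lookup."""
    return table.get(mac, PUBLIC_VLAN)


def build_reply(table, frame_hex=None, cookie=None, mac=None):
    """Assemble the reply attributes the unlang sets for a VMPS join."""
    found = mac_from_request(frame_hex, cookie, mac)
    return {"VMPS-Packet-Type": "VMPS-Join-Response",
            "VMPS-Cookie": found,
            "VMPS-VLAN-Name": vlan_for(table, found)}


if __name__ == "__main__":
    t = load_mac2vlan(MAC2VLAN_FILE)
    print(build_reply(t, frame_hex="0x001122334455aabbccddeeff0800"))  # known MAC
    print(build_reply(t, mac="DE:AD:BE:EF:00:01"))                     # falls back to Public
```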
vmps documentation?
Can someone point me to documentation on how to use VMPS in FreeRADIUS 2? I've googled for documents but only find a few discussions on the topic (mostly from this forum). I get the part on adding the listen section in radiusd.conf so the server listens for VMPS requests. However, I'm having trouble understanding the actual coding to do the comparison of the MAC address in the request against the MAC address list. Also, the one or two examples I have seen seem to use a MySQL database to store the MAC addresses. Can FreeRADIUS use a simple text file to store the MAC addresses for comparison or do they need to be stored in a database?