Re: User-Name attribute being evaluated as regular expression???

2008-04-30 Thread bmccorkle


Alan DeKok-4 wrote:
> bmccorkle wrote:
> > I have an issue and haven't been able to find any online help.  I
> > thought I had freeradius working correctly but discovered yesterday that
> > if a user's name starts with 'r' then they can't log in.  I set up an
> > unlang if statement (in the default sites available) to handle whether
> > the login is a computer, user, or pda request (I'm assuming this is the
> > best way to do it).  The statement copies the User-Name attribute over
> > to a Stripped-User-Name attribute and manipulates the Stripped-User-Name
> > as necessary.  Normally when a user logs in it's in the format:
> > DOMAIN\first.lastname.  I created some attr_rewrite modules to strip the
> > domain and period out of the username.
>
>   You don't need to do that.  You can just use regular expressions.
>
> > It was working fine, but I discovered if Randy Hall logs in (User-Name =
> > DOMAIN\randy.hall); Stripped-User-Name becomes:
> > DOMAIN andy halll   (domain is not removed, the r in his name disappears
> > and the last letter seems to be doubled; I tried this with another user
> > and it removed the r from his name and doubled the 's' at the end of his
> > name as well).
>
>   I think there's an issue with the attr_rewrite module.  Grab the
> latest one in CVS; it may be better.
>
> > So what is going on exactly?  I'm not an expert but it seems like the
> > attribute is being evaluated as a regular expression???
>
>   No... I think your configuration is too complex.
>
> > attr_rewrite copy.user-name {
> >     attribute = Stripped-User-Name
> >     new_attribute = yes
> >     searchfor =
> >     searchin = packet
> >     replacewith = %{User-Name}
> > }
>
>   You don't need this.  The regular expression code in unlang can do all
> of this.
>
>   It's not clear to me what you're trying to do, because your
> configuration is so complex.  Just write a bunch of regular expressions
> to match what you want, and use %{1}, etc.
>
>   Try writing a few *simple* examples of what you want to do.  Odds are
> you can write a simple regex expression that does everything.  You don't
> need attr_rewrite.
>
>   e.g. for : DOMAIN\randy.hall
>
>   if (User-Name =~ /^DOMAIN\\(.*)/) {
>       update request {
>           Stripped-User-Name := %{1}
>       }
>   }
>
>   I don't see why it has to be more complex than that.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html


You were right about using the regular expressions instead of the
attr_rewrite statements.  It took me a day to figure out regular expressions
(hadn't touched them in a couple of years) but it greatly simplified things
and it's running smoother.  We had started with version 1 of Freeradius for
our testing and then I built another box with version 2.  When I configured
the new box I had simply moved over the attr_rewrite statements because the
old box was working with them (or seemed to at least).  One last question
though.  I'm using 'if' statements to evaluate the User-Name variable for
the various formats the username might be in.  Is it possible with
unlang to evaluate the regular expression with a switch statement?  For
example, my 'if' statement...


#USER LOGIN (DOMAIN\\FIRST.LAST)
if (User-Name =~ /DOMAIN[\\]{1,2}(.*)/i) {
    update request {
        Stripped-User-Name := %{1}
    }
}
#HOST LOGIN (HOST/COMPUTERNAME.DOMAIN.EDU)
elsif (User-Name =~ /host\/([a-z0-9\-]*)[\.]{1}DOMAIN[\.]{1}EDU/i) {
    update request {
        Stripped-User-Name := %{1}$
    }
}
#PDA LOGIN ([EMAIL PROTECTED])
elsif (User-Name =~ /([A-Z0-9\-\.]*)@/i) {
    update request {
        Stripped-User-Name := %{1}
    }
}
#GIVE ONE LAST TRY
elsif (User-Name =~ /(.*)/i) {
    update request {
        Stripped-User-Name := %{1}
    }
}

Can this be rewritten in a Switch statement like so...

Switch User-Name {

    Case (/REGULAR EXPRESSION/i) {
    }

    Case (/REGULAR EXPRESSION2/i) {
    }
}

I didn't see anything in the unlang manual (or wasn't understanding it
correctly) so I didn't try it.  But if it's not, I think it would be nice to
have.

-- 
View this message in context: 
http://www.nabble.com/User-Name-attribute-being-evaluated-as-regular-expressiontp16850734p16985248.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

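The same four-way match as the if/elsif chain above, written as an added Python example (not code from the post or from FreeRADIUS): an ordered table of (regex, action) pairs where the first match wins, which is also the shape a switch over regular expressions would take. The patterns are the ones from the post; the sample User-Names and the `is_consistent` check are constructed here, and `re.search` with `re.I` stands in for unlang's unanchored `=~ /.../i`.

```python
import re

# The four patterns from the post's if/elsif chain, in the same order.
# unlang's =~ is an unanchored, case-insensitive (/i) search, so re.search
# with re.I is the matching Python operation.  First match wins.
RULES = [
    # USER LOGIN (DOMAIN\FIRST.LAST): one or two backslashes after the domain
    (re.compile(r"DOMAIN[\\]{1,2}(.*)", re.I),
     lambda m: m.group(1)),
    # HOST LOGIN (host/COMPUTERNAME.DOMAIN.EDU): machine account, so append '$'
    (re.compile(r"host/([a-z0-9\-]*)[\.]{1}DOMAIN[\.]{1}EDU", re.I),
     lambda m: m.group(1) + "$"),
    # PDA LOGIN (local-part@...): keep what precedes the '@'
    (re.compile(r"([A-Z0-9\-\.]*)@", re.I),
     lambda m: m.group(1)),
    # GIVE ONE LAST TRY: anything else passes through unchanged
    (re.compile(r"(.*)", re.I),
     lambda m: m.group(1)),
]


def strip_user_name(user_name):
    """Return the Stripped-User-Name the unlang chain would set for user_name."""
    for pattern, action in RULES:
        m = pattern.search(user_name)
        if m:
            return action(m)
    return user_name  # not reached: the last rule matches every string


def is_consistent(user_name, stripped):
    """Constructed sanity check: apart from the '$' the host rule appends, the
    stripped value must occur verbatim in the original.  A rewrite that drops
    or duplicates characters (the 'DOMAIN andy halll' value from the post)
    fails this check instead of being passed on to the LDAP lookup."""
    return stripped.rstrip("$") in user_name


if __name__ == "__main__":
    # Constructed sample User-Names covering each branch; the doubled
    # backslash form is what the debug output in the post shows.
    for name in ["DOMAIN\\randy.hall", "DOMAIN\\\\randy.hall",
                 "host/pc-01.DOMAIN.EDU", "jane.doe@DOMAIN.EDU", "bob"]:
        out = strip_user_name(name)
        print("%-24s -> %-12s consistent=%s" % (name, out, is_consistent(name, out)))
```

Because the rules are data rather than nested conditionals, adding a format means appending one row; the order of the rows is still what decides precedence, exactly as with if/elsif.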


User-Name attribute being evaluated as regular expression???

2008-04-24 Thread bmccorkle

Hello,

  I have an issue and haven't been able to find any online help.  I thought
I had freeradius working correctly but discovered yesterday that if a user's
name starts with 'r' then they can't log in.  I set up an unlang if statement
(in the default sites available) to handle whether the login is a computer,
user, or pda request (I'm assuming this is the best way to do it).  The
statement copies the User-Name attribute over to a Stripped-User-Name
attribute and manipulates the Stripped-User-Name as necessary.  Normally when
a user logs in it's in the format: DOMAIN\first.lastname.  I created some
attr_rewrite modules to strip the domain and period out of the username.

It was working fine, but I discovered if Randy Hall logs in (User-Name =
DOMAIN\randy.hall); Stripped-User-Name becomes:
DOMAIN andy halll   (domain is not removed, the r in his name disappears and
the last letter seems to be doubled; I tried this with another user and it
removed the r from his name and doubled the 's' at the end of his name as
well).

So what is going on exactly?  I'm not an expert but it seems like the
attribute is being evaluated as a regular expression???  I commented out all
the attr_rewrite modules except for the one that copies the user-name over
to stripped-user-name and noticed the stripped-user-name was still incorrect
in my ldap search.  

attr_rewrite section in RADIUSD.CONF:

attr_rewrite copy.user-name {
    attribute = Stripped-User-Name
    new_attribute = yes
    searchfor =
    searchin = packet
    replacewith = %{User-Name}
}

attr_rewrite add-dollar-sign {
    attribute = Stripped-User-Name
    searchfor = ^(host/.*)
    searchin = packet
    new_attribute = no
    replacewith = %{1}$
}

attr_rewrite strip-realm-name {
    attribute = Stripped-User-Name
    new_attribute = no
    searchin = packet
    searchfor = ^(.*[\\/]+)
    replacewith =
    max_matches = 1
}

attr_rewrite remove-domain {
    attribute = Stripped-User-Name
    new_attribute = no
    searchfor = \.DOMAIN\.EDU
    searchin = packet
    replacewith =
    max_matches = 1
}

attr_rewrite pda-fix {
    attribute = Stripped-User-Name
    new_attribute = no
    searchfor = @DOMAIN
    searchin = packet
    replacewith =
    max_matches = 1
}

attr_rewrite strip-period {
    attribute = Stripped-User-Name
    new_attribute = no
    searchin = packet
    searchfor = [.]
    replacewith =
    max_matches = 1
}


If statement in default under sites-available:

#Host Login
if (User-Name =~ /^(host\/.*)/i) {
    copy.user-name
    strip-realm-name
    remove-domain
}
#User Login
elsif (User-Name =~ /^(DOMAIN\\.*)/i) {
    copy.user-name
    strip-realm-name
    strip-period
}
#PDA Login
elsif (User-Name =~ /(@DOMAIN.EDU)/i) {
    copy.user-name
    remove-domain
    strip-period
}
else {
    copy.user-name
    strip-period
}


OUTPUT:

Waking up in 3.9 seconds.
User-Name = DOMAIN\\randy.hall
Framed-MTU = 1400
Called-Station-Id = 001a.e210.7420
Calling-Station-Id = 000e.3558.6ea4
Service-Type = Login-User
Message-Authenticator = 0x3ee4bc7ed916ea6dc3bdb3d527346d95
EAP-Message = 0x0202001701474148414e4e415c72616e64792e68616c6c
NAS-Port-Type = Wireless-802.11
NAS-Port = 3649
NAS-IP-Address = 192.168.0.229
NAS-Identifier = Company
+- entering group authorize
++[preprocess] returns ok
expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/radacct/192.168.0.229/auth-detail-20080424
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radacct/192.168.0.229/auth-detail-20080424
expand: %t - Thu Apr 24 10:18:40 2008
++[auth_log] returns ok
++? if (User-Name =~ /^(host\/.*)/i)
? Evaluating (User-Name =~ /^(host\/.*)/i) - FALSE
++? if (User-Name =~ /^(host\/.*)/i) - FALSE
++? elsif (User-Name =~ /^(DOMAIN\\.*)/i)
? Evaluating (User-Name =~ /^(DOMAIN\\.*)/i) - TRUE
++? elsif (User-Name =~ /^(DOMAIN\\.*)/i) - TRUE
++- entering elsif (User-Name =~ /^(DOMAIN\\.*)/i)
expand: %{User-Name} - DOMAIN\randy.hall
copy.user-name: Added attribute Stripped-User-Name with value
'DOMAIN\randy.hall'
+++[copy.user-name] returns ok
expand: ^(.*[\/]+) - ^(.*[\/]+)
strip-realm-name: Does not match: Stripped-User-Name = DOMAIN andy.halll
+++[strip-realm-name] returns ok
expand: [.] - [.]
expand:   -
strip-period: Changed value for attribute Stripped-User-Name from 'DOMAIN
andy.halll' to 'DOMAIN andy halll'

Re: vmps documentation?

2008-04-02 Thread bmccorkle


Phil Mayers wrote:
> > server vmps {
> >
> >     ... stuff
> >
> >     vmps {
> >
> >         ... stuff
> >
> >         mac2vlan.authorize
> >
> >         If (!ok) {
> >             update reply {
> >                 VMPS-VLAN-Name = Public
> >             }
> >         }
> >     }
> > }
>
> If is wrong - it should be if
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html


Ahhh, you're right.  Freeradius started right up after I fixed that.  All
those English classes ruined my programming skills :)  Everything seems to
be working, thanks Phil and Alan for all the help!

-- 
View this message in context: 
http://www.nabble.com/vmps-documentation--tp16315996p16446927.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: vmps documentation?

2008-04-01 Thread bmccorkle

Phil Mayers wrote:
> Normally you simply configure the module correctly, i.e. prefix the key
> with a * and reply items with = as per man rlm_passwd
>
> modules {
>     passwd mac2vlan {
>         filename = /etc/raddb/mac2vlan
>         format = *MyMac:=VMPS-VLAN-Name
>         hashsize = 100
>     }
> }
>
> ...then call that module in your unlang section:
>
> vmps {
>     ... stuff
>     # now call the passwd module
>     mac2vlan
> }
>
> ...however, the vmps section is really a re-named post-auth section,
> and the rlm_passwd module does not have a post-auth handler; so you need
> (I think) to do this:
>
> vmps {
>     ...stuff
>     # call the passwd authorize method
>     mac2vlan.authorize
> }
>
> This is not documented AFAICT, but I've seen Alan mention it in a mailing
> list post and the code seems to be present in 2.0.3

Ok, that let me get it working.  I had to use mac2vlan.authorize instead of
just the module name.  Perhaps I should have mentioned I'm running 2.0.1 on
FreeBSD (2.0.3 doesn't seem to be available on the ports collection yet).  

I still have one more problem.  I want it to call the mac2vlan module and if
the mac address isn't found in the file, assign our public vlan group to the
VMPS-VLAN-Name attribute.  So I am trying to get the module return code from
mac2vlan.  But when I do the following...

server vmps {

    ... stuff

    vmps {

        ... stuff

        mac2vlan.authorize

        If (!ok) {
            update reply {
                VMPS-VLAN-Name = Public
            }
        }
    }
}

The server refuses to start at all until I comment out the if statement. 
Did I forget to read something on module return codes or am I calling it
wrong?
-- 
View this message in context: 
http://www.nabble.com/vmps-documentation--tp16315996p16418725.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: vmps documentation?

2008-03-31 Thread bmccorkle

Ok, that info helped me out but not all the way.  I created another virtual
server 'vmps' in the sites-available folder and linked the file to
sites-enabled.  I got this code off of another post here that uses a sql
db...

vmps {
    # the mac address can be in several places...
    if (%{VMPS-Ethernet-Frame} =~ /0x(..)(..)(..)(..)(..)(..).*/) {
        update request {
            MyMac = %{1}:%{2}:%{3}:%{4}:%{5}:%{6}
        }
    }
    else {
        update request {
            MyMac = %{%{VMPS-Cookie}:-%{VMPS-MAC}}
        }
    }

    # required VMPS reply attributes
    update reply {
        VMPS-Packet-Type = VMPS-Join-Response
        VMPS-Cookie = %{MyMac}
    }

    # lookup the zone in sql
    update reply {
        VMPS-VLAN-Name = %{sql:select ... where mac='%{MyMac}'}
    }
}

I created a text file with Mac Addresses and Vlan Groups from what
rlm_passwd says but I'm still having trouble understanding how to make the
comparison.

If I do this...

update reply {
    VMPS-VLAN-Name = VLAN5
}

then the request gets properly assigned to VLAN 5.  But how do I modify this
line to check the text file for the mac to vlan mapping?  Nothing I tried
seemed to work.  I'm trying to do something like this...


If Mac Address = Mac address in Text File then
    VMPS-VLAN-NAME = VLAN Group in Text File
Else
    VMPS-VLAN-NAME = Guest Access Group

-- 
View this message in context: 
http://www.nabble.com/vmps-documentation--tp16315996p16396500.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

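The text-file lookup asked for in this post, combined with the passwd-file format and the "unknown MAC falls back to Public" logic from the 2008-04-01 post, as an added Python example (not code from the thread or from FreeRADIUS). The frame regex and the `%{%{VMPS-Cookie}:-%{VMPS-MAC}}` fallback order are taken from the unlang above; the mac2vlan file contents, the VLAN names and the sample frames are constructed here (the two MACs are the Station-Id values from the debug output earlier on the page). Each function returns what the corresponding update would set, so the whole decision can be checked offline.

```python
import re

# Constructed rlm_passwd file in the layout Phil Mayers describes
# (format = *MyMac:=VMPS-VLAN-Name): the key column first, ':' delimited,
# the reply item second.  MACs taken from the Station-Id values in the
# debug output earlier on the page; the VLAN names are made up.
MAC2VLAN_FILE = """\
# MAC:VLAN-name
00:1a:e2:10:74:20:VLAN5
00:0e:35:58:6e:a4:VLAN7
"""

DEFAULT_VLAN = "Public"  # the guest VLAN the post wants for unknown MACs

# Same regex as the unlang in the post: the first six octets of the hex dump
FRAME_RE = re.compile(r"0x(..)(..)(..)(..)(..)(..).*")


def parse_mac2vlan(text):
    """Parse 'mac:vlan' lines into a dict keyed by lower-case MAC.
    rpartition keeps the colon-separated MAC intact and takes the last
    field as the VLAN name; blank lines and '#' comments are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, _, vlan = line.rpartition(":")
        table[mac.lower()] = vlan
    return table


MAC2VLAN_TABLE = parse_mac2vlan(MAC2VLAN_FILE)


def mac_from_frame(frame_hex):
    """Build MyMac from VMPS-Ethernet-Frame as the post's unlang does:
    %{1}:%{2}:...:%{6} from the first six octets, or None if no match."""
    m = FRAME_RE.search(frame_hex)
    if not m:
        return None
    return ":".join(m.groups()).lower()


def assign_vlan(frame_hex, cookie, mac, table=MAC2VLAN_TABLE, default=DEFAULT_VLAN):
    """Mirror the whole vmps section: MyMac from the frame if present, else
    VMPS-Cookie, else VMPS-MAC (the %{%{VMPS-Cookie}:-%{VMPS-MAC}} fallback),
    then the lookup with the default VLAN when the MAC is absent.
    Returns (MyMac, VMPS-VLAN-Name, found)."""
    my_mac = mac_from_frame(frame_hex) if frame_hex else None
    if my_mac is None:
        my_mac = (cookie or mac or "").lower()
    vlan = table.get(my_mac)
    return my_mac, (vlan if vlan is not None else default), vlan is not None


if __name__ == "__main__":
    # Constructed requests: a known MAC, an unknown one, and a cookie-only one
    for args in [("0x001ae2107420000e35586ea40800", None, None),
                 ("0xdeadbeef0001000e35586ea40800", None, None),
                 (None, "00:0E:35:58:6E:A4", None)]:
        print(assign_vlan(*args))
```

The `found` flag is the piece the unlang version gets from the module return code (`if (!ok)` in lower case, as Phil noted): an unknown MAC is always placed on the guest VLAN rather than being left with whatever VLAN a previous rule set, and lower-casing both the file keys and the looked-up MAC keeps a mixed-case cookie from silently missing an entry.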


vmps documentation?

2008-03-27 Thread bmccorkle

Can someone point me to documentation on how to use vmps in freeradius 2? 
I've googled for documents but only find a few discussions on the topic
(mostly from this forum).  I get the part on adding the listen section in
radiusd.conf so the server listens for vmps requests.  However, I'm having
trouble understanding the actual coding to do the comparison of the mac
address in the request against the mac address list.  Also, the one or two
examples I have seen seem to use a mysql database to store the mac
addresses.  Can freeradius use a simple text file to store the mac addresses
for comparison or do they need to be stored in a database?

-- 
View this message in context: 
http://www.nabble.com/vmps-documentation--tp16315996p16315996.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
