unlang Question about evaluating unavailable attributes to FALSE

2011-05-17 Thread Stefan A.
Hi,

if I'm using an expression like

if (control:VSA1=~/something/ || control:VSA2 =~/something_else/)
{...}

I do get the information (Attribute control:VSA1 was not found) in case
the VSA is not in the control context.
As the condition is '||', I would expect that FR tries the next option, but
it does not. It sets the whole expression to FALSE.

If I exchange the Options, it works for me, because VSA2 is always
available.

if (control:VSA2=~/something/ || control:VSA1 =~/something_else/)
{...}

If I preset VSA1, it works too, but will add slightly more load.


Is there a solution for the missing attribute to be ignored in '||'
conditions, i.e. setting it discretely to FALSE, so that FR is able to evaluate
the rest of the || expression? Would this be advisable?


Thank you.
Stefan







-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: unlang Question about evaluating unavailable attributes to FALSE

2011-05-17 Thread Alan DeKok
Stefan A. wrote:
 if I'm using an expression like
 
   if (control:VSA1=~/something/ || control:VSA2 =~/something_else/)
 {...}
 
 I do get the information (Attribute control:VSA1 was not found) in case
 the VSA is not in the control context.
 As the condition is '||', I would expect that FR tries the next option, but
 it does not. It sets the whole expression to FALSE.

  I think that's fixed in the v2.1.x branch in git.  The fix will be in
2.1.11.

  Alan DeKok.


unlang question

2011-04-04 Thread Omer Faruk SEN
I want to insert the Quintum-h323-remote-address value into the radacct table at
sql/db/dialup.conf. I have made my modifications, but I see entries
like


 h323-remote-address=3D10.241.1.202 which is

 h323-remote-address=10.241.1.202 but I only want  10.241.1.202  (IP address)

My entry at details file:

Quintum-h323-remote-address = h323-remote-address=10.100.250.150

I want

10.100.250.150

PS: I know there is a hack for Quintum, but for some reason I am forced
not to use it. I have looked at unlang but have been unable to find a solution
for that.

Regards.


RE: unlang question

2011-04-04 Thread Garber, Neal
 i have made my modifications 

Perhaps if you show us the modifications, someone might be able to suggest 
what's wrong.



Re: Unlang Question/Problem

2009-08-19 Thread Alan DeKok
Garber, Neal wrote:
 I’m running FR 2.1.6 with patches to rlm_mschap & rlm_eap_mschapv2 to
 correct a problem with case-sensitive userids.

  Ok...


 First, if I didn’t include “updated” after the “update request” actions,
 then it would return reject.  Is that normal (I didn’t call a module in
 there)?

  Yes... it goes back to historical behavior, and the default return
codes when the authenticate section is being processed.

  Should the unlang be outside of the “Auth-Type MS-CHAP” block?

  No.  It MUST be inside.

  Also, after Ntlm-Auth-Username is expanded, there’s a “[request] returns
 reject”.  I think this is the source of the problem, but I don’t
 understand where the reject is coming from.

  Hm... I'm not sure, either.

  The mschap module that
 follows returns OK, but the subsequent eap-comodo module returns reject
 with no explanation in the debug.  Do I need something like:

  No, that won't help.

  It looks like the EAP-MSCHAPv2 module is either NOT being run, or
something else isn't generating an appropriate EAP packet as a reply.
That's why the eap-comodo module returns reject.

  I suggest starting off with a *simpler* configuration.  Much of that
unlang could be put into the authorize section, I think.

  Alan DeKok.



Unlang Question/Problem

2009-08-18 Thread Garber, Neal
I haven't had much sleep the past few days and just wanted another set of eyes 
on an issue I'm having.  Also, I won't be able to do more testing until 
tomorrow (user/equip. unavailable) and wanted to try to fix it before then.

I'm running FR 2.1.6 with patches to rlm_mschap & rlm_eap_mschapv2 to correct a 
problem with case-sensitive userids.  Anyway, the patch was working great for 
user auth. and failing for machine auth.  I used some unlang to get around the 
issue.  I haven't done a lot with unlang (and yes, I read the man page), so I 
may be missing something simple.  I'm doing 802.1x authentication from a Windows 
supplicant with PEAP/MS-CHAPv2.  Here's the authenticate section of my 
inner-tunnel server:

  authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
if (User-Name =~ /host\/(.*)\.energyeast\.net/i) {
update request {
Ntlm-Auth-Username = "%{1}$"
}
updated
}
else {
update request {
Ntlm-Auth-Username = "%{User-Name}"
}
updated
}
mschap-inner
}
Auth-Type LDAP {
ldap
}
eap-internal
eap-comodo
  }

First, if I didn't include "updated" after the "update request" actions, then 
it would return reject.  Is that normal (I didn't call a module in there)?  
Should the unlang be outside of the "Auth-Type MS-CHAP" block?  Also, after 
Ntlm-Auth-Username is expanded, there's a "[request] returns reject".  I think 
this is the source of the problem, but I don't understand where the reject is 
coming from.  The mschap module that follows returns OK, but the subsequent 
eap-comodo module returns reject with no explanation in the debug.  Do I need 
something like:

eap-comodo {
ok = return
}

Here's the relevant debug output:

Tue Aug 18 15:41:15 2009 : Info: Found Auth-Type = eap-comodo
Tue Aug 18 15:41:15 2009 : Info: +- entering group authenticate {...}
Tue Aug 18 15:41:15 2009 : Info: [eap-comodo] Request found, released from the list
Tue Aug 18 15:41:15 2009 : Info: [eap-comodo] EAP/mschapv2
Tue Aug 18 15:41:15 2009 : Info: [eap-comodo] processing type mschapv2
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] +- entering group MS-CHAP {...}
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ++? if (User-Name =~ /host\/(.*)\.energyeast\.net/i)
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ? Evaluating (User-Name =~ /host\/(.*)\.energyeast\.net/i) -> TRUE
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ++? if (User-Name =~ /host\/(.*)\.energyeast\.net/i) -> TRUE
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ++- entering if (User-Name =~ /host\/(.*)\.energyeast\.net/i) {...}
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] expand: %{1}$ -> US62695C$
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] +++[request] returns reject
Tue Aug 18 15:41:15 2009 : Info: +++[updated] returns updated
Tue Aug 18 15:41:15 2009 : Info: ++- if (User-Name =~ /host\/(.*)\.energyeast\.net/i) returns updated
Tue Aug 18 15:41:15 2009 : Info: ++ ... skipping else for request 124: Preceding if was taken
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] No Cleartext-Password configured.  Cannot create LM-Password.
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] No Cleartext-Password configured.  Cannot create NT-Password.
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner]   Using MS-CHAP Response Name (host/US62695C.energyeast.net) to construct MS-CHAPv1 challenge
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] rlm_mschap: mschap_authenticate: Creating challenge hash with username: host/US62695C.energyeast.net
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] Told to do MS-CHAPv2 for host/US62695C.energyeast.net with NT-Password
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] No trailing :- after variable at %{Ntlm-Auth-UserName:-None}}
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] WARNING: Deprecated conditional expansion :-.  See man unlang for details
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] expand: --username=%{%{Ntlm-Auth-UserName:-None}} -> --username=US62695C$
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner]  mschap2: d1
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner]   Using MS-CHAP Response Name (host/US62695C.energyeast.net) to construct MS-CHAPv1 challenge
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] rlm_mschap: mschap_xlat: Creating challenge hash with username: host/US62695C.energyeast.net
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=943b358133b5bcac
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=121180cc778e59746acb8c12aa6bb9ab7ab2099604c750eb

Re: unlang question

2009-03-20 Thread tnt
I do not want visitors to be able to get onto the original service, and I
do not want normal users to get onto the visitor service.

My thoughts are to set up a new virtual server and add an 'if' statement
to look for the visitor user names, and reject or allow as necessary.

something like this in the new virtual server

if ( Stripped-User-Name != /visitor[0-9]?[0-9]/i ) { reject }

and the inverse for the old service.

if ( Stripped-User-Name =~ /visitor[0-9]?[0-9]/i ) { reject }

Is this syntax correct ? and where do I put it?

What about the service? You probably want:

if( Service-Type == whatever && Stripped-User-Name !=
/visitor[0-9]?[0-9]/i ) {
 reject
}

That goes in authorize section.

Ivan Kalik
Kalik Informatika ISP



unlang question

2009-03-20 Thread Bruce_M_Richardson
Hi,

I have freeRADIUS 2.0.5 authenticating against LDAP via eap and this has 
been working perfectly since last year. 
Now I have a new requirement to authenticate another set of users in the 
same LDAP tree onto a different service. 
These users will be visitors to our site and will have the user names 
Visitor1 ... Visitor(nn)

I do not want visitors to be able to get onto the original service, and I 
do not want normal users to get onto the visitor service.

My thoughts are to set up a new virtual server and add an 'if' statement 
to look for the visitor user names, and reject or allow as necessary. 

something like this in the new virtual server

if ( Stripped-User-Name != /visitor[0-9]?[0-9]/i ) { reject }

and the inverse for the old service. 

if ( Stripped-User-Name =~ /visitor[0-9]?[0-9]/i ) { reject }

Is this syntax correct ? and where do I put it?

Thanks for your time ...regards,

Bruce Richardson



 Please consider the environment - do you really need to print this email?





This e-mail and any attachments are confidential and solely for the use of the 
intended recipient.  They may contain material protected by legal professional 
or other privilege. If you receive it in error, please delete it from your 
system, make no copies of it, do not disclose its contents to any third party 
or use it for your own or any other person's benefit. Please advise the sender 
of its receipt as soon as possible. Although this email and its attachments are 
believed to be free of any virus or other defect, it is the responsibility of 
the recipient to ensure that they are virus free and no responsibility is 
accepted by the company for any loss or damage arising from receipt or use 
thereof. Any opinions expressed that do not relate to the official business of 
the company are those of the author, not the United Biscuits group of companies.

United Biscuits (UK) Limited Registered in England number 2506007 Registered 
Office: Hayes Park, Hayes End Road, Hayes, Middlesex, UB4 8EE

Re: unlang question

2009-03-20 Thread Arran Cudbard-Bell

On 20/3/09 12:25, t...@kalik.net wrote:

I do not want visitors to be able to get onto the original service, and I
do not want normal users to get onto the visitor service.

My thoughts are to set up a new virtual server and add an 'if' statement
to look for the visitor user names, and reject or allow as necessary.

something like this in the new virtual server

if ( Stripped-User-Name != /visitor[0-9]?[0-9]/i ) { reject }

and the inverse for the old service.

if ( Stripped-User-Name =~ /visitor[0-9]?[0-9]/i ) { reject }

Is this syntax correct ? and where do I put it?


What about the service? You probably want:



if((%{request:Service-Type} == 'whatever') &&
(%{request:Stripped-User-Name} !~
/visitor[0-9]?[0-9]/i)) {
reject
}

I don't think naked attribute names were supported in 2.0.5..




That goes in authorize section.

Ivan Kalik
Kalik Informatika ISP




--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


Re: unlang question

2009-03-20 Thread Bruce_M_Richardson
 if((%{request:Service-Type} == 'whatever') &&
 (%{request:Stripped-User-Name} !~
 /visitor[0-9]?[0-9]/i)) {
reject
 }

 I don't think naked attribute names were supported in 2.0.5..

Thanks Ivan and Arran , in fact there is only one Service-Type (Login-User
).

so I changed my authorize section to ...

authorize {
#
preprocess
prefix
eap {
ok = return
}
ldap
# Just the Visitors please !!
if(%{request:Stripped-User-Name} !~ 
/visitor[0-9]?[0-9]/i) {reject}
expiration
logintime
}

and now radiusd will not start .. 

/usr/local/etc/raddb/sites-enabled/all[182]: EOF reached without closing 
brace for section server starting at line 115
Errors reading /usr/local/etc/raddb/radiusd.conf

I've also tried Ivan's version with the same results. 

Commenting out the 'if' statement fixes the issue, and I can't see any 
missing braces. 
Am I putting it in the wrong place, or is the syntax wrong ?

Bruce



Re: unlang question

2009-03-20 Thread tnt
 if((%{request:Service-Type} == 'whatever') &&
 (%{request:Stripped-User-Name} !~
 /visitor[0-9]?[0-9]/i)) {
reject
 }

# Just the Visitors please !!
if(%{request:Stripped-User-Name} !~
/visitor[0-9]?[0-9]/i) {reject}

Don't open and close brackets on the same line. Have a look at Arran's
statement.

Ivan Kalik
Kalik Informatika ISP



Re: unlang question

2009-03-20 Thread Bruce_M_Richardson
 Don't open and close brackets on the same line. Have a look at Arran's
 statement.

Ok I tried this ...


if(%{request:Stripped-User-Name} !~
/visitor[0-9]?[0-9]/i) {
 reject
}

and got this ...

/usr/local/etc/raddb/sites-enabled/all[156]: Parse error in condition at: 
%{request:Stripped-User-Name} !~

any ideas ?

Bruce



Re: unlang question

2009-03-20 Thread Alan DeKok
bruce_m_richard...@biscuits.com wrote:
 if(%{request:Stripped-User-Name} !~
 /visitor[0-9]?[0-9]/i) {
  reject
 }
 
 and got this ...
 
 /usr/local/etc/raddb/sites-enabled/all[156]: Parse error in condition
 at: %{request:Stripped-User-Name} !~
 
 any ideas ?

$ man unlang

  Everything following the if statement MUST be all on one line of text.

  Alan DeKok.


Re: unlang question

2009-03-20 Thread Bruce_M_Richardson
 $ man unlang
 
   Everything following the if statement MUST be all on one line of 
text.
 
   Alan DeKok.

Ok thanks, I don't think that is clear on 
http://freeradius.org/radiusd/man/unlang.html . 

I now have ...

if(%{request:Stripped-User-Name} !~ 
/visitor[0-9]?[0-9]/i) {
reject
}

and radiusd will start now. 

Thanks to all

Bruce



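One point worth adding to this thread, as an added example rather than Bruce's final configuration: /visitor[0-9]?[0-9]/i carries no anchors, and unlang's regex comparison (POSIX regexec) succeeds on any substring, so a name such as "advisitor10" or "visitor1234" would also count as a visitor. Anchoring the pattern with ^ and $, and adding the Service-Type check Ivan and Arran suggested, tightens the authorize rule. The block below assumes FreeRADIUS 2.0.x, the Login-User Service-Type Bruce mentioned, and the %{request:...} form that worked for him on 2.0.5; the whole condition stays on one line, as Alan notes the parser requires.

```unlang
# Added example, not the poster's config.  Assumes FreeRADIUS 2.0.x unlang,
# Service-Type = Login-User for this service, and visitor accounts named
# "visitor" followed by one or two digits.  The if condition must be one line.
authorize {
	preprocess
	prefix
	eap {
		ok = return
	}
	ldap
	# Visitor server: only an exact "visitor<1-2 digits>" name gets through.
	# ^ and $ anchor the whole Stripped-User-Name; an empty or missing
	# Stripped-User-Name expands to "" and fails the match, so it is rejected too.
	if ((%{request:Service-Type} == 'Login-User') && (%{request:Stripped-User-Name} !~ /^visitor[0-9]?[0-9]$/i)) {
		reject
	}
	expiration
	logintime
}
```

For the original (non-visitor) service the same line is used with =~ in place of !~, so that anchored visitor names are the ones rejected there.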

unlang question

2009-01-21 Thread Evgeniy Kozhuhovskiy

Is it possible to parse a string in unlang?

For now, home server gives to my radius-proxy such avp:

Something-Vendor-Specific = a b

and I need to translate it to:

Something-Other-Vendor-Specific-1 = a
Something-Other-Vendor-Specific-2 = b

--


Re: unlang question

2009-01-21 Thread Alan DeKok
Evgeniy Kozhuhovskiy wrote:
 Is it possible to parse a string in unlang?

  Regular expressions.

  Alan DeKok.
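Both the Quintum prefix question (Omer Faruk SEN, 2011-04-04, further up this page) and the "a b" split asked about here come down to the idiom Alan points to: a regular-expression match whose capture groups are then read back as %{1}, %{2}, exactly as Neal Garber's host/... rule elsewhere on this page does. The following is an added example, not code from either thread; it assumes FreeRADIUS 2.x unlang, the attribute names exactly as the two posters wrote them, and the built-in Tmp-String-0 scratch attribute.

```unlang
# Added example, not from the list threads.  Assumes FreeRADIUS 2.x unlang,
# the posters' attribute names, and the built-in Tmp-String-0 attribute.
# Regexes are POSIX extended; ^ and $ anchor the whole value, so a value of
# an unexpected shape leaves the target attributes untouched (the if is
# simply false), which is also what happens when the attribute is absent.

# Case 1 (accounting): keep only the address from
# "h323-remote-address=10.100.250.150" and hand it to the SQL query.
accounting {
	if (Quintum-h323-remote-address =~ /^h323-remote-address=(.+)$/) {
		update request {
			Tmp-String-0 := "%{1}"
		}
	}
	sql
}

# Case 2 (reply from the home server): split "a b" on the single space
# into two attributes before the reply goes back to the NAS.
post-proxy {
	if (proxy-reply:Something-Vendor-Specific =~ /^([^ ]+) ([^ ]+)$/) {
		update reply {
			Something-Other-Vendor-Specific-1 := "%{1}"
			Something-Other-Vendor-Specific-2 := "%{2}"
		}
	}
}
```

For case 1 the accounting query in dialup.conf then references '%{Tmp-String-0}' instead of the raw Quintum attribute; the regex is anchored so that an unexpected value cannot smuggle a prefix or trailing text into the column.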


unlang question

2008-07-16 Thread Norbert Wegener
With unlang I achieve the following: check whether a special VLAN exists 
on a switch and, if so, assign it.

This works with the construct below.


if ("%{sqlquery:SELECT value from radcheck where ( attribute='SIE-VLAN1' != '' and username='%{User-Name}') and value in (select vlan from vlan where nasname= '%{NAS-IP-Address}' ) }" != '') {

update reply {
   Tunnel-Private-Group-ID = "%{sqlquery:SELECT value from radcheck where ( attribute='SIE-VLAN1' != '' and username='%{User-Name}') and value in (select vlan from vlan where nasname= '%{NAS-IP-Address}' )}"

   Tunnel-Medium-Type = IEEE-802
   Tunnel-Type = VLAN
   }
}

To reduce sql queries I want to avoid the second.
Can I store the result of the first query and use the value to assign 
Tunnel-Private-Group-ID?


Thanks
Norbert Wegener



Re: unlang question

2008-07-16 Thread Alan DeKok
Norbert Wegener wrote:
 With unlang I achieve the following: Check, whether a special VLAN exists
 on a switch and if so, assign it.
...
 To reduce sql queries I want to avoid the second.
 Can I store the result of the first query and use the value to assign
 Tunnel-Private-Group-ID?

  Yes.  Intermediate variables are possible.

  update control {
	Tmp-String-0 = "%{sqlquery:SELECT value from ...}"
  }

  if (control:Tmp-String-0 != "") {
	update reply {
		# read the value back from the control list it was stored in
		Tunnel-Private-Group-ID = "%{control:Tmp-String-0}"
		...
	}
  }

  Alan DeKok.


Re: unlang question

2008-01-24 Thread Andy Billington
Thanks Alan,
Looking into it more what I really need to do is take a list of
existing usernames and proxy them to an external server, but allow
other usernames with the same format to be handled by a virtual server
in the FreeRADIUS box.

The list can be in a database or a text file or hard-coded into a
script, its fairly short. New usernames can be handled as a different
realm no problem but some of the existing ones have to be proxied
also, we're having to delegate admin of them to a customer.

Any thoughts - things to watch out for or that might help?
Andy

On 23/01/2008, Alan DeKok [EMAIL PROTECTED] wrote:
 Andy Billington wrote:
  hi all,
  am looking at whether to migrate to 2.0 to create a couple of
  possibilities and was wondering if I can:
  1. create a main virtual server
  2. use unlang to parse the incoming requests and then based on whether
  they match a regex, proxy them to different virtual servers or to an
  external 3rd party RADIUS?

  Yes.  That's one of my test cases.

  The only issue is that you *will* have to proxy them.  i.e. set up a
 client of 127.0.0.1, set up different listen sections for each virtual
 server, and set up those listen sections as home servers.  The code
 does not currently have a way to re-direct requests to a virtual server.

  Alan DeKok.




unlang question

2008-01-22 Thread Andy Billington
hi all,
am looking at whether to migrate to 2.0 to create a couple of possibilities
and was wondering if I can:
1. create a main virtual server
2. use unlang to parse the incoming requests and then based on whether they
match a regex, proxy them to different virtual servers or to an external 3rd
party RADIUS?

I'm sure I've missed something in the docs, so any pointers very
gratefully received!

Andy

Re: unlang question

2008-01-22 Thread Alan DeKok
Andy Billington wrote:
 hi all,
 am looking at whether to migrate to 2.0 to create a couple of
 possibilities and was wondering if I can:
  1. create a main virtual server
 2. use unlang to parse the incoming requests and then based on whether
 they match a regex, proxy them to different virtual servers or to an
 external 3rd party RADIUS?

  Yes.  That's one of my test cases.

  The only issue is that you *will* have to proxy them.  i.e. set up a
client of 127.0.0.1, set up different listen sections for each virtual
server, and set up those listen sections as home servers.  The code
does not currently have a way to re-direct requests to a virtual server.

  Alan DeKok.



unlang question

2007-12-14 Thread Norbert Wegener

In pre2 an update reply works, when I have:
 
update reply {

...
   Tunnel-Private-Group-ID = "%{control:Huntgroup-Name}"
...
   }

Enterasys have an unusual syntax. For the same thing they need something like:


update reply {
   ...
   filter-id = 
Enterasys:version=1:mgmt=su:policy=%{control:Huntgroup-Name}

   ...
   }
   
This does not work for me.
Trying different quoting has not helped yet.

Is this possible at all?

Norbert Wegener



Re: unlang question

2007-12-14 Thread Alan DeKok
Norbert Wegener wrote:
 In pre2 an update reply works, when I have:
..
 Enterasys have a unusual syntax. They need for the
 same something like:
..
 Enterasys:version=1:mgmt=su:policy=%{control:Huntgroup-Name}

  It's just a double-quoted string, like shell scripts or C.  You should
be able to use:

  Filter-Id = "Enterasys...=\"%{...}\""

 This does not work for me.   Trying different quoting does
 not yet help.
 Is this possible at all?

  Yes.

  Alan DeKok.


unlang question

2007-11-14 Thread Norbert Wegener

Something like
if (%{sqlnastype:SELECT Value from radcheck where UserName = 
'%{User-Name}' and otherconditions} == 'bla' )

works,
whereas I have problems
with:

if (%{sqlnastype:SELECT Value from radcheck where UserName = 
'%{User-Name}' and  other conditions..  is not null )


Am I doing something wrong, or is "is not null" not (yet) implemented?

Norbert Wegener




Re: unlang question

2007-11-14 Thread Alan DeKok
Norbert Wegener wrote:
 Something like
 if (%{sqlnastype:SELECT Value from radcheck where UserName =
 '%{User-Name}' and otherconditions} == 'bla' )
 works,
 whereas I have problems
 with:
 
 if (%{sqlnastype:SELECT Value from radcheck where UserName =
 '%{User-Name}' and  other conditions..  is not null )
 
 Am I doing something wrong, or is "is not null" not (yet) implemented?

  Where does the "is not null" come from?  That looks to be SQL syntax,
which is *not* implemented.

  Maybe you mean:  "%{sql:SELECT ... where .. is not null }"

  i.e. the "is not null" appears inside of the %{}, which is inside of
the "".

  Alan DeKok.


unlang question

2007-09-26 Thread Norbert Wegener

I am using a recent 2.0.0-pre CVS snapshot.
For 802.1x authentication AD is queried for a valid machine account 
and VLAN, which the ldap modules put into the radius attribute 
Huntgroup-Name. The client authenticates via a certificate. Everything 
works as expected. Nevertheless someone inspecting the switch logs found:


12277052: .Sep 26 13:33:45.914: RADIUS: Received from id 1645/86 139.25.78.162:1812, Access-Challenge, len 1130
12277053: .Sep 26 13:33:45.914: RADIUS:  authenticator 41 6D FD 2B B1 E6 81 32 - 92 3A 05 C1 96 B9 A5 E9
12277054: .Sep 26 13:33:45.914: RADIUS:  Tunnel-Private-Group[81]  18  "VL-SBS-AD02-0001"
12277055: .Sep 26 13:33:45.914: RADIUS:  Tunnel-Medium-Type  [65]  6   00:ALL_802[6]
12277056: .Sep 26 13:33:45.914: RADIUS:  Tunnel-Type [64]  6   00:VLAN   [13]
12277057: .Sep 26 13:33:45.914: RADIUS:  EAP-Message [79]  255

and claimed that the Access-Challenge with Tunnel-Private-Group, 
Tunnel-Medium-Type etc. is not RFC compatible.

I can see those values in radiusd -AX, too, but didn't care.

My question is:
Is he right?
If so: How would I have to change the configuration?


In my sites-enabled/default I have:
...
  


# ldap1/2 set control:Huntgroup-Name.

   
 redundant {

   ldap1
   ldap2
   }
#
   
   if ("%{sqlnastype:SELECT vl_vlan from vlan where vl_vlan = '%{control:Huntgroup-Name}' and vl_nasname='%{NAS-IP-Address}'}" == "%{control:Huntgroup-Name}" ) {

   # the VLAN exists on the switch
   update reply {
   Tunnel-Private-Group-ID = "%{control:Huntgroup-Name}"
   Tunnel-Medium-Type = IEEE-802
   Tunnel-Type = VLAN
   }
   }
..

This works as expected.


Sending Access-Challenge of id 135 to 172.31.110.149 port 1645
   Tunnel-Private-Group-Id:0 = "VL-SBS-AD02-0001"
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Type:0 = VLAN
   EAP-Message = 0x68696e652063657274696669636174657320696e20746865205369656d656e7320414420666f72657374313a3038060355040b1331436f7079726967687420284329205369656d656e73204147203230303320416c6c20726967687473207265736572766564312430220603550403131b5369656d656e732049737375696e6720434120436c617373204144301e170d303730383232323131325a170d303830323138323131325a3025312330210603550403131a64653730313874632e3930312e7369656d656e732e6e657430819f300d06092a864886f70d010101050003818d0030818902818100d420d44e29fdfd018e8ff279b4
   EAP-Message = 0x07030106082b06010505080202303c06092b0601040182371507042f302d06252b060104018237150887e4bc2b85a7c80a85d19529a08c6d819ffa1381219eaf36869ee33d020164020103301f0603551d2304183016801453cf2cd0fe413db6c4731640813764d8702909993081e50603551d1f0481dd3081da3081d7a081d4a081d18681ce6c6461703a2f2f2f434e3d5369656d656e7325323049737375696e672532304341253230436c61737325323041442832292c434e3d6d63686d393335612c434e3d4344502c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e6669677572
   EAP-Message = 0x6174696f6e2c44433d7369656d656e732c44433d6e65
   Message-Authenticator = 0x
   State = 0xcf369d304b83244706a446310ed5b92e
Finished request 1 state 5
Going to the next request


The complete output can be found at http://www.wegener-net.de:/freeradius

Norbert Wegener



Re: unlang question

2007-09-26 Thread Alan DeKok
Norbert Wegener wrote:
 ... The client authenticates via a certificate. Everything
 works as expected. Nevertheless someone inspecting the switch logs found:
...
 and claimed, the Access-Challenge with Tunnel-Private-Group,
 Tunnel-Medium-Type etc. are not RFC compatible.

  Yes.

 I can see those values in radiusd -AX, too, but didn't care.
 
 My question is:
 Is he right?
 If so: How would I have to change the configuration?

  Ideally, the attributes in the reply should be sent ONLY on
Access-Accept.  i.e. the configuration should NOT update the reply until
it has determined that the user has been authenticated.

  This involves moving most of the policy from the authorize section
to the post-auth section.


 In my sites-enabled/default I have:
 ...  
 # ldap1/2 set control:Huntgroup-Name.
 
 redundant {

  Which section?  authorize?

  Alan DeKok.
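Alan's two answers on this page, the intermediate-variable pattern (Tmp-String-0, in the 2008-07-16 thread above) and the advice here to update the reply only once the user is authenticated, combine into one policy. The following is an added example, not Norbert's configuration: it assumes FreeRADIUS 2.x, the sqlnastype SQL instance and vlan table named in the post, and that the redundant ldap1/ldap2 call in authorize has already set control:Huntgroup-Name. Only the VLAN policy is shown; the rest of the post-auth section stays as it is.

```unlang
# Added example, not the poster's config.  Assumes FreeRADIUS 2.x, the
# sqlnastype instance and vlan table from the post, and that ldap1/ldap2 in
# authorize have set control:Huntgroup-Name.  Nothing here touches the reply
# in authorize, so Access-Challenge packets carry no Tunnel-* attributes;
# post-auth runs only for the final Access-Accept.
post-auth {
	# One query per accepted request; the result is parked in the control
	# list so the same value can be tested and then copied into the reply.
	update control {
		Tmp-String-0 := "%{sqlnastype:SELECT vl_vlan FROM vlan WHERE vl_vlan = '%{control:Huntgroup-Name}' AND vl_nasname = '%{NAS-IP-Address}'}"
	}

	# Assign the VLAN only if the switch actually has it: the query must return
	# a non-empty value equal to the VLAN name LDAP supplied.  An empty
	# Huntgroup-Name therefore never produces an empty VLAN assignment.
	# The whole condition stays on one line.
	if ((control:Tmp-String-0 != "") && (control:Tmp-String-0 == "%{control:Huntgroup-Name}")) {
		update reply {
			Tunnel-Private-Group-ID := "%{control:Tmp-String-0}"
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Type := VLAN
		}
	}
}
```

The nested %{control:Huntgroup-Name} and %{NAS-IP-Address} expansions inside the %{sqlnastype:...} xlat are passed through rlm_sql's escape function before the query is run; the value still originates in the directory, so it is treated as data to compare against, never as a trusted VLAN assignment on its own.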


Re: unlang question

2007-09-14 Thread Alan DeKok
Norbert Wegener wrote:
 The point is, it seems to work  only if there is an
 authorize_check_query and an authorize_reply_query in the sql module.
 So I have to set up an authorize_reply_query with  UserName, Attr Name,
 Attr Value, Op, although I am only interested in the answer to the query
 above, which might be Cisco, Enterasys or something like that.
 
 Is there a way to avoid such an authorize_reply_query or even the
 authorize_check_query?

  Code changes in rlm_sql.

  Maybe for 2.1, or 3.x, we can re-factor the code into "connect to db",
and separately, "do something with that data".

  Alan DeKok.


unlang question

2007-09-06 Thread Norbert Wegener

I want to use the result from a sql query in something like this:
...
   switch "%{sqlnastype:SELECT nas.type FROM `nas` WHERE nas.nasname ='%{NAS-IP-Address}'}" {

case Cisco {
...

It works, and it is a great feature.

The point is, it seems to work only if there is an 
authorize_check_query and an authorize_reply_query in the sql module.
So I have to set up an authorize_reply_query with UserName, Attr Name, 
Attr Value, Op, although I am only interested in the answer to the query 
above, which might be Cisco, Enterasys or something like that.


Is there a way to avoid such an authorize_reply_query or even the 
authorize_check_query?


Norbert Wegener
