Thanks Arran for those answers,

> No your check will not iterate over every instance of a value.
> 
> In order to do that you'll need to use FreeRADIUS 3.x and use the foreach 
> unlang construct or perl.

Hmm, FreeRADIUS 3.x? Is it suitable for a production environment? Or
I'll simply fall back to rlm_perl. But not on a Friday evening; it will
wait till Monday!

> Plus the way you're doing policies is weird. Why don't you just use the 
> policy module (policy.conf)? It'd be way more memory efficient if you're 
> using the same policy multiple times, and you gain the ability to overload 
> module calls...

You're right, I'll move this into the policy file, didn't think about it.

Regards,
Olivier B.

> -Arran
> 
> On 2 Sep 2011, at 15:47, Olivier Beytrison wrote:
> 
>> Hello,
>>
>> I've been trying for two weeks to do some multi-valued attribute checking on
>> my RADIUS infrastructure.
>>
>> I've been looking to checkval, using the "users" file and such but with
>> no luck.
>>
>> I'm running two FR 2.1.10 on Ubuntu for the eduroam project. The local
>> authentication is made against a Novell eDirectory LDAP server.
>>
>> I'm fetching a multi-valued attribute from the ldap into the control
>> list, and based on its content, I set the correct
>> Airespace-Interface-Name value.
>>
>> At the beginning I was using unlang to match the value, and it works
>> perfectly since 90% of the people only have one attribute. But some
>> people have multiple attributes.
>>
>> So far, that's what I've been using:
>>
>> In the virtual server, at the end of authorize {}
>>
>>          if (NAS-IP-Address =~ /160\.98\.156\..*/) {
>>                  $INCLUDE ${confdir}/secure-hefr.policy
>>
>>          }
>>
>> secure-hefr.policy content:
>>
>>
>> if ( control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) {
>>        update reply {
>>                Airespace-Interface-Name := "wifi_eia-etu"
>>        }
>> }
>> elsif ( control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) {
>>        update reply {
>>                Airespace-Interface-Name := "wifi_eia-col"
>>        }
>> }
>> elsif {
>> }
>> [ ... ]
>>
>> Some debug from a user who is multi-valued :
>>
>> server eduroam-inner-tunnel-peap {
>> # Executing section authorize from file
>> /etc/freeradius/sites-enabled/eduroam-inner-tunnel-peap
>> +- entering group authorize {...}
>> ++[mschap] returns noop
>> [suffix] Looking up realm "hefr.ch" for User-Name = "didier.perr...@hefr.ch"
>> [suffix] Found realm "hefr.ch"
>> [suffix] Adding Realm = "hefr.ch"
>> [suffix] Authentication realm is LOCAL.
>> ++[suffix] returns ok
>> ++[control] returns ok
>> [eap] EAP packet type response id 11 length 6
>> [eap] No EAP Start, assuming it's an on-going EAP conversation
>> ++[eap] returns updated
>> [auth_log]      expand:
>> /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
>> /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
>> [auth_log]
>> /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>> expands to /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
>> [auth_log]      expand: %t -> Fri Sep  2 15:45:08 2011
>> ++[auth_log] returns ok
>> [linelog]       expand: %{Packet-Type} -> Access-Request
>> [linelog]       expand: %{%{Packet-Type}:-format} -> Access-Request
>> [linelog]       expand: /var/log/freeradius/linelog ->
>> /var/log/freeradius/linelog
>> [linelog]       expand: Requested access: %{User-Name} -> Requested
>> access: didier.perr...@hefr.ch
>> ++[linelog] returns ok
>> ++? if (User-Name =~ /(.*)@.*hefr.ch$/)
>> ? Evaluating (User-Name =~ /(.*)@.*hefr.ch$/) -> TRUE
>> ++? if (User-Name =~ /(.*)@.*hefr.ch$/) -> TRUE
>> ++- entering if (User-Name =~ /(.*)@.*hefr.ch$/) {...}
>>        expand: %{1} -> didier.perroud
>> +++[request] returns ok
>> ++- if (User-Name =~ /(.*)@.*hefr.ch$/) returns ok
>> ++[files] returns noop
>> [ldap] performing user authorization for didier.perroud
>> [ldap]  expand: (uid=%{Stripped-User-Name}) -> (uid=didier.perroud)
>> [ldap]  expand: ou=courant,ou=people,o=hefr -> ou=courant,ou=people,o=hefr
>>  [ldap] ldap_get_conn: Checking Id: 0
>>  [ldap] ldap_get_conn: Got Id: 0
>>  [ldap] performing search in ou=courant,ou=people,o=hefr, with filter
>> (uid=didier.perroud)
>> [ldap] Added the eDirectory password ******* in check items as
>> Cleartext-Password
>> [ldap] No default NMAS login sequence
>> [ldap] looking for check items in directory...
>>  [ldap] hessoRoleMemberKey -> HESSO-MEMBER-KEY ==
>> "RORG-HEFR-EIFR-TICO-TLCO-$-RSM"
>>  [ldap] hessoRoleMemberKey -> HESSO-MEMBER-KEY == "RORG-MASO-$-RCA"
>>  [ldap] hessoRoleMemberKey -> HESSO-MEMBER-KEY ==
>> "RACA-TICO-MSEI-MTIC-$-RCA"
>> [ldap] looking for reply items in directory...
>>  [ldap] hessoRoleMemberKey -> Class =
>> 0x524f52472d484546522d454946522d5449434f2d544c434f2d242d52534d
>>  [ldap] hessoRoleMemberKey -> Class = 0x524f52472d4d41534f2d242d524341
>>  [ldap] hessoRoleMemberKey -> Class =
>> 0x524143412d5449434f2d4d5345492d4d5449432d242d524341
>> [ldap] user didier.perroud authorized to use remote access
>>  [ldap] ldap_release_conn: Release Id: 0
>> ++[ldap] returns ok
>> [pap] WARNING: Auth-Type already set.  Not setting to PAP
>> ++[pap] returns noop
>> ++? if (NAS-IP-Address =~ /160\.98\.156\..*/)
>> ? Evaluating (NAS-IP-Address =~ /160\.98\.156\..*/) -> TRUE
>> ++? if (NAS-IP-Address =~ /160\.98\.156\..*/) -> TRUE
>> ++- entering if (NAS-IP-Address =~ /160\.98\.156\..*/) {...}
>> +++? if (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/ )
>> ? Evaluating (control:HESSO-MEMBER-KEY =~
>> /RORG-HEFR-EIFR-INTR-INFO-.-RSM/) -> FALSE
>> +++? if (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/ )
>> -> FALSE
>> +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ )
>> ? Evaluating (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/) -> FALSE
>> +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) -> FALSE
>> +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ )
>> ? Evaluating (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/) -> TRUE
>> +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) -> TRUE
>> +++- entering elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/
>> ) {...}
>>
>> We can see that it didn't match control:HESSO-MEMBER-KEY =~
>> /RORG-MASO.*RCA$/ while it has the correct value in the control list.
>>
>> How can I match this multi-valued attribute?
>>
>> Regards,
>> Olivier B.
>>
>> -- 
>>
>> Olivier Beytrison
>> Network & Security Engineer, HES-SO Fribourg
>> -
>> List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html
>>
> 
> Arran Cudbard-Bell
> a.cudba...@freeradius.org
> 
> RADIUS - Half the complexity of Diameter
> 

-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
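The thread's underlying problem is that an unlang `=~` comparison against `control:HESSO-MEMBER-KEY` only ever tests the first instance of the attribute, so a user whose matching role is the second or third LDAP value falls through to the wrong branch. The following is an added example, not code from the thread or from the FreeRADIUS project: it rewrites the policy as a FreeRADIUS 3.0.x `foreach` loop placed in a policy file, as Arran suggests. The policy name `secure_hefr` is an assumption; the attribute, regexes and interface names are the ones from Olivier's post, with a leading `^` anchor added so a value can only match from its start.

```unlang
# Added example (not from the thread). FreeRADIUS 3.0.x policy that walks
# every instance of the multi-valued control:HESSO-MEMBER-KEY attribute.
# Goes in a policy file (policy.d/ in 3.x); the name secure_hefr is assumed.
policy {
	secure_hefr {
		# foreach runs the block once per value of the attribute; the
		# current value is exposed as Foreach-Variable-0 (nested loops
		# use Foreach-Variable-1, -2, ...).
		foreach &control:HESSO-MEMBER-KEY {
			if ("%{Foreach-Variable-0}" =~ /^RORG-MASO.*RCA$/) {
				update reply {
					&Airespace-Interface-Name := "wifi_eia-etu"
				}
				# First matching value wins: leave the loop so a
				# later value cannot overwrite the interface name.
				break
			}
			elsif ("%{Foreach-Variable-0}" =~ /^RORG-HEFR-EIFR.*RSM$/) {
				update reply {
					&Airespace-Interface-Name := "wifi_eia-col"
				}
				break
			}
			# Values matching neither pattern are skipped; if no value
			# matches, no Airespace-Interface-Name is set, as before.
		}
	}
}
```

In the virtual server the `$INCLUDE` line at the end of `authorize {}` is replaced by a call to the policy by name (`secure_hefr`) inside the existing `NAS-IP-Address` check. Note that with several matching values the one LDAP returns first decides the VLAN, so if a user can legitimately hold roles mapping to different interfaces, the order of the `if`/`elsif` branches, not the order of the LDAP values, should encode which assignment takes precedence; the `break` keeps that choice deterministic.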
