Auth by NAS-Identifier using unlang
I was thinking this should be easy, but it's been two weeks and I give up...

This is what I want to do: My NAS (a WiFi AP) has two SSIDs: "staff" and "guests". I want mutual exclusivity.

My /etc/raddb/users file contains something like this:

    abc    Cleartext-Password := "xyz"
           Local-Group = "staff"

I've created an attribute in my /etc/raddb/dictionary file:

    ATTRIBUTE    Local-Group    3000    string

In my /etc/raddb/sites-enabled/default file, in the authorize section, I've got this:

    if ( Local-Group != NAS-Identifier ) {
        update reply {
            Reply-Message := "You may not connect to %{NAS-Identifier} AP.\r\n"
        }
        reject
    }

My access request looks something like this (edited for brevity):

    User-Name = "abc"
    NAS-IP-Address = 192.168.8.253
    NAS-Port = 0
    NAS-Identifier = "guests"
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = "..."
    Called-Station-Id = "..."
    Service-Type = Login-User
    Framed-MTU = 1100
    EAP-Message = ...
    State = ...
    Aruba-Essid-Name = "test"
    Aruba-Location-Id = "wifi"
    Aruba-AP-Group = "Our WiFi"

Running radiusd -X I get:

    :
    ++? if (Local-Group != NAS-Identifier )
    (Attribute Local-Group was not found)
    ? Evaluating (Local-Group != NAS-Identifier ) -> FALSE
    ++? if (Local-Group != NAS-Identifier ) -> FALSE
    :

And it's clear Local-Group is always empty. :-(

Some things I've tried:

- Moved code to post-auth section instead of authorize.
- Different attributes instead of private dictionary (i.e. Group-Name).
- Running an executable (actually works, but selinux appears to be a problem?).
- Changing the test from != to == makes things work as expected, so if the comparison will actually work, I'm good.

I'm clearly not understanding something.

-Joseph

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Auth by NAS-Identifier using unlang
> > Running radiusd -X I get:
> >
> > :
> > ++? if (Local-Group != NAS-Identifier )
> > (Attribute Local-Group was not found)
> > ? Evaluating (Local-Group != NAS-Identifier ) -> FALSE
> > ++? if (Local-Group != NAS-Identifier ) -> FALSE
> > :
> >
> > And it's clear Local-Group is always empty. :-(

Yeah, you've inserted it into the reply list, and you're looking for it in the request list.

    abc    Cleartext-Password := "xyz", Local-Group := 'NAS-Identifier'

    if (control:Local-Group != 'NAS-Identifier')

-Arran

Arran Cudbard-Bell
FreeRADIUS Development Team
Re: Auth by NAS-Identifier using unlang
Hi,

> I was thinking this should be easy, but it's been two weeks and I give
> up...

Well, depends how you do it... if you do it easy it is easy, no?

users file:

    abc    Cleartext-Password := "xyz", NAS-Identifier = "staff"
           Reply-Message = "Welcome on-board staff member"

Don't forget, if this is 802.1X etc. then your users won't see the Reply-Message... so don't rely on it for telling them things!

alan
Re: Auth by NAS-Identifier using unlang
Changing the Local-Group into the request still makes control:Local-Group empty.

    abc    Cleartext-Password := "xyz", Local-Group := "staff"

NAS sends this:

    User-Name = "abc"
    :
    NAS-Identifier = "resident"

    if ( control:Local-Group != NAS-Identifier ) {

Diagnostic says:

    ++? if (control:Local-Group != NAS-Identifier ) -> FALSE

("staff" != "resident") should be True, but control:Local-Group is empty. :-(

On Mon, Aug 5, 2013 at 4:14 PM, Arran Cudbard-Bell <a.cudba...@freeradius.org> wrote:
> > > Running radiusd -X I get:
> > >
> > > :
> > > ++? if (Local-Group != NAS-Identifier )
> > > (Attribute Local-Group was not found)
> > > ? Evaluating (Local-Group != NAS-Identifier ) -> FALSE
> > > ++? if (Local-Group != NAS-Identifier ) -> FALSE
> > > :
> > >
> > > And it's clear Local-Group is always empty. :-(
>
> Yeah, you've inserted it into the reply list, and you're looking for it in
> the request list.
>
>     abc    Cleartext-Password := "xyz", Local-Group := 'NAS-Identifier'
>
>     if (control:Local-Group != 'NAS-Identifier')
>
> -Arran
>
> Arran Cudbard-Bell
> FreeRADIUS Development Team
Re: Auth by NAS-Identifier using unlang
> Diagnostic says:
> ++? if (control:Local-Group != NAS-Identifier ) -> FALSE

Assuming you're not looking for a literal value 'NAS-Identifier', you want "%{NAS-Identifier}".

If this is a new deployment you should use current HEAD revision in Master. Then you can use the debug_attr expansion to look at list state.

    update request {
        Tmp-String-0 := "%{debug_attr:control:}"
    }

Also could you please stop posting snippets of debug output and paste the whole thing...

Arran Cudbard-Bell
FreeRADIUS Development Team
Re: Auth by NAS-Identifier using unlang
The following appears to now work, but I don't understand some things:

    files

    if (control:Local-Group != "%{NAS-Identifier}" ) {

Why does control:Local-Group not need to be enclosed in "%{ }", but NAS-Identifier does?

And why does %{ } content need to be within quotes, when the documentation doesn't say anything about them needing to be in quotes?

It's clear I must have a call to "files" prior to this in order to populate the "control" list, right?

On Mon, Aug 5, 2013 at 5:03 PM, Arran Cudbard-Bell <a.cudba...@freeradius.org> wrote:
> > Diagnostic says:
> > ++? if (control:Local-Group != NAS-Identifier ) -> FALSE
>
> Assuming you're not looking for a literal value 'NAS-Identifier', you want
> "%{NAS-Identifier}".
>
> If this is a new deployment you should use current HEAD revision in
> Master. Then you can use the debug_attr expansion to look at list state.
>
>     update request {
>         Tmp-String-0 := "%{debug_attr:control:}"
>     }
>
> Also could you please stop posting snippets of debug output and paste the
> whole thing...
>
> Arran Cudbard-Bell
> FreeRADIUS Development Team
Re: Auth by NAS-Identifier using unlang
On 5 Aug 2013, at 22:37, Joseph Perrin wrote:
> The following appears to now work, but I don't understand some things:
>
>     files
>
>     if (control:Local-Group != "%{NAS-Identifier}" ) {
>
> Why does control:Local-Group not need to be enclosed in "%{ }", but
> NAS-Identifier does?

In 2.x.x a bareword left operand is assumed to be an attribute reference. A right bareword operand is assumed to be a number literal, or a member of the set of string values associated with an integer attribute.

LHS/RHS operands are not interchangeable in their roles.

> And why does %{ } content need to be within quotes

It's a string expansion; string expansions only function inside double quotes. This is similar to variable expansion in most scripting languages.

> , when the documentation doesn't say anything about them needing to be in
> quotes?

Man unlang:

    VARIABLES
        Run-time variables are referenced using the following syntax

            %{Variable-Name}

        Note that unlike C, there is no way to declare variables, or to refer to
        them outside of a string context. All references to variables MUST be
        contained inside of a double-quoted or back-quoted string.

> It's clear I must have a call to "files" prior to this in order to populate
> the "control" list, right?

Yes.

Arran Cudbard-Bell
FreeRADIUS Development Team
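The configuration this thread converges on, pulled together as an added example (not code from any of the posts): the dictionary entry, a users file with Local-Group as a check item so it lands in the control list, and the authorize check with the RHS as a quoted string expansion. The second user, the guest SSID entry and the existence guard are assumptions; the guard matters because the debug output earlier in the thread shows that a missing attribute makes the comparison evaluate FALSE, so without it a user with no Local-Group entry would pass the "!=" test.

```unlang
# /etc/raddb/dictionary -- local attribute, never sent on the wire
ATTRIBUTE    Local-Group    3000    string

# /etc/raddb/users -- Local-Group must be on the FIRST line (a check item,
# which goes into the control list); a continuation line is a reply item.
# The "def"/"guests" user is constructed for this example.
abc    Cleartext-Password := "xyz", Local-Group := "staff"
def    Cleartext-Password := "uvw", Local-Group := "guests"

# /etc/raddb/sites-enabled/default (2.x unlang)
authorize {
    preprocess

    # files has to run before the check: it populates control:Local-Group
    files

    # Bareword LHS is an attribute reference. The RHS is an expansion, so it
    # needs %{ } inside double quotes. A missing LHS attribute compares FALSE,
    # so a user with no Local-Group would otherwise slip past "!=": the
    # existence check rejects them. A NAS that sends no NAS-Identifier expands
    # to "" and is rejected as well, so the rule fails closed in both directions.
    if (!control:Local-Group || (control:Local-Group != "%{NAS-Identifier}")) {
        update reply {
            # 802.1X supplicants will not show this text to the user
            Reply-Message := "You may not connect to the %{NAS-Identifier} AP."
        }
        reject
    }

    # For tunnelled EAP (PEAP/TTLS) the real User-Name is only seen in
    # sites-enabled/inner-tunnel, so the same check belongs there too.
    eap
}
```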
Re: Auth by NAS-Identifier using unlang
Thank you. I now understand.

A stock install of FreeRADIUS in Fedora (i.e. via yum) does not provide a man page for unlang. Had you not helped me, I'd simply not know.

On Mon, Aug 5, 2013 at 6:00 PM, Arran Cudbard-Bell <a.cudba...@freeradius.org> wrote:
> On 5 Aug 2013, at 22:37, Joseph Perrin wrote:
> > The following appears to now work, but I don't understand some things:
> >
> >     files
> >
> >     if (control:Local-Group != "%{NAS-Identifier}" ) {
> >
> > Why does control:Local-Group not need to be enclosed in "%{ }", but
> > NAS-Identifier does?
>
> In 2.x.x bareword left operand is assumed to be an attribute reference.
> Right bareword operand is assumed to be a number literal, or a member of
> the set of string values associated with an integer attribute.
>
> LHS/RHS operands are not interchangeable in their roles.
>
> > And why does %{ } content need to be within quotes
>
> It's a string expansion, string expansions only function inside double
> quotes. This is similar to variable expansion in most scripting languages.
>
> > , when the documentation doesn't say anything about them needing to be
> > in quotes?
>
> Man unlang
>
>     VARIABLES
>         Run-time variables are referenced using the following syntax
>
>             %{Variable-Name}
>
>         Note that unlike C, there is no way to declare variables, or to refer
>         to them outside of a string context. All references to variables MUST
>         be contained inside of a double-quoted or back-quoted string.
>
> > It's clear I must have a call to "files" prior to this in order to
> > populate the "control" list, right?
>
> Yes.
>
> Arran Cudbard-Bell
> FreeRADIUS Development Team
Re: Auth by NAS-Identifier using unlang
On 08/05/2013 08:49 PM, Joseph Perrin wrote:
> Thank you. I now understand.
>
> A stock install of freeRadius in Fedora, (i.e. via yum), does not
> provide a man page for unlang. Had you not helped me, I'd simply not know.

Nonsense, the freeradius rpm installs the unlang man page. Please provide the exact installed rpm if you think otherwise.

--
John
Re: Auth by NAS-Identifier using unlang
I assume that's the freeradius2 package rather than freeradius, as 1.x doesn't have unlang.

alan
Re: Auth by NAS-Identifier using unlang
On 08/06/2013 02:31 AM, Alan Buxey wrote:
> I assume that's the freeradius2 package rather than freeradius as 1.x
> doesn't have unlang

The OP said Fedora. Fedora has never had a freeradius2 package (only ever existed in RHEL 5.x). Fedora has had 2.x for many years.

So either the OP is using an extremely old version, doesn't know what OS they're on, or is trying to blame the package for a failure to read the doc.

--
John