RE: Rewriting usernames before authenticating

2005-01-20 Thread Dennis Beach
> I used to think that setting "Fall-Through = Yes" achieves exactly that task
> without modifying any code. For example, I have an entry
>
> DEFAULT NAS-IP-Address == w.x.y.z
>         NAS-Identifier := vpn,
>         Fall-Through = Yes
>
> and I believe it _does_ fall-through.

I thought that should work also and I tried it, but specifying Fall-Through
in hints did not work for me.  Unless there is another place in the source
code where the hints entries are processed, it was definitely coded to stop
looking through the list after processing the first match.

If you are sure it works for you, what version of FreeRADIUS are you
running?  I am on version 1.0.1, although I can't imagine that a
Fall-Through capability would have been removed.  It only makes sense for it
to work.  I have a lot more source-diving to do before I can figure out how
to only fall through if "Fall-Through=Yes" is given in the pair list.  The
forced fall through for all items was an extremely simple change.

Dennis Beach
Systems Engineer
RR Donnelley, Information Technology
(765) 364-4604 - phone
(765) 230-6111 - cellular
(765) 364-3056 - fax
[EMAIL PROTECTED]



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Rewriting usernames before authenticating

2005-01-19 Thread Stefan Winter
Hi!

> After getting this to work I decided that I would like to alter the format
> of Called-Station-Id and Calling-Station-Id as well.  It did not take long
> to see that only the first matching DEFAULT entry in hints is matched.  I
> accomplished my goal by modifying the rlm_preprocess.c code to force a
> Fall-Through of all hints entries (I don't use any other hints).  Is there
> a more elegant way to use the hints file (or any other mechanism) to modify
> (mangle) more than one attribute?

I used to think that setting "Fall-Through = Yes" achieves exactly that task 
without modifying any code. For example, I have an entry

DEFAULT NAS-IP-Address == w.x.y.z
        NAS-Identifier := vpn,
        Fall-Through = Yes

and I believe it _does_ fall-through. 

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingénieur réseau et système

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]     tél.:      +352 424409-33
http://www.restena.lu                     fax:      +352 422473



RE: Rewriting usernames before authenticating

2005-01-19 Thread Dennis Beach
> DEFAULT Client-IP-Address == 158.64.1.155,
> User-Name =~ "^([^-]+)-([^-]+)-([^-]+)-([^-]+)-([^-]+)-([^-]+)"
>         User-Name := `%{1}%{2}.%{3}%{4}.%{5}%{6}`

This is exactly what I needed:

DEFAULT User-Name =~ "^([^-]+)-([^-]+)-([^-]+)-([^-]+)-([^-]+)-([^-]+)"
        User-Name := "%{1}%{2}.%{3}%{4}.%{5}%{6}"

Thank you very much!

> I'm not quite good at writing regex's...

You could have fooled me.  That's a pretty complex regex.  I did not realize
regular expressions had evolved so far.  I guess I had better dig into some
current documentation.  Is this variable-storing feature available in Perl?

> Oh, BTW, I believe there is an IOS option...

The Cisco format is the one accepted by a corporate RADIUS server (Cisco
ACS) outside my control through which I proxy unknown requests.  It is the
Intermec format that has to be changed.

After getting this to work I decided that I would like to alter the format
of Called-Station-Id and Calling-Station-Id as well.  It did not take long
to see that only the first matching DEFAULT entry in hints is matched.  I
accomplished my goal by modifying the rlm_preprocess.c code to force a
Fall-Through of all hints entries (I don't use any other hints).  Is there a
more elegant way to use the hints file (or any other mechanism) to modify
(mangle) more than one attribute?

Dennis Beach
Systems Engineer
RR Donnelley, Information Technology
(765) 364-4604 - phone
(765) 230-6111 - cellular
(765) 364-3056 - fax
[EMAIL PROTECTED]







Re: Rewriting usernames before authenticating

2005-01-19 Thread Stefan Winter
Hi,

> INTERMEC sends usernames (MAC
> address) as 00-00-00-00-00-00 and the Cisco sends them like
> ... Can the usernames be rewritten when they are of one format

Well, I don't know if there are more elegant ways to do this, but if all else 
fails you could set up an entry in the hints file using regular expressions. 
I'm not quite good at writing regex's, so the following may be flawed, but it 
should at least be similar to

DEFAULT Client-IP-Address == 158.64.1.155,
User-Name =~ "^([^-]+)-([^-]+)-([^-]+)-([^-]+)-([^-]+)-([^-]+)"
        User-Name := `%{1}%{2}.%{3}%{4}.%{5}%{6}`

(the first two lines are actually one, broke them for clarity)

The regex evaluation stores the parts between the dashes in six separate 
variables, and the := adds these parts, grouped together two by two and 
separated with a dot. So, effectively, you convert INTERMEC usernames into 
Cisco-style.
Oh, BTW, I believe there is an IOS option where you can instruct the device to 
use a specific format for its MAC addresses.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingénieur réseau et système

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]     tél.:      +352 424409-33
http://www.restena.lu                     fax:      +352 422473
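
Added example (not part of the original post, and not FreeRADIUS code): a Python model of the hints entry above, showing which usernames the posted pattern rewrites compared with a stricter, fully anchored hex-only pattern. STRICT, rewrite() and the sample usernames are constructed for illustration; the output template is the one from the post.

```python
import re

# Pattern exactly as posted in the hints entry: six dash-separated fields,
# anchored at the start only, each field any run of non-dash characters.
POSTED = re.compile(r"^([^-]+)-([^-]+)-([^-]+)-([^-]+)-([^-]+)-([^-]+)")

# Stricter variant (assumption, not from the thread): exactly two hex digits
# per field and anchored at both ends, so only MAC-shaped names are rewritten.
STRICT = re.compile("^" + "-".join([r"([0-9A-Fa-f]{2})"] * 6) + "$")


def rewrite(pattern, username):
    """Model of  User-Name := "%{1}%{2}.%{3}%{4}.%{5}%{6}"  on a regex match.

    Returns the rewritten name, or the name unchanged when the pattern does
    not match (the entry does not apply in that case).
    """
    m = pattern.search(username)
    if m is None:
        return username
    g = m.groups()
    # The whole attribute is replaced by the template, so anything the
    # capture groups did not cover is dropped from the result.
    return f"{g[0]}{g[1]}.{g[2]}{g[3]}.{g[4]}{g[5]}"


# Constructed sample usernames.
SAMPLES = [
    "00-11-22-33-44-55",        # dashed MAC, the intended input
    "00-11-22-33-44-55-extra",  # seventh field after the MAC
    "a-b-c-d-e-f",              # six fields, but not hex pairs
    "alice",                    # ordinary username, no dashes
]


def compare(samples=SAMPLES):
    """Return (input, posted_result, strict_result) for each sample."""
    return [(s, rewrite(POSTED, s), rewrite(STRICT, s)) for s in samples]


if __name__ == "__main__":
    for name, posted, strict in compare():
        print(f"{name!r:28} posted={posted!r:20} strict={strict!r}")
```

With the posted pattern, any name with six or more dash-separated fields is rewritten and a seventh field is silently discarded; the strict pattern leaves everything except a well-formed dashed MAC untouched.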



Rewriting usernames before authenticating

2005-01-14 Thread Dennis Beach
I have FreeRADIUS 1.0.1 running successfully with an INTERMEC
access point. We also have a Cisco access point and would like
both to use the same RADIUS server. INTERMEC sends usernames (MAC
address) as 00-00-00-00-00-00 and the Cisco sends them like
... Can the usernames be rewritten when they are of one format so
each MAC address can be entered just once, or do I have to make two
user entries (one for each format) for each MAC address?

