Re: Support for RFC4372 (Chargeable User Identity)
Alan DeKok pisze: Maja Wolniewicz wrote: According to RFC4372 CUI attribute in request can include a single NUL character, then your test if (%{Chargeable-User-Identifier}) { update reply { Chargeable-User-Identifier = } } evaluates to false. I've fixed this in CVS head (2.0.1-pre), added better type-checking, and removed the requirement to always convert everything to strings: if (Chargeable-User-Identifier == ) { ... if (Framed-IP-Address 127.0.0.1) { ... ~200 lines of code: big administrator happiness. :) Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html I'm now running freeradius from CVS FreeRADIUS Version 2.0.1-pre in post-auth I have: if (%{FreeRADIUS-Proxied-To} == 127.0.0.1) { if (%{Chargeable-User-Identity}) { update reply { Chargeable-User-Identity:=%{reply:[EMAIL PROTECTED] } } else { update reply { Chargeable-User-Identity-=%{reply:Chargeable-User-Identity} } } } and it still doesn't work for me: when Chargeable-User-Identity in request has a nul value, I'm getting: ++? if (%{FreeRADIUS-Proxied-To} == 127.0.0.1) expand: %{FreeRADIUS-Proxied-To} - 127.0.0.1 ? Evaluating (%{FreeRADIUS-Proxied-To} == 127.0.0.1) - TRUE ++? if (%{FreeRADIUS-Proxied-To} == 127.0.0.1) - TRUE ++- entering if (%{FreeRADIUS-Proxied-To} == 127.0.0.1) +++? if (%{Chargeable-User-Identity}) expand: %{Chargeable-User-Identity} - ? Evaluating (%{Chargeable-User-Identity}) - FALSE +++? if (%{Chargeable-User-Identity}) - FALSE +++- entering else else expand: %{reply:Chargeable-User-Identity} - when Chargeable-User-Identity in request is AAA ++? if (%{FreeRADIUS-Proxied-To} == 127.0.0.1) - TRUE ++- entering if (%{FreeRADIUS-Proxied-To} == 127.0.0.1) +++? if (%{Chargeable-User-Identity}) expand: %{Chargeable-User-Identity} - AAA ? Evaluating (%{Chargeable-User-Identity}) - TRUE +++? if (%{Chargeable-User-Identity}) - TRUE +++- entering if (%{Chargeable-User-Identity}) expand: %{reply:[EMAIL PROTECTED] - [EMAIL PROTECTED] Maja -- Maja Gorecka-Wolniewicz [EMAIL PROTECTED] http://www.umk.pl/~mgw PGP key: http://www.umk.pl/~mgw/pgp_pub_key.asc Uczelniane Centrum Information Communication InformatyczneTechnology Centre Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University Coll. Maximum, pl. Rapackiego 1, 87-100 Torun, Poland tel.: +48 56-611-27-40 fax: +48 56-622-18-50 tel. kom.: +48-693032574 smime.p7s Description: S/MIME Cryptographic Signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Support for RFC4372 (Chargeable User Identity)
Maja Wolniewicz wrote: I'm now running freeradius from CVS FreeRADIUS Version 2.0.1-pre in post-auth I have: if (%{FreeRADIUS-Proxied-To} == 127.0.0.1) { if (%{Chargeable-User-Identity}) { Please fix this. Putting double quotes around *everything* was never necessary, and is much less necessary in 2.0.1. See the examples from my original message, and in man unlang. What you want is: if (FreeRADIUS-Proxied-To == 127.0.01) { ... if (Chargeable-User-Identity) { ... update reply { Chargeable-User-Identity:=%{reply:[EMAIL PROTECTED] } Huh? You're updating the reply attribute with the reply attribute? What do you think this is doing? and it still doesn't work for me: Perhaps you could explain why you think it should do *anything* useful. when Chargeable-User-Identity in request has a nul value, I'm getting: ... expand: %{Chargeable-User-Identity} - ? Evaluating (%{Chargeable-User-Identity}) - FALSE Update this to use my example above. See also man unlang: If the word ’foo’ is not a quoted string, then it can be taken as a reference to a named attribute. See Referencing attribute lists, below, for examples of attribute references. The condi‐ tion evaluates to true if the named attribute exists. This *is* documented. I *did* say I had updated the documentation. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Support for RFC4372 (Chargeable User Identity)
Alan DeKok pisze: Maja Wolniewicz wrote: I'm now running freeradius from CVS FreeRADIUS Version 2.0.1-pre in post-auth I have: if (%{FreeRADIUS-Proxied-To} == 127.0.0.1) { if (%{Chargeable-User-Identity}) { Please fix this. Putting double quotes around *everything* was never necessary, and is much less necessary in 2.0.1. See the examples from my original message, and in man unlang. Thanks. Now it works. What you want is: if (FreeRADIUS-Proxied-To == 127.0.01) { ... if (Chargeable-User-Identity) { ... update reply { Chargeable-User-Identity:=%{reply:[EMAIL PROTECTED] } Huh? You're updating the reply attribute with the reply attribute? What do you think this is doing? Yes, I want to add current realm to reply attribute Chargeable-User-Identity which comes form LDAP. When Chargeable-User-Identity attribute isn't present in request I want to remove Chargeable-User-Identity from reply. if (Chargeable-User-Identity) { update reply { Chargeable-User-Identity:=%{reply:[EMAIL PROTECTED] } } else { update reply { Chargeable-User-Identity-=%{reply:Chargeable-User-Identity} } } What is wrong in it? Maja and it still doesn't work for me: Perhaps you could explain why you think it should do *anything* useful. when Chargeable-User-Identity in request has a nul value, I'm getting: ... expand: %{Chargeable-User-Identity} - ? Evaluating (%{Chargeable-User-Identity}) - FALSE Update this to use my example above. See also man unlang: If the word 'foo' is not a quoted string, then it can be taken as a reference to a named attribute. See Referencing attribute lists, below, for examples of attribute references. The condi- tion evaluates to true if the named attribute exists. This *is* documented. I *did* say I had updated the documentation. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Maja Gorecka-Wolniewicz [EMAIL PROTECTED] http://www.umk.pl/~mgw PGP key: http://www.umk.pl/~mgw/pgp_pub_key.asc Uczelniane Centrum Information Communication InformatyczneTechnology Centre Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University Coll. Maximum, pl. Rapackiego 1, 87-100 Torun, Poland tel.: +48 56-611-27-40 fax: +48 56-622-18-50 tel. kom.: +48-693032574 smime.p7s Description: S/MIME Cryptographic Signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Support for RFC4372 (Chargeable User Identity)
Maja Wolniewicz wrote: Thanks. Now it works. That's good to hear. Yes, I want to add current realm to reply attribute Chargeable-User-Identity which comes form LDAP. When Chargeable-User-Identity attribute isn't present in request I want to remove Chargeable-User-Identity from reply. There's a simple answer: don't add something if it's not needed. Adding it and then deleted it is complicated, and prone to errors. Instead, add it *only* if it's necessary. This may involve update the LDAP maps to use a temporary attribute. e.g. map the LDAP data to My-Chargeable-User-Identity, and then map that to Chargeable-User-Identity only when necessary. See raddb/dictionary for how to define local attributes like this. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Support for RFC4372 (Chargeable User Identity)
Alan DeKok pisze: Maja Wolniewicz wrote: Thanks. Now it works. That's good to hear. Yes, I want to add current realm to reply attribute Chargeable-User-Identity which comes form LDAP. When Chargeable-User-Identity attribute isn't present in request I want to remove Chargeable-User-Identity from reply. There's a simple answer: don't add something if it's not needed. Adding it and then deleted it is complicated, and prone to errors. Instead, add it *only* if it's necessary. This may involve update the LDAP maps to use a temporary attribute. e.g. map the LDAP data to My-Chargeable-User-Identity, and then map that to Chargeable-User-Identity only when necessary. See raddb/dictionary for how to define local attributes like this. That's right. Thanks for help, Maja Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Maja Gorecka-Wolniewicz [EMAIL PROTECTED] http://www.umk.pl/~mgw PGP key: http://www.umk.pl/~mgw/pgp_pub_key.asc Uczelniane Centrum Information Communication InformatyczneTechnology Centre Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University Coll. Maximum, pl. Rapackiego 1, 87-100 Torun, Poland tel.: +48 56-611-27-40 fax: +48 56-622-18-50 tel. kom.: +48-693032574 smime.p7s Description: S/MIME Cryptographic Signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Support for RFC4372 (Chargeable User Identity)
Maja Wolniewicz wrote: According to RFC4372 CUI attribute in request can include a single NUL character, then your test if (%{Chargeable-User-Identifier}) { update reply { Chargeable-User-Identifier = } } evaluates to false. I've fixed this in CVS head (2.0.1-pre), added better type-checking, and removed the requirement to always convert everything to strings: if (Chargeable-User-Identifier == ) { ... if (Framed-IP-Address 127.0.0.1) { ... ~200 lines of code: big administrator happiness. :) Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Support for RFC4372 (Chargeable User Identity)
Hello, is that implemented in FR, be it 1.1 or 2.0? According to http://wiki.freeradius.org/RFC it shouldn't be. From my reading of the RFC, defining it by hand in radreply is not considered good enough, because it has a specific logic behind it: (2.1) If a home RADIUS server that supports the CUI attribute receives an Access-Request packet containing a CUI (set to nul or otherwise), it MUST include the CUI attribute in the Access-Accept packet. Otherwise, if the Access-Request packet does not contain a CUI, the home RADIUS server SHOULD NOT include the CUI attribute in the Access-Accept packet. The Access-Request may be sent either in the initial authentication or during re-authentication. So, always sending it via radreply would ignore the SHOULD NOT. Not defining it at all though makes it difficult for the server to maintain a persistent yet anonymous handle. So something like defining it by hand but only including it if it was asked for would be needed. Is that logic present in FR? Greetings, Stefan Winter -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: [EMAIL PROTECTED] Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473 signature.asc Description: This is a digitally signed message part. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Support for RFC4372 (Chargeable User Identity)
Stefan Winter wrote: is that implemented in FR, be it 1.1 or 2.0? According to http://wiki.freeradius.org/RFC it shouldn't be. It's in the dictionaries... From my reading of the RFC, defining it by hand in radreply is not considered good enough, because it has a specific logic behind it: (2.1) If a home RADIUS server that supports the CUI attribute receives an Access-Request packet containing a CUI (set to nul or otherwise), it MUST include the CUI attribute in the Access-Accept packet. That can be done via policy logic in unlang. if (%{Chargeable-User-Identifier}) { update reply { Chargeable-User-Identifier = } } So, always sending it via radreply would ignore the SHOULD NOT. Not defining it at all though makes it difficult for the server to maintain a persistent yet anonymous handle. So something like defining it by hand but only including it if it was asked for would be needed. Is that logic present in FR? Nope. It's 4 lines of text, as above. The only complexity is *creating* it, and mapping it to a known user. This can be done via additional logic, and stored in SQL, for example. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html