Re: unlang Question about evaluating unavailable attributes to FALSE
Stefan A. wrote:
> if I'm using an expression like
>
> if (control:VSA1=~/something/ || control:VSA2 =~/something_else/)
> {...}
>
> I do get the information "(Attribute control:VSA1 was not found)" in case
> the VSA is not in the control context.
> As the condition is '||', I would expect, that FR tries the next option, but
> it does not. It sets the whole expression to FALSE.

I think that's fixed in the v2.1.x branch in git. The fix will be in 2.1.11.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
unlang Question about evaluating unavailable attributes to FALSE
Hi,

if I'm using an expression like

    if (control:VSA1 =~ /something/ || control:VSA2 =~ /something_else/) {...}

I do get the information "(Attribute control:VSA1 was not found)" in case the VSA is not in the control context. As the condition is '||', I would expect that FR tries the next option, but it does not. It sets the whole expression to FALSE.

If I exchange the options, it works for me, because VSA2 is always available.

    if (control:VSA2 =~ /something/ || control:VSA1 =~ /something_else/) {...}

If I preset VSA1, it works too, but it will add slightly more load.

Is there a solution for the missing attribute to be ignored in '||' conditions, i.e. setting it discretely to FALSE, so that FR is able to evaluate the rest of the || expression? Would this be advisable?

Thank you.

Stefan
RE: unlang question
> i have made my modifications

Perhaps if you show us the modifications, someone might be able to suggest what's wrong.
unlang question
I want to insert the Quintum-h323-remote-address value into the radacct table at sql/dialup.conf. I have made my modifications, but I see entries like

    h323-remote-address=3D10.241.1.202

which is h323-remote-address=10.241.1.202, but I only want 10.241.1.202 (the IP address).

My entry at the details file:

    Quintum-h323-remote-address = "h323-remote-address=10.100.250.150"

I want 10.100.250.150.

PS: I know there is a hack for Quintum, but for some reason I am forced not to use it. I have looked at unlang but am unable to find a solution for that.

Regards.
Re: Unlang Question/Problem
Garber, Neal wrote:
> I'm running FR 2.1.6 with patches to rlm_mschap & rlm_eap_mschapv2 to
> correct a problem with case-sensitive userids.

Ok...

> First, if I didn't include "updated" after the "update request" actions,
> then it would return reject. Is that normal (I didn't call a module in
> there)?

Yes... it goes back to historical behavior, and the default return codes when the "authenticate" section is being processed.

> Should the unlang be outside of the "Auth-Type MS-CHAP" block?

No. It MUST be inside.

> Also, after Ntlm-Auth-Username is expanded, there's a "[request] returns
> reject". I think this is the source of the problem, but I don't
> understand where the reject is coming from.

Hm... I'm not sure, either.

> The mschap module that
> follows returns OK, but the subsequent eap-comodo module returns reject
> with no explanation in the debug. Do I need something like:

No, that won't help.

It looks like the EAP-MSCHAPv2 module is either NOT being run, or something else isn't generating an appropriate EAP packet as a reply. That's why the eap-comodo module returns reject.

I suggest starting off with a *simpler* configuration. Much of that "unlang" could be put into the "authorize" section, I think.

Alan DeKok.
Unlang Question/Problem
I haven't had much sleep the past few days and just wanted another set of eyes on an issue I'm having. Also, I won't be able to do more testing until tomorrow (user/equip. unavailable) and wanted to try to fix it before then.

I'm running FR 2.1.6 with patches to rlm_mschap & rlm_eap_mschapv2 to correct a problem with case-sensitive userids. Anyway, the patch was working great for user auth. and failing for machine auth. I used some unlang to get around the issue. I haven't done a lot with unlang (and yes, I read the man page), so I may be missing something simple. I'm doing 802.1x authentication from a Windows supplicant with PEAP/MS-CHAPv2.

Here's the authenticate section of my inner-tunnel server:

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            if (User-Name =~ /host\/(.*)\.energyeast\.net/i) {
                update request {
                    Ntlm-Auth-Username = "%{1}$"
                }
                updated
            }
            else {
                update request {
                    Ntlm-Auth-Username = "%{User-Name}"
                }
                updated
            }
            mschap-inner
        }
        Auth-Type LDAP {
            ldap
        }
        eap-internal
        eap-comodo
    }

First, if I didn't include "updated" after the "update request" actions, then it would return reject. Is that normal (I didn't call a module in there)? Should the unlang be outside of the "Auth-Type MS-CHAP" block?

Also, after Ntlm-Auth-Username is expanded, there's a "[request] returns reject". I think this is the source of the problem, but I don't understand where the reject is coming from. The mschap module that follows returns OK, but the subsequent eap-comodo module returns reject with no explanation in the debug.

Do I need something like:

    eap-comodo {
        ok = return
    }

Here's the relevant debug output:

    Tue Aug 18 15:41:15 2009 : Info: Found Auth-Type = eap-comodo
    Tue Aug 18 15:41:15 2009 : Info: +- entering group authenticate {...}
    Tue Aug 18 15:41:15 2009 : Info: [eap-comodo] Request found, released from the list
    Tue Aug 18 15:41:15 2009 : Info: [eap-comodo] EAP/mschapv2
    Tue Aug 18 15:41:15 2009 : Info: [eap-comodo] processing type mschapv2
    Tue Aug 18 15:41:15 2009 : Info: [mschapv2] +- entering group MS-CHAP {...}
    Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ++? if (User-Name =~ /host\/(.*)\.energyeast\.net/i)
    Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ? Evaluating (User-Name =~ /host\/(.*)\.energyeast\.net/i) -> TRUE
    Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ++? if (User-Name =~ /host\/(.*)\.energyeast\.net/i) -> TRUE
    Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ++- entering if (User-Name =~ /host\/(.*)\.energyeast\.net/i) {...}
    Tue Aug 18 15:41:15 2009 : Info: [mschapv2] expand: %{1}$ -> US62695C$
    Tue Aug 18 15:41:15 2009 : Info: [mschapv2] +++[request] returns reject
    Tue Aug 18 15:41:15 2009 : Info: +++[updated] returns updated
    Tue Aug 18 15:41:15 2009 : Info: ++- if (User-Name =~ /host\/(.*)\.energyeast\.net/i) returns updated
    Tue Aug 18 15:41:15 2009 : Info: ++ ... skipping else for request 124: Preceding "if" was taken
    Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] No Cleartext-Password configured. Cannot create LM-Password.
    Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] No Cleartext-Password configured. Cannot create NT-Password.
    Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] Using MS-CHAP Response Name (host/US62695C.energyeast.net) to construct MS-CHAPv1 challenge
    Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] rlm_mschap: mschap_authenticate: Creating challenge hash with username: host/US62695C.energyeast.net
    Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] Told to do MS-CHAPv2 for host/US62695C.energyeast.net with NT-Password
    Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] No trailing :- after variable at %{Ntlm-Auth-UserName:-None}}
    Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
    Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] expand: --username=%{%{Ntlm-Auth-UserName:-None}} -> --username=US62695C$
    Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] mschap2: d1
    Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] Using MS-CHAP Response Name (host/US62695C.energyeast.net) to construct MS-CHAPv1 challenge
    Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] rlm_mschap: mschap_xlat: Creating challenge hash with username: host/US62695C.energyeast.net
    Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=943b358133b5bcac
    Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=121180cc778e59746acb8c12aa6
Re: unlang question
> $ man unlang
>
> Everything following the "if" statement MUST be all on one line of text.
>
> Alan DeKok.

Ok thanks, I don't think that is clear on http://freeradius.org/radiusd/man/unlang.html .

I now have ...

    if("%{request:Stripped-User-Name}" !~ /visitor[0-9]?[0-9]/i) {
        reject
    }

and radiusd will start now.

Thanks to all

Bruce
Re: unlang question
bruce_m_richard...@biscuits.com wrote:
> if("%{request:Stripped-User-Name}" !~
> /visitor[0-9]?[0-9]/i) {
> reject
> }
>
> and got this ...
>
> /usr/local/etc/raddb/sites-enabled/all[156]: Parse error in condition
> at: "%{request:Stripped-User-Name}" !~
>
> any ideas ?

$ man unlang

Everything following the "if" statement MUST be all on one line of text.

Alan DeKok.
Re: unlang question
> Don't open and close brackets on the same line. Have a look at Arran's
> statement.

Ok I tried this ...

    if("%{request:Stripped-User-Name}" !~
    /visitor[0-9]?[0-9]/i) {
        reject
    }

and got this ...

    /usr/local/etc/raddb/sites-enabled/all[156]: Parse error in condition at: "%{request:Stripped-User-Name}" !~

any ideas ?

Bruce
Re: unlang question
>> if(("%{request:Service-Type}" == 'whatever') &&
>> ("%{request:Stripped-User-Name}" !~
>> /visitor[0-9]?[0-9]/i)) {
>>     reject
>> }
>
> # Just the Visitors please !!
> if("%{request:Stripped-User-Name}" !~
> /visitor[0-9]?[0-9]/i) {reject}

Don't open and close brackets on the same line. Have a look at Arran's statement.

Ivan Kalik
Kalik Informatika ISP
Re: unlang question
> if(("%{request:Service-Type}" == 'whatever') &&
> ("%{request:Stripped-User-Name}" !~
> /visitor[0-9]?[0-9]/i)) {
>     reject
> }
>
> I don't think naked attribute names were supported in 2.0.5..

Thanks Ivan and Arran, in fact there is only one Service-Type (Login-User). So I changed my authorize section to ...

    authorize {
        # preprocess
        prefix
        eap {
            ok = return
        }
        ldap
        # Just the Visitors please !!
        if("%{request:Stripped-User-Name}" !~ /visitor[0-9]?[0-9]/i) {reject}
        expiration
        logintime
    }

and now radiusd will not start ..

    /usr/local/etc/raddb/sites-enabled/all[182]: EOF reached without closing brace for section server starting at line 115
    Errors reading /usr/local/etc/raddb/radiusd.conf

I've also tried Ivan's version with the same results. Commenting out the 'if' statement fixes the issue, and I can't see any missing braces. Am I putting it in the wrong place, or is the syntax wrong ?

Bruce
Re: unlang question
On 20/3/09 12:25, t...@kalik.net wrote:
> > I do not want visitors to be able to get onto the original service, and I
> > do not want normal users to get onto the visitor service.
> >
> > My thoughts are to set up a new virtual server and add an 'if' statement
> > to look for the visitor user names, and reject or allow as necessary.
> >
> > something like this in the new virtual server
> >
> > if ( Stripped-User-Name != /visitor[0-9]?[0-9]/i ) { reject }
> >
> > and the inverse for the old service.
> >
> > if ( Stripped-User-Name =~ /visitor[0-9]?[0-9]/i ) { reject }
> >
> > Is this syntax correct ? and where do I put it?
>
> What about the service? You probably want:

    if(("%{request:Service-Type}" == 'whatever') &&
    ("%{request:Stripped-User-Name}" !~
    /visitor[0-9]?[0-9]/i)) {
        reject
    }

I don't think naked attribute names were supported in 2.0.5..

> That goes in authorize section.
>
> Ivan Kalik
> Kalik Informatika ISP

--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services), University Of Sussex
Re: unlang question
> I do not want visitors to be able to get onto the original service, and I
> do not want normal users to get onto the visitor service.
>
> My thoughts are to set up a new virtual server and add an 'if' statement
> to look for the visitor user names, and reject or allow as necessary.
>
> something like this in the new virtual server
>
> if ( Stripped-User-Name != /visitor[0-9]?[0-9]/i ) { reject }
>
> and the inverse for the old service.
>
> if ( Stripped-User-Name =~ /visitor[0-9]?[0-9]/i ) { reject }
>
> Is this syntax correct ? and where do I put it?

What about the service? You probably want:

    if( Service-Type == whatever && Stripped-User-Name != /visitor[0-9]?[0-9]/i ) {
        reject
    }

That goes in authorize section.

Ivan Kalik
Kalik Informatika ISP
unlang question
Hi,

I have freeRADIUS 2.0.5 authenticating against LDAP via eap and this has been working perfectly since last year. Now I have a new requirement to authenticate another set of users in the same LDAP tree onto a different service. These users will be visitors to our site and will have the user names Visitor1 ... Visitor(nn).

I do not want visitors to be able to get onto the original service, and I do not want normal users to get onto the visitor service.

My thoughts are to set up a new virtual server and add an 'if' statement to look for the visitor user names, and reject or allow as necessary.

Something like this in the new virtual server:

    if ( Stripped-User-Name != /visitor[0-9]?[0-9]/i ) { reject }

and the inverse for the old service.

    if ( Stripped-User-Name =~ /visitor[0-9]?[0-9]/i ) { reject }

Is this syntax correct ? and where do I put it?

Thanks for your time ...regards,

Bruce Richardson
Re: unlang question
Evgeniy Kozhuhovskiy wrote:
> Is it possible to parse a string in unlang?

Regular expressions.

Alan DeKok.
unlang question
Is it possible to parse a string in unlang?

For now, the home server gives my radius-proxy an AVP like:

    Something-Vendor-Specific = "a b"

and I need to translate it to:

    Something-Other-Vendor-Specific-1 = "a"
    Something-Other-Vendor-Specific-2 = "b"
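Added example (not from either thread) of what Alan's "regular expressions" answer looks like in unlang, covering both this post and the Quintum h323-remote-address question above. It assumes a 2.x server (Tmp-String-0 is from the stock internal dictionary); Something-Vendor-Specific and Something-Other-Vendor-Specific-1/2 are the stand-in names from this post, not real dictionary entries.

```unlang
# Added example, not the list's own configuration. Goes in the preacct
# section of the accounting virtual server (authorize for auth requests).
preacct {
	preprocess
	acct_unique

	# Quintum case: the NAS sends the whole "name=value" string in
	# Quintum-h323-remote-address. Keep only what follows "=", and only
	# if it is made of digits and dots; anything else leaves Tmp-String-0
	# unset, so a mangled value never reaches the SQL query.
	if (Quintum-h323-remote-address =~ /^h323-remote-address=([0-9.]+)$/) {
		update request {
			Tmp-String-0 = "%{1}"
		}
	}

	# Split case from this thread: "a b" becomes two attributes.
	# %{1} and %{2} are the capture groups of the last successful match,
	# so they must be used inside the if block that matched.
	if (Something-Vendor-Specific =~ /^([^ ]+) ([^ ]+)$/) {
		update request {
			Something-Other-Vendor-Specific-1 = "%{1}"
			Something-Other-Vendor-Specific-2 = "%{2}"
		}
	}
}
```

For the Quintum case the accounting query in sql/dialup.conf then references '%{Tmp-String-0}' instead of the raw vendor attribute.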
Re: unlang question
Norbert Wegener wrote:
> With unlang I achieve the following: Check, whether a special VLAN exists
> on a switch and if so, assign it.
...
> To reduce sql queries I want to avoid the second.
> Can I store the result of the first query and use the value to assign
> Tunnel-Private-Group-ID?

Yes. Intermediate variables are possible.

    update control {
        Tmp-String-0 = "%{sqlquery:SELECT value from ... }"
    }
    # Tmp-String-0 was put in the control list, so it has to be read
    # from there, both in the condition and in the expansion.
    if (control:Tmp-String-0 != "") {
        update reply {
            Tunnel-Private-Group-ID = "%{control:Tmp-String-0}"
            ...
        }
    }

Alan DeKok.
unlang question
With unlang I achieve the following: Check whether a special VLAN exists on a switch and if so, assign it. This works with the construct below.

    if ("%{sqlquery:SELECT value from radcheck where ( attribute='SIE-VLAN1' != '' and username='%{User-Name}') and value in (select vlan from vlan where nasname= '%{NAS-IP-Address}' ) }" != '') {
        update reply {
            Tunnel-Private-Group-ID = "%{sqlquery:SELECT value from radcheck where ( attribute='SIE-VLAN1' != '' and username='%{User-Name}') and value in (select vlan from vlan where nasname= '%{NAS-IP-Address}' )}"
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Type = VLAN
        }
    }

To reduce sql queries I want to avoid the second. Can I store the result of the first query and use the value to assign Tunnel-Private-Group-ID?

Thanks

Norbert Wegener
Re: unlang question
Andy Billington wrote:
> The list can be in a database or a text file or hard-coded into a
> script, its fairly short. New usernames can be handled as a different
> realm no problem but some of the existing ones have to be proxied
> also, we're having to delegate admin of them to a customer.

If the list is short, use rlm_passwd to put them into a local group, and proxy users who aren't in that group.

Alan DeKok.
Re: unlang question
Thanks Alan,

Looking into it more, what I really need to do is take a list of existing usernames and proxy them to an external server, but allow other usernames with the same format to be handled by a virtual server in the FreeRADIUS box. The list can be in a database or a text file or hard-coded into a script; it's fairly short. New usernames can be handled as a different realm, no problem, but some of the existing ones have to be proxied also; we're having to delegate admin of them to a customer.

Any thoughts - things to watch out for or that might help?

Andy

On 23/01/2008, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Andy Billington wrote:
> > hi all,
> > am looking at whether to migrate to 2.0 to create a couple of
> > possibilities and was wondering if I can:
> > 1. create a main virtual server
> > 2. use unlang to parse the incoming requests and then based on whether
> > they match a regex, proxy them to different virtual servers or to an
> > external 3rd party RADIUS?
>
> Yes. That's one of my test cases.
>
> The only issue is that you *will* have to proxy them. i.e. set up a
> client of 127.0.0.1, set up different "listen" sections for each virtual
> server, and set up those listen sections as "home servers". The code
> does not currently have a way to re-direct requests to a virtual server.
>
> Alan DeKok.
Re: unlang question
Andy Billington wrote:
> hi all,
> am looking at whether to migrate to 2.0 to create a couple of
> possibilities and was wondering if I can:
> 1. create a main virtual server
> 2. use unlang to parse the incoming requests and then based on whether
> they match a regex, proxy them to different virtual servers or to an
> external 3rd party RADIUS?

Yes. That's one of my test cases.

The only issue is that you *will* have to proxy them. i.e. set up a client of 127.0.0.1, set up different "listen" sections for each virtual server, and set up those listen sections as "home servers". The code does not currently have a way to re-direct requests to a virtual server.

Alan DeKok.
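Added example of the layout Alan describes, written for this reply and not taken from his test case: a second virtual server bound to a loopback port, declared as a home server, an external third-party home server, and a regex in the main server's authorize section choosing between them. Server names, ports, the 192.0.2.10 address and the CHANGE-ME secrets are placeholders.

```unlang
# proxy.conf: the "visitors" home server is our own virtual server on
# loopback; "partner_radius" is the external third-party server.
home_server visitors_vs {
	type = auth
	ipaddr = 127.0.0.1
	port = 18121
	secret = CHANGE-ME-loopback-secret
}
home_server_pool visitors_pool {
	type = fail-over
	home_server = visitors_vs
}
realm visitors_vs {
	auth_pool = visitors_pool
}

home_server partner_radius {
	type = auth
	ipaddr = 192.0.2.10
	port = 1812
	secret = CHANGE-ME-partner-secret
}
home_server_pool partner_pool {
	type = fail-over
	home_server = partner_radius
}
realm partner {
	auth_pool = partner_pool
}

# clients.conf: the loopback hop is an ordinary RADIUS client, so this
# secret must match home_server visitors_vs above.
client localhost {
	ipaddr = 127.0.0.1
	secret = CHANGE-ME-loopback-secret
}

# sites-enabled/visitors: the virtual server, listening on the same
# loopback port that home_server visitors_vs points at.
server visitors {
	listen {
		type = auth
		ipaddr = 127.0.0.1
		port = 18121
	}
	authorize {
		files
		pap
	}
	authenticate {
		Auth-Type PAP {
			pap
		}
	}
}

# sites-enabled/default, authorize section of the main server: setting
# control:Proxy-To-Realm is what sends a request out. Requests that
# match neither regex fall through to local authentication.
authorize {
	preprocess
	if (User-Name =~ /^visitor[0-9]+$/i) {
		update control {
			Proxy-To-Realm = "visitors_vs"
		}
	}
	elsif (User-Name =~ /@partner\.example$/i) {
		update control {
			Proxy-To-Realm = "partner"
		}
	}
	files
	pap
}
```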
unlang question
hi all,

am looking at whether to migrate to 2.0 to create a couple of possibilities and was wondering if I can:

1. create a main virtual server
2. use unlang to parse the incoming requests and then, based on whether they match a regex, proxy them to different virtual servers or to an external 3rd party RADIUS?

I'm sure I've missed something in the docs, so please, any pointers very gratefully received!

Andy
Re: unlang question
Norbert Wegener wrote:
> In pre2 an update reply works, when I have:
..
> Enterasys have an unusual syntax. They need for the
> same something like:
..
> Enterasys:version=1:mgmt=su:policy="%{control:Huntgroup-Name}"

It's just a double-quoted string, like shell scripts or C. You should be able to use:

    Filter-Id = "Enterasys...=\"%{...}\""

> This does not work for me. Trying different quoting do
> not yet help.
> Is this possible at all?

Yes.

Alan DeKok.
unlang question
In pre2 an update reply works, when I have:

    update reply {
        ...
        Tunnel-Private-Group-ID = "%{control:Huntgroup-Name}"
        ...
    }

Enterasys have an unusual syntax. They need for the same something like:

    update reply {
        ...
        filter-id = Enterasys:version=1:mgmt=su:policy="%{control:Huntgroup-Name}"
        ...
    }

This does not work for me. Trying different quoting does not yet help. Is this possible at all?

Norbert Wegener
Re: unlang question
Norbert Wegener wrote:
> Something like
> if ("%{sqlnastype:SELECT Value from radcheck where UserName =
> '%{User-Name}' and otherconditions}" == 'bla' )
> works,
> whereas I have problems
> with:
>
> if ("%{sqlnastype:SELECT Value from radcheck where UserName =
> '%{User-Name}' and other conditions.. " is not null )
>
> Am I doing something wrong or is "is not null" not (yet) implemented?

Where does the "is not null" come from? That looks to be SQL syntax, which is *not* implemented.

Maybe you mean:

    "%{sql:SELECT ... where .. is not null }"

i.e. the "is not null" appears inside of the %{}, which is inside of the "".

Alan DeKok.
unlang question
Something like

    if ("%{sqlnastype:SELECT Value from radcheck where UserName = '%{User-Name}' and otherconditions}" == 'bla' )

works, whereas I have problems with:

    if ("%{sqlnastype:SELECT Value from radcheck where UserName = '%{User-Name}' and other conditions.. " is not null )

Am I doing something wrong or is "is not null" not (yet) implemented?

Norbert Wegener
Re: unlang question
Norbert Wegener wrote:
> ... The client authenticates via a certificate. Everything
> works as expected. Nevertheless someone inspecting the switch logs found:
...
> and claimed, the Access-Challenge with Tunnel-Private-Group,
> Tunnel-Medium-Type etc. are not RFC compatible.

Yes.

> I can see those values in radiusd -AX, too, but didn't care.
>
> My question is:
> Is he right?
> If so: How would I have to change the configuration?

Ideally, the attributes in the reply should be sent ONLY on Access-Accept. i.e. the configuration should NOT update the reply until it has determined that the user has been authenticated. This involves moving most of the policy from the "authorize" section to the "post-auth" section.

> In my sites-enabled/default I have:
> ...
> # ldap1/2 set control:Huntgroup-Name.
>
> redundant {

Which section? authorize?

Alan DeKok.
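Added example of the restructuring Alan recommends, written for this thread rather than taken from Norbert's final configuration: the VLAN lookup and the reply update move from authorize into post-auth, so the Tunnel-* attributes are built only after EAP has succeeded and appear only in the Access-Accept. It assumes ldap1/ldap2 fill control:Huntgroup-Name and an sql instance named sqlnastype, both as in Norbert's post, and uses Tmp-String-0 as the intermediate variable.

```unlang
# sites-enabled/default, added example. Runs with EAP-TLS, so there is
# no inner tunnel and post-auth of this server is the accept path.
authorize {
	preprocess
	# ldap1/2 set control:Huntgroup-Name. Nothing touches the reply
	# list in this section: authorize runs for every EAP round-trip,
	# and whatever is in the reply list goes out in the Access-Challenge.
	redundant {
		ldap1
		ldap2
	}
	eap
}

authenticate {
	eap
}

post-auth {
	# Reached only after the certificate has been verified, so the
	# reply list built here is sent in the Access-Accept and nowhere
	# else. The switch-side check is one query, kept in the control
	# list as an intermediate variable instead of being run twice.
	update control {
		Tmp-String-0 = "%{sqlnastype:SELECT vl_vlan FROM vlan WHERE vl_vlan = '%{control:Huntgroup-Name}' AND vl_nasname = '%{NAS-IP-Address}'}"
	}
	# Empty result means the VLAN from AD does not exist on this NAS
	# (or Huntgroup-Name was never set); then no Tunnel-* attributes
	# are sent and the switch applies its own default policy.
	if (control:Tmp-String-0 != "") {
		update reply {
			Tunnel-Private-Group-ID = "%{control:Tmp-String-0}"
			Tunnel-Medium-Type = IEEE-802
			Tunnel-Type = VLAN
		}
	}
}
```

With this layout `radiusd -X` shows the three Tunnel attributes under "Sending Access-Accept" only; the Access-Challenge packets carry just EAP-Message, State and Message-Authenticator.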
unlang question
I am using a recent 2.0.0-pre cvs snapshot. For 802.1x authentication AD is queried for a valid machine account and VLAN, which the ldap modules put into the radius attribute Huntgroup-Name. The client authenticates via a certificate. Everything works as expected. Nevertheless someone inspecting the switch logs found:

    12277052: .Sep 26 13:33:45.914: RADIUS: Received from id 1645/86 139.25.78.162:1812, Access-Challenge, len 1130
    12277053: .Sep 26 13:33:45.914: RADIUS:  authenticator 41 6D FD 2B B1 E6 81 32 - 92 3A 05 C1 96 B9 A5 E9
    12277054: .Sep 26 13:33:45.914: RADIUS:  Tunnel-Private-Group[81]  18  "VL-SBS-AD02-0001"
    12277055: .Sep 26 13:33:45.914: RADIUS:  Tunnel-Medium-Type  [65]  6   00:ALL_802 [6]
    12277056: .Sep 26 13:33:45.914: RADIUS:  Tunnel-Type         [64]  6   00:VLAN    [13]
    12277057: .Sep 26 13:33:45.914: RADIUS:  EAP-Message         [79]  255

and claimed the Access-Challenge with Tunnel-Private-Group, Tunnel-Medium-Type etc. are not RFC compatible. I can see those values in radiusd -AX, too, but didn't care.

My question is: Is he right? If so: How would I have to change the configuration?

In my sites-enabled/default I have:

    ...
    # ldap1/2 set control:Huntgroup-Name.
    redundant {
        ldap1
        ldap2
    }
    #
    if ("%{sqlnastype:SELECT vl_vlan from vlan where vl_vlan = '%{control:Huntgroup-Name}' and vl_nasname='%{NAS-IP-Address}'}" == "%{control:Huntgroup-Name}" ) {
        # the vlan exists on the switch
        update reply {
            Tunnel-Private-Group-ID = "%{control:Huntgroup-Name}"
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Type = VLAN
        }
    }
    ..

This works as expected.

    Sending Access-Challenge of id 135 to 172.31.110.149 port 1645
        Tunnel-Private-Group-Id:0 = "VL-SBS-AD02-0001"
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        Message-Authenticator = 0x
        State = 0xcf369d304b83244706a446310ed5b92e
    Finished request 1 state 5
    Going to the next request

The complete output can be found at http://www.wegener-net.de:/freeradius

Norbert Wegener
Re: unlang question
Norbert Wegener wrote:
> The point is, it seems to work only if there is an
> authorize_check_query and an authorize_reply_query in the sql module.
> So I have to set up an authorize_reply_query with UserName, Attr Name,
> Attr Value, Op, although I am only interested in the answer to the query
> above, which might be Cisco, Enterasys or something like that.
>
> Is there a way to avoid such an authorize_reply_query or even the
> authorize_check_query?

Code changes in rlm_sql. Maybe for 2.1, or 3.x, we can re-factor the code into "connect to db", and separately, "do something with that data".

Alan DeKok.
unlang question
I want to use the result from a sql query in something like this:

    ...
    switch "%{sqlnastype:SELECT nas.type FROM `nas` WHERE nas.nasname ='%{NAS-IP-Address}'}" {
        case "Cisco" {
            ...

It works, and it is a great feature. The point is, it seems to work only if there is an authorize_check_query and an authorize_reply_query in the sql module. So I have to set up an authorize_reply_query with UserName, Attr Name, Attr Value, Op, although I am only interested in the answer to the query above, which might be Cisco, Enterasys or something like that.

Is there a way to avoid such an authorize_reply_query or even the authorize_check_query?

Norbert Wegener