Get Attribute Value inside a Module
Brian Candler
B.Candler at pobox.com
Thu Feb 21 13:58:21 CET 2013

On Thu, Feb 21, 2013 at 08:55:48AM +0100, Patrick Ko wrote:
> I want to know if it is possible to get the Attribute's Value inside
> a Module!

If you want to map the string "Cisco-VPN-Client" to the value 1, this is
probably possible using a dict lookup, but if you look at the rest of the
freeradius code you'll see the attribute values are usually hard-coded in
constants.

    $ grep -R PW_ src/include
    ...
    src/include/radius.h:#define PW_USER_NAME 1
    src/include/radius.h:#define PW_USER_PASSWORD 2
    src/include/radius.h:#define PW_PASSWORD 2
    src/include/radius.h:#define PW_CHAP_PASSWORD 3
    src/include/radius.h:#define PW_NAS_IP_ADDRESS 4
    src/include/radius.h:#define PW_NAS_PORT 5
    ...
    src/include/radius.h:#define PW_LOGIN_USER 1
    src/include/radius.h:#define PW_FRAMED_USER 2
    src/include/radius.h:#define PW_CALLBACK_LOGIN_USER 3
    src/include/radius.h:#define PW_CALLBACK_FRAMED_USER 4

That is: the RFCs define the numeric values sent on the wire, not the
dictionary names. The values never change, so by using the values directly
you save the overhead of a dictionary lookup and you isolate yourself from
problems caused by bad dictionaries.

If you want to convert the value 1 for attribute CASA-Client-Type to the
string "Cisco-VPN-Client" (e.g. for logging) then this will be possible via
the dictionary, but beware that the dictionary may define multiple names
mapping to the same value for backwards-compatibility, in which case you'll
get only one of them.

> I want this because I want to know inside my Module if the connected
> Client is "AnyConnect" etc. to create an Action!

Then the action probably should depend on the numeric value, not the string
in the dictionary.

    #define PW_CLIENT_CISCO_VPN_CLIENT 1
    #define PW_CLIENT_ANYCONNECT_CLIENT_SSL_VPN 2
    #define PW_CLIENT_CLIENTLESS_SSL_VPN 3
    ...
    switch (value) {
    case PW_CLIENT_CISCO_VPN_CLIENT:
        ...
        break;
    case PW_CLIENT_ANYCONNECT_CLIENT_SSL_VPN:
        ...
        break;
    }

However: almost certainly you're going about this the wrong way by writing a
C module. What is it you're trying to do that cannot be done using the
built-in 'unlang' language? You can write things like:

    authorize {
        if (CASA-Client-Type == Cisco-VPN-Client) {
            ... do stuff, invoke database lookups, modify the reply, etc etc
            update reply {
                Reply-Message += "Welcome, VPN Client"
            }
        }
        ... etc
    }

Regards,
Brian.
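
Added example (not part of the original message and not FreeRADIUS code): a constructed stand-in for dictionary VALUE entries, showing that every alias resolves to the same number while the reverse lookup returns only one name, so the decision is keyed on the number. The table, the alias "Legacy-VPN-Client", the function names and the action strings are assumptions; the three numeric values are the ones given in the message.

```c
#include <stdio.h>
#include <string.h>

/* Numeric values from the message: these are what is sent on the wire. */
#define PW_CLIENT_CISCO_VPN_CLIENT          1
#define PW_CLIENT_ANYCONNECT_CLIENT_SSL_VPN 2
#define PW_CLIENT_CLIENTLESS_SSL_VPN        3

/* Constructed stand-in for dictionary VALUE entries (assumption).
 * "Legacy-VPN-Client" is a hypothetical backwards-compatibility alias. */
struct dict_value { const char *name; int value; };
static const struct dict_value client_type_dict[] = {
    { "Cisco-VPN-Client",          1 },
    { "Legacy-VPN-Client",         1 },
    { "AnyConnect-Client-SSL-VPN", 2 },
    { "Clientless-SSL-VPN",        3 },
};
#define DICT_LEN (sizeof(client_type_dict) / sizeof(client_type_dict[0]))

/* Name -> value: every alias resolves; -1 if the name is unknown. */
int value_by_name(const char *name) {
    for (size_t i = 0; i < DICT_LEN; i++)
        if (strcmp(client_type_dict[i].name, name) == 0)
            return client_type_dict[i].value;
    return -1;
}

/* Value -> name: only the first matching entry is returned, so use
 * the result for logging, never for a policy decision. */
const char *name_by_value(int value) {
    for (size_t i = 0; i < DICT_LEN; i++)
        if (client_type_dict[i].value == value)
            return client_type_dict[i].name;
    return NULL;
}

/* Policy keyed on the number; unknown values fall through to a default. */
const char *action_for(int value) {
    switch (value) {
    case PW_CLIENT_CISCO_VPN_CLIENT:          return "ipsec-policy";
    case PW_CLIENT_ANYCONNECT_CLIENT_SSL_VPN: return "anyconnect-policy";
    case PW_CLIENT_CLIENTLESS_SSL_VPN:        return "clientless-policy";
    default:                                  return "reject";
    }
}

int main(void) {
    int v = value_by_name("Legacy-VPN-Client");
    return printf("%d %s %s\n", v, name_by_value(v), action_for(v)) < 0;
}
```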