Using multiple auth methods, ports

Geoff Silver geoff+freeradius at uslinux.net
Tue Feb 21 22:22:54 CET 2006


Hi Phil (et al),

In case others on the list are interested, I was able to get this working with
last night's CVS checkout by setting a hints entry of:

	DEFAULT         User-Name =~ "^(.*)$"
	                Hint = "Port-%{request:Packet-Dst-Port}"

And users entries of:

	geoff    Auth-Type := Accept, Huntgroup-Name == "office", Hint == "Port-1645"

	geoff    Auth-Type := Local, User-Password == "mypassword", Huntgroup-Name == "office", Hint == "Port-1812"

I went through the diffs between production 1.1.0 and CVS and ended up
creating the following patch, based on the CVS 2.0.0pre0 code.  Are there any
developers on this list, and if so, would anyone be willing to add the
following patch into the next 1.1.x release (I hate to subscribe to the -devel
list just to ask if anyone will include this patch)?

--- src/main/xlat.c.orig     6 Feb 2006 20:52:20 -0000       1.1
+++ src/main/xlat.c     21 Feb 2006 21:17:56 -0000
@@ -196,6 +196,10 @@
                 *      FIXME: Add SRC/DST IP address!
                 */
                if (packet) {
+                       VALUE_PAIR localvp;
+
+                       localvp.strvalue[0] = 0;
+
                        switch (da->attr) {
                        case PW_PACKET_TYPE:
                        {
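Review bot: `localvp` is only partially initialised in this hunk: `localvp.strvalue[0] = 0;` clears the first byte of the string buffer, but `length`, `flags`, `next` and the other members of the stack-allocated `VALUE_PAIR` keep whatever was on the stack when `valuepair2str()` later reads the structure. Initialise the whole structure once, e.g. `memset(&localvp, 0, sizeof(localvp));` directly after the declaration, and drop the single-byte assignment.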
@@ -210,12 +214,26 @@
                                return strlen(out);
                        }
                        break;
+
+                        case PW_PACKET_SRC_PORT:
+                                localvp.attribute = da->attr;
+                                localvp.lvalue = packet->src_port;
+                                break;
+
+                        case PW_PACKET_DST_PORT:
+                                localvp.attribute = da->attr;
+                                localvp.lvalue = packet->dst_port;
+                                break;

                        default:
+                               return 0;
                                break;
                        }
-               }

+                        localvp.type = da->type;
+                        return valuepair2str(out, outlen, &localvp,
+                                             da->type, func);
+               }
                /*
                 *      Not found, die.
                 */
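Review bot: the `return 0;` added under `default:` changes behaviour for every attribute that reaches this switch without its own case: the old code fell through to the "Not found, die." path below, which reports the unknown attribute, whereas the new code returns silently with an empty expansion, so a mistyped `%{request:...}` name is no longer diagnosed. Keep the fall-through for the default case, or limit the early return to attributes that genuinely have no packet field. Moving the closing brace of `if (packet)` past the new `return valuepair2str(...)` also means the block now returns on every path, so the "Not found" code is only reachable when `packet` is NULL; a comment there would save the next reader from wondering why.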

--- src/include/radius.h.orig        6 Feb 2006 20:52:20 -0000      1.1
+++ src/include/radius.h        21 Feb 2006 21:18:29 -0000
@@ -183,8 +183,9 @@
 #define PW_REWRITE_RULE                1078
 #define PW_SQL_GROUP                   1079
 #define PW_RESPONSE_PACKET_TYPE        1080
-#define PW_PACKET_DST_PORT             1081
 #define PW_MS_CHAP_USE_NTLM_AUTH       1082
+#define PW_PACKET_SRC_PORT             1086
+#define PW_PACKET_DST_PORT             1087

 /*
  *     Integer Translations
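Review bot: this hunk renumbers an existing attribute (`PW_PACKET_DST_PORT` moves from 1081 to 1087) and adds `PW_PACKET_SRC_PORT` at 1086, but the matching `ATTRIBUTE` lines in the server dictionary are not part of the patch. The xlat code dispatches on `da->attr` as loaded from the dictionary, so unless the dictionary numbers change in the same commit, `Packet-Dst-Port` still resolves to 1081 and the new `case` in xlat.c is never reached. Please include the dictionary change, confirm that 1086 and 1087 are unassigned in the tree this targets, and state why 1081 is being abandoned rather than kept with only the source-port number added.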



Phil Mayers wrote:
> I assume you mean Packet-Dst-Port, but yes that would be the way to do it.
> 
> Looking at it, it appears this is in CVS head but not in my tarball of
> 1.1.0. doc/variables.txt in a CVS checkout lists Packet-Dst-Port as
> supported and it's in the xlat_packet function.
> 
> What I can't figure out is how you might do this:
> 
> DEFAULT %{request:Packet-Dst-Port}==1234, Autz-Type := "cert"
> 
> ...i.e. have an expansion on the left hand side. I'm not sure you can,
> but the code is quite big and I've only scanned it.
> 
> What you can do (in CVS head) is use the following in the hints file
> (which is actually quite appropriate):
> 
> DEFAULT User-Name =~ "^(.*)$"
>         Hint = "%{request:Packet-Dst-Port}"
> 
> ...then have the "users" file read:
> 
> DEFAULT Hint=="THEDESTPORT", Auth-Type := Accept
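To make the hints-then-users dispatch described above concrete, here is an added example (not FreeRADIUS code and not from either poster) that models, in simplified form, how the files module evaluates the two entries: the hints entry stamps `Hint = "Port-<dst port>"` onto the request, and the users file then picks an Auth-Type by matching `Hint` and `Huntgroup-Name`. The huntgroup membership (NAS 192.0.2.10 is "office"), the operator semantics and the `%{request:...}` expansion are assumptions of this model, and `User-Password ==` is treated as a plain comparison against the request.

```python
import re

# Constructed hints and users entries, modelled on the ones in the post (added example;
# this is a simplified model of the FreeRADIUS files module, not the server's own code).
HINTS = '''
DEFAULT User-Name =~ "^(.*)$"
        Hint = "Port-%{request:Packet-Dst-Port}"
'''

USERS = '''
geoff    Auth-Type := Accept, Huntgroup-Name == "office", Hint == "Port-1645"
geoff    Auth-Type := Local, User-Password == "mypassword", Huntgroup-Name == "office", Hint == "Port-1812"
'''

# Constructed huntgroup definition (assumption): which NAS addresses count as "office".
HUNTGROUPS = {"office": {"192.0.2.10"}}

# One "Attribute op value" item; the value is a double-quoted string or a bare word.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=~|=)\s*(?:"([^"]*)"|([^\s,]+))\s*,?')
SET_OPS = (":=", "=")   # assignments, applied once an entry has matched


def parse_items(text):
    """Parse 'A op v, B op w' into a list of (attribute, operator, value) tuples."""
    items, pos = [], 0
    while pos < len(text):
        m = ITEM_RE.match(text, pos)
        if not m:
            break
        attr, op, quoted, bare = m.groups()
        items.append((attr, op, quoted if quoted is not None else bare))
        pos = m.end()
    return items


def parse_entries(text):
    """Parse a users/hints style file: name plus items, continuation lines indented."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            name, _, rest = line.partition(" ")
            entries.append({"name": name, "items": parse_items(rest)})
        else:
            entries[-1]["items"].extend(parse_items(line))
    return entries


def expand(value, request):
    """Expand %{request:Attr} references, as used in the hints entry."""
    return re.sub(r"%\{request:([\w-]+)\}",
                  lambda m: str(request.get(m.group(1), "")), value)


def entry_matches(entry, request):
    """An entry matches when its name fits and every == / =~ check item holds."""
    if entry["name"] != "DEFAULT" and entry["name"] != request.get("User-Name"):
        return False
    for attr, op, value in entry["items"]:
        have = str(request.get(attr, ""))
        if op == "==" and have != value:
            return False
        if op == "=~" and not re.search(value, have):
            return False
    return True


def apply_sets(entry, request, target):
    for attr, op, value in entry["items"]:
        if op in SET_OPS:
            target[attr] = expand(value, request)


def decide(request):
    """Run hints, then users; return (Auth-Type chosen or None, Hint value)."""
    request = dict(request)
    request["Huntgroup-Name"] = next(
        (g for g, nases in HUNTGROUPS.items() if request.get("NAS-IP-Address") in nases), "")
    for entry in parse_entries(HINTS):
        if entry_matches(entry, request):
            apply_sets(entry, request, request)   # hints add to the request list
    control = {}
    for entry in parse_entries(USERS):
        if entry_matches(entry, request):
            apply_sets(entry, request, control)   # users set control items (Auth-Type)
            return control.get("Auth-Type"), request.get("Hint")
    return None, request.get("Hint")


if __name__ == "__main__":
    office = {"User-Name": "geoff", "NAS-IP-Address": "192.0.2.10"}
    print(decide({**office, "Packet-Dst-Port": 1645}))                               # ('Accept', 'Port-1645')
    print(decide({**office, "Packet-Dst-Port": 1812, "User-Password": "mypassword"}))  # ('Local', 'Port-1812')
    print(decide({**office, "Packet-Dst-Port": 1812, "User-Password": "wrong"}))       # (None, 'Port-1812')
    print(decide({"User-Name": "geoff", "NAS-IP-Address": "192.0.2.99", "Packet-Dst-Port": 1645}))  # (None, 'Port-1645')
```

The last case is the one worth watching in a real deployment: the `Port-1645` entry carries `Auth-Type := Accept`, so it never checks a credential, and the only thing standing between an arbitrary client and an Access-Accept on that port is the `Huntgroup-Name == "office"` check, i.e. which NAS addresses are in that huntgroup.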


