2.0.0 documentation for radiusd.conf.

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Thu Jun 14 13:23:40 CEST 2007


Alan Dekok wrote:
> Arran Cudbard-Bell wrote:
>>>> Control instead of config ?
> ...
>> Both appear to work and do the same thing when updating things...
> 
>   I didn't want to break existing 2.0.0-pre systems.  But "config" will
> be removed before 2.0.0-final.
> 
>> It appears that either update request is broken,
>> or something else weird is happening.
> 
>   OK.  There was a corner case where if the attribute set via "=" or
> ":=", and not already in the destination list, it wouldn't be added.
> I've committed a fix.
> 
>   To see for yourself what's going on with the internals of the
> condition matching and attribute adding, do: radiusd -xxxxx :)
> 
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Lines and lines and lines and lines!

Thu Jun 14 10:55:17 2007 : Debug: ++? if ("%{NAS-IP-Address}" == "127.0.0.1") -> TRUE
Thu Jun 14 10:55:17 2007 : Debug: ++- entering if ("%{NAS-IP-Address}" == "127.0.0.1")
Thu Jun 14 10:55:17 2007 : Debug:       expand: %{Packet-Src-IP-Address} -> 139.184.6.42
Thu Jun 14 10:55:17 2007 : Debug: FROM 1 TO 12 MAX 13
Thu Jun 14 10:55:17 2007 : Debug: OVERWRITING NAS-IP-Address FROM 0 TO 1
Bus error

# USERNAME FORMATTING
# User-Name formatting: extracts Realm and User, ignores the NT domain.
# This will accept
#   * user
#   * user@domain
#   * ntdomain\\user
#   * ntdomain\\user@domain
#   * user-emergency*
if (("%{User-Name}" =~ /([^-]+)-emergency-/) || ("%{User-Name}" =~ /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/)) {
        # %{2} is the realm captured by the second regex; it expands to ""
        # when that group did not match (or when the first regex matched).
        if (("%{2}" == "") || ("%{2}" == "sussex.ac.uk")) {
                update request {
                        Stripped-User-Name := "%{1}"
                        Realm := "local"
                }
        }
        else {
                update request {
                        Stripped-User-Name := "%{0}"
                        # "=" only sets Realm if it is not already present;
                        # ":=" would overwrite an existing value.
                        Realm = "%{2}"
                }
        }
}
# PROXYING LOGIC
# Eventually, if we ever need to proxy to multiple locations, we can do
# checks here, but for now assume all non-local realms go through JRS.
switch "%{Realm}" {
        case "local" {
                # Don't do any proxy stuff here, the request will be
                # handled later.
        }
        case {
                update control {
                        Proxy-To-Realm := "jrs"
                }
                update request {
                        Realm := "jrs"
                }
        }
}

# Rewrite MACs using attr_rewrite.
# * Write uniform MAC addresses with separators removed.
uniform_called_id
uniform_calling_id

# SET CERTAIN ATTRIBUTE DEFAULTS
# If the request is coming in from an offsite proxy then set the
# Service-Type to Authenticate-Only; this saves us doing some
# authorisation checks.
if ("%{Huntgroup-Name}" == "jrs-proxy") {
        update request {
                Service-Type = Authenticate-Only
        }
}
# Some NASs don't write a Service-Type in the Access-Request packets.
# For packets with no Service-Type, assume the user is a framed user.
elsif ("%{Service-Type}" == "") {
        update request {
                Service-Type = Framed-User
        }
}
# Apple AirPorts send the wrong NAS-Port-Type, so correct this.
# If the NAS didn't send a NAS-Port-Type, assume it's wireless.
if (("%{NAS-Port-Type}" == "") || ("%{NAS-Port-Id}" =~ /wl[0-9]*/)) {
        update request {
                NAS-Port-Type = "Wireless-802.11"
        }
}
# Some devices send their loopback address as NAS-IP-Address; overwrite
# this with the packet source.
if ("%{NAS-IP-Address}" == "127.0.0.1") {
        update request {
                NAS-IP-Address := "%{Packet-Src-IP-Address}"
        }
}
# HP access points send called-station-id:ssid; correct this here.
# Separate into Called-Station-Id and Called-Station-SSID,
# then do the lookup on Called-Station-SSID instead of Called-Station-Id.
if ("%{Called-Station-Id}" =~ /(.*):(.*)/) {
        update request {
                Stripped-Called-Station-Id = "%{1}"
                Called-Station-SSID = "%{2}"
                Nas-Flags = "%{sql_clients:SELECT EXPORT_SET(ssid_defaults.nas_flags,'1','0','',30) FROM `ssid_defaults` WHERE ssid_defaults.ssid_name = '%{Called-Station-SSID}' LIMIT 0,1}"
        }
}
# Fix stupid bug in recent HP firmwares: don't perform the lookup
# on the last hex pair.
# Remember to put the SQL statement back to normal later.
elsif ("%{Called-Station-Id}" =~ /(^[[:alnum:]]{10})/) {
        update request {
                Nas-Flags = "%{sql_clients:SELECT EXPORT_SET(master.nas_flags,'1','0','',30) FROM `master` WHERE master.hw_address LIKE '%{1}%' LIMIT 0,1}"
        }
}
update request {
        Supplicant-Flags = "%{sql_clients:SELECT EXPORT_SET(master.supplicant_flags,'1','0','',10) FROM `master` WHERE master.hw_address = '%{Calling-Station-Id}' LIMIT 0,1}"
}


--

Oh, and empty case statements screw things up in strange and weird ways...

case local with content

++- entering switch %{Realm}
+++- entering case local
         expand: %{Packet-Src-IP-Address} -> 139.184.6.42
         expand: %{Packet-Src-IP-Address} -> 139.184.6.42
         expand: %{Packet-Src-IP-Address} -> 139.184.6.42
         expand: %{Packet-Src-IP-Address} -> 139.184.6.42
         expand: %{Packet-Src-IP-Address} -> 139.184.6.42
         expand: %{Packet-Src-IP-Address} -> 139.184.6.42
++++[preprocess] returns ok
+++- case local returns ok
++- switch %{Realm} returns ok

Though still not sure why it's expanded Packet-Src-IP-Address there... though it's probably some weird debugging output issue...

In preacct without content

++- entering switch %{Realm}
+++- entering case local
++++- preacct returns noop
+++- switch %{Realm} returns noop
++- switch %{Realm} returns noop
         expand: %{Packet-Src-IP-Address} -> 139.184.6.42
         expand: %{Packet-Src-IP-Address} -> 139.184.6.42
         expand: %{Packet-Src-IP-Address} -> 139.184.6.42
         expand: %{Packet-Src-IP-Address} -> 139.184.6.42
         expand: %{Packet-Src-IP-Address} -> 139.184.6.42
         expand: %{Packet-Src-IP-Address} -> 139.184.6.42

In authorize without content

++- entering switch %{Realm}
+++- entering case local
++++- authorize returns notfound
+++- switch %{Realm} returns notfound
++- switch %{Realm} returns notfound

But that's pretty minor compared with the bus issue... still trying to track down what's causing it... = works fine, := breaks...

--

But anyway, still loving the unlang, it's made things so much easier!

We have three different models of NAS, each with their own weirdnesses...

Apple AirPorts send Ethernet as their medium type...

HP 530s don't send a Service-Type in the request, they also send their loopback address as NAS-IP-Address?! And they do a weird thing with appending the SSID to the Called-Station-Id...
They also don't send a NAS-Identifier, which makes things fun in terms of accounting records.

HP 2626 switches with firmware revision H.10.35 get the first 10 chars of their own MAC address right, then screw up the last two...

They also flip-flop between which MAC address they're going to send (in normal, unbroken firmware)... Ooo, what will it be for this major revision, the management MAC or the base MAC, or the MAC address of network node 5 on port 19...

Then you have users who enter user@sussex.ac.uk, domain sussex.ac.uk in the Windows supplicant, which comes out as

sussex.ac.uk/user@sussex.ac.uk

But anyway, trying to deal with this in the users file was getting increasingly unfun, so your work on unlang is much appreciated :)

--
Oh, and update request is now unbroken, thanks.

-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
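The following is an added example, not part of the post above and not FreeRADIUS code: a small Python model of the posted unlang policy, so the effect of each rule on a request can be checked offline. It assumes the unlang literal `/\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/` reaches the regex engine as `\\?([^@\\]+)@?([-[:alnum:]._]*)?$` after one level of string unescaping (with `[:alnum:]` spelled out because Python's `re` lacks it), leaves out the `%{sql_clients:...}` lookups, and passes the packet source address and huntgroup name in as plain arguments rather than reading them from a packet. The `update()` helper models the two operators the thread is about: `=` sets an attribute only when it is absent, `:=` sets or overwrites it, and both must add a missing attribute (the corner case the reply says was just fixed). The inputs at the bottom are constructed.

```python
import re

# Added example (not FreeRADIUS or the poster's code): a Python model of the
# posted unlang policy, used to see what each rule does to a request.
# Assumption: the unlang regex /\\\\?([^@\\\\]+)@?([-[:alnum:]._]*)?$/ reaches
# the regex engine as \\?([^@\\]+)@?([-[:alnum:]._]*)?$ after unlang's string
# unescaping; [:alnum:] is spelled out because Python's re lacks it.
EMERGENCY_RE = re.compile(r"([^-]+)-emergency-")
REALM_RE = re.compile(r"\\?([^@\\]+)@?([-A-Za-z0-9._]*)?$")
SSID_RE = re.compile(r"(.*):(.*)")
LOCAL_REALMS = {"", "sussex.ac.uk"}       # realms the policy treats as local


def update(attrs, name, value, op):
    """Model of one line of an unlang 'update' block on a flat dict.
    '='  adds the attribute only when it is absent.
    ':=' adds it when absent and overwrites it when present.
    Either way a missing attribute must be added."""
    if op == ":=" or name not in attrs:
        attrs[name] = value
    elif op != "=":
        raise ValueError("unsupported operator " + op)
    return attrs


def format_user_name(request):
    """USERNAME FORMATTING block: derive Stripped-User-Name and Realm."""
    name = request.get("User-Name", "")
    m = EMERGENCY_RE.search(name) or REALM_RE.search(name)   # || short-circuits
    if m is None:
        return request                       # neither regex matched: nothing set
    g1 = m.group(1) or ""
    g2 = (m.group(2) if m.re.groups >= 2 else None) or ""   # %{2} is "" if unmatched
    if g2 in LOCAL_REALMS:
        update(request, "Stripped-User-Name", g1, ":=")
        update(request, "Realm", "local", ":=")
    else:
        update(request, "Stripped-User-Name", m.group(0), ":=")  # %{0}: whole match
        update(request, "Realm", g2, "=")
    return request


def proxy_logic(request, control):
    """PROXYING LOGIC switch: anything that is not local is sent to jrs."""
    if request.get("Realm") != "local":
        update(control, "Proxy-To-Realm", "jrs", ":=")
        update(request, "Realm", "jrs", ":=")
    return request, control


def fix_nas_attributes(request, packet_src_ip, huntgroup=None):
    """SET CERTAIN ATTRIBUTE DEFAULTS block, minus the SQL lookups.
    packet_src_ip stands in for %{Packet-Src-IP-Address}, huntgroup for
    %{Huntgroup-Name}."""
    if huntgroup == "jrs-proxy":
        update(request, "Service-Type", "Authenticate-Only", "=")
    elif request.get("Service-Type", "") == "":
        update(request, "Service-Type", "Framed-User", "=")
    if (request.get("NAS-Port-Type", "") == ""
            or re.search(r"wl[0-9]*", request.get("NAS-Port-Id", ""))):
        update(request, "NAS-Port-Type", "Wireless-802.11", "=")   # "=": no overwrite
    if request.get("NAS-IP-Address") == "127.0.0.1":
        update(request, "NAS-IP-Address", packet_src_ip, ":=")
    m = SSID_RE.search(request.get("Called-Station-Id", ""))
    if m:
        update(request, "Stripped-Called-Station-Id", m.group(1), "=")
        update(request, "Called-Station-SSID", m.group(2), "=")
    return request


def run_policy(request, packet_src_ip, huntgroup=None):
    """Apply the three blocks in the posted order; returns (request, control)."""
    control = {}
    format_user_name(request)
    proxy_logic(request, control)
    fix_nas_attributes(request, packet_src_ip, huntgroup)
    return request, control


if __name__ == "__main__":
    # Constructed inputs: the User-Name forms listed in the policy comments,
    # the sussex.ac.uk/user@sussex.ac.uk form the Windows supplicant produces,
    # and an HP 530-style request (loopback NAS-IP-Address, no Service-Type,
    # SSID appended to Called-Station-Id).
    for name in ["user", "user@sussex.ac.uk", "ntdomain\\user",
                 "ntdomain\\user@other.ac.uk", "user-emergency-",
                 "sussex.ac.uk/user@sussex.ac.uk"]:
        req, ctl = run_policy({"User-Name": name}, "139.184.6.42")
        print("%-32s -> %r %r" % (name, req, ctl))
    hp530 = {"User-Name": "user", "NAS-IP-Address": "127.0.0.1",
             "Called-Station-Id": "00-11-22-33-44-55:eduroam"}
    print(run_policy(hp530, "139.184.6.42")[0])
```

Running it shows two things the policy comments do not spell out. Because the realm regex is unanchored at the front, `ntdomain\user@other.ac.uk` matches from the backslash onward, so the `%{0}` stored in Stripped-User-Name for a proxied user is `\user@other.ac.uk`, and `sussex.ac.uk/user@sussex.ac.uk` is classed as local with `sussex.ac.uk/user` as the stripped name. And `NAS-Port-Type = "Wireless-802.11"` with `=` leaves an AirPort's existing `Ethernet` value in place; only `:=` would replace it.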
