FW: SoH - FR 2.1.11

Palmer J.D.F. J.D.F.Palmer at swansea.ac.uk
Thu Jul 14 22:00:20 CEST 2011


Phil,

It would seem I must have made a typo; Gareth has tried this again and
due to his golden touch the array is now being evaluated.
Sorry for the confusion.

Cheers,
Jezz.

-----Original Message-----
From: Ayres G.J. 
Sent: 14 July 2011 17:02
To: Palmer J.D.F.
Subject: RE: SoH - FR 2.1.11

I just tried this out of curiosity and it worked :S

[peap] Processing SoH request
        SoH-Supported = yes
        SoH-MS-Machine-OS-vendor = Microsoft
        SoH-MS-Machine-OS-version = 6
        SoH-MS-Machine-OS-release = 1
        SoH-MS-Machine-OS-build = 7600
        SoH-MS-Machine-SP-version = 0
        SoH-MS-Machine-SP-release = 0
        SoH-MS-Machine-Processor = x86_64
        SoH-MS-Machine-Name = "jezztosh"
        SoH-MS-Correlation-Id = 0xa381264b0c2d4feeb2ebf9bb7c00b94501cc423e63ba7481
        SoH-MS-Machine-Role = client
        SoH-MS-Windows-Health-Status = "firewall ok snoozed=0 microsoft=1 up2date=1 enabled=1"
        SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1"
        SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1"
        SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=1 up2date=1 enabled=0"
        SoH-MS-Windows-Health-Status = "auto-updates ok action=download"
        SoH-MS-Windows-Health-Status = "security-updates warn some-missing"
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "testuser"
        Calling-Station-Id = "4c-ed-de-1c-56-2f"
        Called-Station-Id = "00-0f-34-46-82-50:devroam"
        NAS-Port = 29
        NAS-IP-Address = 10.10.246.238
        NAS-Identifier = "Slot11-Port1"
        Airespace-Wlan-Id = 3
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "654"
[peap] server soh-server {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/soh-server
+- entering group authorize {...}
++? if (SoH-Supported == no)
? Evaluating (SoH-Supported == no) -> FALSE
++? if (SoH-Supported == no) -> FALSE
++- entering else else {...}
+++? if ("%{SoH-MS-Windows-Health-Status[*]}" =~ /security-updates (warn|error)/)
        expand: %{SoH-MS-Windows-Health-Status[*]} -> firewall ok snoozed=0 microsoft=1 up2date=1 enabled=1 antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1 antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1 antispyware ok snoozed=0 microsoft=1 up2date=1 enabled=0 auto-updates ok action=download security-updates warn some-missing
? Evaluating ("%{SoH-MS-Windows-Health-Status[*]}" =~ /security-updates (warn|error)/) -> TRUE
+++? if ("%{SoH-MS-Windows-Health-Status[*]}" =~ /security-updates (warn|error)/) -> TRUE
+++- entering if ("%{SoH-MS-Windows-Health-Status[*]}" =~ /security-updates (warn|error)/) {...}
++++[config] returns notfound
++++[reply] returns notfound
+++- if ("%{SoH-MS-Windows-Health-Status[*]}" =~ /security-updates (warn|error)/) returns notfound
+++ ... skipping else for request 7: Preceding "if" was taken
++- else else returns notfound
Found Auth-Type = Reject
Auth-Type = Reject, rejecting user


So looks like it correctly evaluates it against the whole
SoH-MS-Windows-Health-Status array to me:
? Evaluating ("%{SoH-MS-Windows-Health-Status[*]}" =~ /security-updates (warn|error)/) -> TRUE
+++? if ("%{SoH-MS-Windows-Health-Status[*]}" =~ /security-updates (warn|error)/) -> TRUE
+++- entering if ("%{SoH-MS-Windows-Health-Status[*]}" =~ /security-updates (warn|error)/) {...}



> -----Original Message-----
> From: freeradius-users-
> bounces+g.j.ayres=swansea.ac.uk at lists.freeradius.org
> [mailto:freeradius-users-
> bounces+g.j.ayres=swansea.ac.uk at lists.freeradius.org] On Behalf Of
> Palmer J.D.F.
> Sent: 14 July 2011 15:59
> To: FreeRadius users mailing list
> Subject: RE: SoH - FR 2.1.11
> 
> Thanks Phil & Arran,
> 
> I keep starting reply emails and another arrives before I get to send
> them.
> 
> I've tried the array hack, that fails even with 'firewall' as the
> condition.
> if ("%{SoH-MS-Windows-Health-Status[*]}" =~ /firewall/), whereas if
> (SoH-MS-Windows-Health-Status =~ /firewall/) is satisfied.
> 
> Cheers,
> Jezz.
> 
> > -----Original Message-----
> > From: freeradius-users-
> > bounces+j.d.f.palmer=swansea.ac.uk at lists.freeradius.org
> > [mailto:freeradius-users-
> > bounces+j.d.f.palmer=swansea.ac.uk at lists.freeradius.org] On Behalf Of
> > Phil Mayers
> > Sent: 14 July 2011 15:45
> > To: freeradius-users at lists.freeradius.org
> > Subject: Re: SoH - FR 2.1.11
> >
> > On 14/07/11 15:24, Phil Mayers wrote:
> >
> > > I thought that the =~ regexp operator tried all attributes on the
> > > left-hand side; that is, I thought it looped through until it got
> > > first-match.
> > >
> > > If it doesn't, then the idea of squeezing all the SoH data into
> > > multiple instances of a single text attribute is going to need
> > > revisiting (or the "foreach" unlang operator will need backporting!)
> >
> > Damn. You're right. It just looks at the first attribute.
> >
> > Erm.... Hmm. That's a problem. It makes checking the attributes really
> > painful. Blast. Sorry about that.
> >
> >
> > Maybe try this, which is a horrible hack:
> >
> > if ("%{SoH-MS-Windows-Health-Status[*]}" =~ /antivirus (warn|error)/) {
> >    ...
> > }
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> 

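An added example, not part of the original thread or of FreeRADIUS: a Python model of the two conditions discussed above, with the health-status values from the debug output as constructed sample input. It assumes the `[*]` expansion joins instances with a single space, as the log shows, and all function names are hypothetical; it goes one step further by also matching per instance, because a loose pattern on the joined string can match across two instances.

```python
import re

# Constructed sample: the six SoH-MS-Windows-Health-Status values from the debug log.
HEALTH_STATUS = [
    "firewall ok snoozed=0 microsoft=1 up2date=1 enabled=1",
    "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1",
    "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1",
    "antispyware ok snoozed=0 microsoft=1 up2date=1 enabled=0",
    "auto-updates ok action=download",
    "security-updates warn some-missing",
]

def first_instance_match(values, pattern):
    """Model of `Attr =~ /re/` as the thread describes it: only the first instance is tested."""
    return bool(values) and re.search(pattern, values[0]) is not None

def joined_match(values, pattern, sep=" "):
    """Model of `"%{Attr[*]}" =~ /re/`: every instance joined into one string (sep is assumed)."""
    return re.search(pattern, sep.join(values)) is not None

def per_instance_match(values, pattern):
    """Test each instance on its own, so a match can never span two instances."""
    return any(re.search(pattern, v) for v in values)

def parse_status(value):
    """Split one value into component, state, key=value flags and bare notes."""
    tokens = value.split()
    if len(tokens) < 2:
        raise ValueError(f"malformed health status: {value!r}")
    rest = tokens[2:]
    return {
        "component": tokens[0],
        "state": tokens[1],
        "flags": dict(t.split("=", 1) for t in rest if "=" in t),
        "notes": [t for t in rest if "=" not in t],
    }

def failing_components(values, bad_states=("warn", "error")):
    """Components whose own state is warn/error, judged per instance."""
    return sorted({s["component"] for s in map(parse_status, values) if s["state"] in bad_states})

if __name__ == "__main__":
    updates = r"security-updates (warn|error)"
    loose = r"antivirus.*(warn|error)"
    print(first_instance_match(HEALTH_STATUS, updates), joined_match(HEALTH_STATUS, updates))
    print(joined_match(HEALTH_STATUS, loose), per_instance_match(HEALTH_STATUS, loose))
    print(failing_components(HEALTH_STATUS))
```

The anchored pattern used in the thread, `security-updates (warn|error)`, stays within one instance; a pattern containing `.*` does not, which is why the per-instance check is the safer basis for a reject decision.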


