Question regarding multivalued attributes in control list.

Olivier Beytrison olivier at heliosnet.org
Fri Sep 2 15:47:36 CEST 2011 

Hello,

I'm trying since two week to do some multi-valued attribute checking on
my radius infrastructure.

I've been looking to checkval, using the "users" file and such but with
no luck.

I'm running two FR 2.1.10 on ubuntu for the eduroam project. The local
authentication is made against an Novell eDirectory ldap server.

I'm fetching a multi-valued attribute from the ldap into the control
list, and based on its content, I set the correct
Airespace-Interface-Name value.

At the beginning I was using unlang to match the value, and it works
perfectly since 90% of the people only have one attribute. But some
people have multiple attributes.

So far, that's what I've been using :

In virtual server, at the end of authorize {}

          if (NAS-IP-Address =~ /160\.98\.156\..*/) {
                  $INCLUDE ${confdir}/secure-hefr.policy

          }

secure-hefr.policy content :


if ( control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) {
        update reply {
                Airespace-Interface-Name := "wifi_eia-etu"
        }
}
elsif ( control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) {
        update reply {
                Airespace-Interface-Name := "wifi_eia-col"
        }
}
elsif {
}
[ ... ]

Some debug from a user who is multi-valued :

server eduroam-inner-tunnel-peap {
# Executing section authorize from file
/etc/freeradius/sites-enabled/eduroam-inner-tunnel-peap
+- entering group authorize {...}
++[mschap] returns noop
[suffix] Looking up realm "hefr.ch" for User-Name = "didier.perroud at hefr.ch"
[suffix] Found realm "hefr.ch"
[suffix] Adding Realm = "hefr.ch"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 11 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[auth_log]      expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
[auth_log]      expand: %t -> Fri Sep  2 15:45:08 2011
++[auth_log] returns ok
[linelog]       expand: %{Packet-Type} -> Access-Request
[linelog]       expand: %{%{Packet-Type}:-format} -> Access-Request
[linelog]       expand: /var/log/freeradius/linelog ->
/var/log/freeradius/linelog
[linelog]       expand: Requested access: %{User-Name} -> Requested
access: didier.perroud at hefr.ch
++[linelog] returns ok
++? if (User-Name =~ /(.*)@.*hefr.ch$/)
? Evaluating (User-Name =~ /(.*)@.*hefr.ch$/) -> TRUE
++? if (User-Name =~ /(.*)@.*hefr.ch$/) -> TRUE
++- entering if (User-Name =~ /(.*)@.*hefr.ch$/) {...}
        expand: %{1} -> didier.perroud
+++[request] returns ok
++- if (User-Name =~ /(.*)@.*hefr.ch$/) returns ok
++[files] returns noop
[ldap] performing user authorization for didier.perroud
[ldap]  expand: (uid=%{Stripped-User-Name}) -> (uid=didier.perroud)
[ldap]  expand: ou=courant,ou=people,o=hefr -> ou=courant,ou=people,o=hefr
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=courant,ou=people,o=hefr, with filter
(uid=didier.perroud)
[ldap] Added the eDirectory password ******* in check items as
Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] hessoRoleMemberKey -> HESSO-MEMBER-KEY ==
"RORG-HEFR-EIFR-TICO-TLCO-$-RSM"
  [ldap] hessoRoleMemberKey -> HESSO-MEMBER-KEY == "RORG-MASO-$-RCA"
  [ldap] hessoRoleMemberKey -> HESSO-MEMBER-KEY ==
"RACA-TICO-MSEI-MTIC-$-RCA"
[ldap] looking for reply items in directory...
  [ldap] hessoRoleMemberKey -> Class =
0x524f52472d484546522d454946522d5449434f2d544c434f2d242d52534d
  [ldap] hessoRoleMemberKey -> Class = 0x524f52472d4d41534f2d242d524341
  [ldap] hessoRoleMemberKey -> Class =
0x524143412d5449434f2d4d5345492d4d5449432d242d524341
[ldap] user didier.perroud authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
++? if (NAS-IP-Address =~ /160\.98\.156\..*/)
? Evaluating (NAS-IP-Address =~ /160\.98\.156\..*/) -> TRUE
++? if (NAS-IP-Address =~ /160\.98\.156\..*/) -> TRUE
++- entering if (NAS-IP-Address =~ /160\.98\.156\..*/) {...}
+++? if (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/ )
? Evaluating (control:HESSO-MEMBER-KEY =~
/RORG-HEFR-EIFR-INTR-INFO-.-RSM/) -> FALSE
+++? if (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/ )
-> FALSE
+++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ )
? Evaluating (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/) -> FALSE
+++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) -> FALSE
+++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ )
? Evaluating (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/) -> TRUE
+++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) -> TRUE
+++- entering elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/
) {...}

We can see that it didn't match control:HESSO-MEMBER-KEY =~
/RORG-MASO.*RCA$/ while it has the correct value in the control list.

How can I match this multi-valued attribute ?

Regards,
Olivier B.

-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg

More information about the Freeradius-Users mailing list