module return codes
Travis Dimmig
tdimmig at impulse.com
Thu Nov 13 20:19:12 CET 2014
I can't figure out how to get modules to return with the codes I want them to. I have (what I believe to be) a very simple policy for checking if a request looks like a MAC authentication request. I would like the policy module return to be able to indicate if the request looks like it's MAC authentication or not.
I have a policy defined in policy.conf as follows:
check.mac_authentication {
    if ( (Calling-Station-Id) && (User-Name) ) {
        if ( "%{User-Name}" =~ /^%{config:policy.mac-addr}$/i ) {
            update request {
                Tmp-String-0 := "%{tolower:%{1}%{2}%{3}%{4}%{5}%{6}}"
            }
        }
        if ( "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i ) {
            update request {
                Tmp-String-1 := "%{tolower:%{1}%{2}%{3}%{4}%{5}%{6}}"
            }
        }
    }
    if ( (Tmp-String-0) && (Tmp-String-1) && "%{Tmp-String-0}" == "%{Tmp-String-1}" ) {
        ok
    }
    else {
        noop
    }
}
The goal is to return "ok" if both attributes exist, look like MAC addresses, and have the same value (after being normalized to lower-case and having delimiters removed). Otherwise, it should return "noop".
What is happening instead:
+++- entering policy check.mac_authentication {...}
++++? if ((Calling-Station-Id) && (User-Name) )
?? Evaluating (Calling-Station-Id) -> TRUE
?? Evaluating (User-Name) -> TRUE
++++? if ((Calling-Station-Id) && (User-Name) ) -> TRUE
++++- entering if ((Calling-Station-Id) && (User-Name) ) {...}
+++++? if ("%{User-Name}" =~ /^%{config:policy.mac-addr}$/i )
expand: %{User-Name} -> 11bbccddeeff
expand: policy.mac-addr -> policy.mac-addr
expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$
? Evaluating ("%{User-Name}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++++? if ("%{User-Name}" =~ /^%{config:policy.mac-addr}$/i ) -> TRUE
+++++- entering if ("%{User-Name}" =~ /^%{config:policy.mac-addr}$/i ) {...}
expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 11bbccddeeff
expand: %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} -> 11bbccddeeff
++++++[request] returns ok
+++++- if ("%{User-Name}" =~ /^%{config:policy.mac-addr}$/i ) returns ok
+++++? if ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i )
expand: %{Calling-Station-Id} -> AA-BB-CC-DD-EE-FF
expand: policy.mac-addr -> policy.mac-addr
expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$
? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
+++++? if ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i ) -> TRUE
+++++- entering if ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i ) {...}
expand: %{1}%{2}%{3}%{4}%{5}%{6} -> AABBCCDDEEFF
expand: %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} -> aabbccddeeff
++++++[request] returns ok
+++++- if ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i ) returns ok
++++- if ((Calling-Station-Id) && (User-Name) ) returns ok
++++? if ((Tmp-String-0) && (Tmp-String-1) && "%{Tmp-String-0}" == "%{Tmp-String-1}" )
?? Evaluating (Tmp-String-0) -> TRUE
?? Evaluating (Tmp-String-1) -> TRUE
expand: %{Tmp-String-0} -> 11bbccddeeff
expand: %{Tmp-String-1} -> aabbccddeeff
? Evaluating ("%{Tmp-String-0}" == "%{Tmp-String-1}" ) -> FALSE
++++? if ((Tmp-String-0) && (Tmp-String-1) && "%{Tmp-String-0}" == "%{Tmp-String-1}" ) -> FALSE
++++- entering else else {...}
+++++[noop] returns noop
++++- else else returns noop
+++- policy check.mac_authentication returns ok
When execution enters the final "else" with the noop, why does the module still return "ok"?
Any help will be greatly appreciated....
-Travis
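Why the trace above ends in "ok", as an added example that is not part of the original post: a simplified Python model of how a section combines the return codes of its children. It assumes the policy is called from authorize with the default priorities (notfound=1, noop=2, ok=3, updated=4); run_section and mac_auth_policy are hypothetical names.

```python
# Added illustration: a simplified model of unlang section return codes.
# ASSUMPTION: default "authorize" priorities (notfound=1, noop=2, ok=3,
# updated=4); codes not listed (reject, fail, ...) end the section at once.
PRIORITY = {"notfound": 1, "noop": 2, "ok": 3, "updated": 4}


def run_section(children):
    """Return the code of a section: the highest-priority child code wins.

    children: list of codes (str), nested lists (sub-sections whose
    condition was true), or None (an if/else branch that was skipped).
    """
    result, best = None, 0
    for child in children:
        if child is None:
            continue
        code = run_section(child) if isinstance(child, list) else child
        if code is None:                  # sub-section ran nothing
            continue
        if code not in PRIORITY:          # "return" action: stop immediately
            return code
        if PRIORITY[code] > best:         # equal codes leave the result as is
            result, best = code, PRIORITY[code]
    return result


def mac_auth_policy(user_match, csid_match, equal):
    """Replay check.mac_authentication for the given condition outcomes."""
    outer_if = [
        ["ok"] if user_match else None,   # update request {...} returns ok
        ["ok"] if csid_match else None,   # update request {...} returns ok
    ]
    final = ["ok"] if equal else ["noop"]  # the last if / else pair
    return run_section([outer_if, final])


if __name__ == "__main__":
    # Constructed from the debug trace: both regexes match, values differ.
    print(mac_auth_policy(True, True, False))
    # Neither attribute looks like a MAC address, so no update block runs.
    print(mac_auth_policy(False, False, False))
```

In this model the "ok" from any update block outranks the later "noop", so the policy only yields "noop" when neither update runs.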