Nas-IP-Address regexp matching in hints/huntgroups working in 2.2.0 and not in 3.0.13
Gianni Costanzi
gianni.costanzi at gmail.com
Thu Dec 7 15:35:21 CET 2017
> > 2) if they do not work anymore, how should I implement "if you are user
> > XXXX (with regexp) and the NAS-IP-Address is not one of the listed ones,
> > then do User-Name manipulation?
>
> Use Unlang
>
> if ((User-Name =~ /regex/) && \
> ((NAS-IP-Address =~ /regex/) || \
> (NAS-IP-Address =~ /regex/) ...
>
> But realistically, if you have a list of IP addresses, it's better to
> put them into groups, and check the group. See "rlm_passwd", and "man
> rlm_passwd".
>
> You can create groups which match a list of addresses (no regex), and
> then just do group checking.
>
> Alan DeKok.
>
Hi Alan,
I was thinking about what you've told me yesterday.. I think that matching
NAS-IP-Addresses in order to set a specific "group" attribute as you've
suggested can work to replace the huntgroups logic I'm using in the old
Freeradius 2.2.0 config..
If I've understood well, implementing the hints' file logic I'm using in
2.2.0 must be done with Unlang, so the following hints code
DEFAULT User-Name =~ "^(xx[e0][0-9]{3})$", NAS-IP-Address !~
"10\.10\.1\.11[89]$", NAS-IP-Address !~ "10\.10\.2\.(10|20)$"
User-Name := "%{User-Name}@imp"
should become this Unlang code:
if (User-Name =~ /^(xx[e0][0-9]{3})$/) \
&& NAS-IP-Address !~ /10\.10\.1\.11[89]$/ \
&& NAS-IP-Adddress !~ /10\.10\.2\.(10|20)$/)
{
User-Name := "%{User-Name}@imp"
}
If this should work, I still don't know in which configuration file I
should put this code in order to manipulate the User-Name in the
preprocessing step, before authentication on SQL/files happens.
Best regards,
Gianni Costanzi
More information about the Freeradius-Users
mailing list