Nas-IP-Address regexp matching in hints/huntgroups working in 2.2.0 and not in 3.0.13
Gianni Costanzi
gianni.costanzi at gmail.com
Fri Dec 15 12:29:59 CET 2017
On Thu, Dec 7, 2017 at 6:24 PM, Alan Buxey <alan.buxey at gmail.com> wrote:
> authorize section of the default virtual server for a vanilla install.
> AFTER the modules that service the request but before the first calls to eg
> pap and EAP etc
>
> alan
>
> > if (User-Name =~ /^(xx[e0][0-9]{3})$/) \
> > && NAS-IP-Address !~ /10\.10\.1\.11[89]$/ \
> > && NAS-IP-Adddress !~ /10\.10\.2\.(10|20)$/)
> > {
> > User-Name := "%{User-Name}@imp"
> > }
> >
> > If this should work, I still don't know in which configuration file I
> > should put this code in order to manipulate the User-Name in the
> > preprocessing step, before authentication on SQL/files happens.
> >
> > Best regards,
> > Gianni Costanzi
>
>
Hi,
I've tried to add the following code within authorize section of default
virtual server, just after the preprocess directive:
preprocess
if (&User-Name =~ /^AAAAA$/) {
update request {
&User-Name := "BBBBB"
}
}
It seems to work (radius debug says noop for that block of code but the
User-Name is correctly translated from AAAA to BBBB).
So I've tried to implement the code I need to replicate what I was using in
older Freeradius:
if (&User-Name =~ /^(xx[e0][0-9]{3})$/ \
&& NAS-IP-Address !~ /REGEXP/ \
&& NAS-IP-Address !~ /REGEXP/ \
&& NAS-IP-Address !~ /REGEXP/ \
[...]
&& NAS-IP-Address !~ /REGEXP/ \
&& NAS-IP-Address !~ /REGEXP/ {
update request {
&User-Name := "%{User-Name}@myrealm"
}
}
The problem now is that there are too many conditions and radius server
does not start:
including configuration file /etc/raddb/sites-enabled/default
/etc/raddb/sites-enabled/default[273]: Reference "(&User-Name =~
/^(xx[e0][0-9]{3})$/ && NAS-IP-Address !~ [...]
[...]&& NAS-IP-Address !~ /REGEXP/ ) " is too long
Failed expanding section name
/etc/raddb/sites-enabled/default[326]: Failed allocating memory for section
Errors reading or parsing /etc/raddb/radiusd.conf
If I reduce the number of "&& NAS-IP-Address" rows it works.
I'd like to implement the following work-around code, splitting the check
of NAS-IP-Addresses in multiple If blocks, but I need your help to tell me
if and how I can set a temporary variable match_found:
if (&User-Name =~ /^(xx[e0][0-9]{3})$/) {
match_found = 0
if (NAS-IP-Address =~ /REGEXP/ \
&& NAS-IP-Address =~ /REGEXP/ \
&& NAS-IP-Address =~ /REGEXP/ \) {
match_found = 1
}
[...]
if (NAS-IP-Address =~ /REGEXP/ \
&& NAS-IP-Address =~ /REGEXP/ \
&& NAS-IP-Address =~ /REGEXP/ \) {
match_found = 1
}
if (match_found == 0) {
update request {
&User-Name := "%{User-Name}@myrealm"
}
}
}
The logic would be the same, change the Username only if it matches the
username regexp and does not match any of the NAS-IP-Address regexps.
Can I allocate a temporary variable like match_found? It doesn't work as
I've written above (/etc/raddb/sites-enabled/default[273]: Errors parsing
authorize section.).
Furthermore, could I have the same "memory allocation for section" error
even with the code above? I don't know how radius is working behind the
scenes with this
Unlang code, so I need your help.
Best regards, thank you in advance for any help
Gianni Costanzi
More information about the Freeradius-Users
mailing list