Unstructured Attr-26 in unlang

Bjørn Mork bjorn at mork.no
Tue Mar 28 17:59:20 CEST 2017 

Alan DeKok <aland at deployingradius.com> writes:

> On Mar 28, 2017, at 10:47 AM, Brian Candler <b.candler at pobox.com> wrote:
>> 
>> (FreeRADIUS 3.0.13 under CentOS)
>> 
>> I am trying to deal with a broken device (Aten) which requires an unstructured attribute 26 [^1].
>
>   They deserve to be shamed.  There is just no excuse for this kind of stupidity.

Yes, you should worry a bit about the part of their radius client
implementation you don't see...  Wonder how secure the code is if they
cannot even get the basic stuff right?

Power off and return seems like the best option.


>> Tue Mar 28 14:01:27 2017 : Error: /etc/raddb/policy.d/localpolicy[155]: Invalid vendor name in attribute name "0x73752f61646d696e6973747261746f72"\
>
>   That's... bizarre.  I've tracked it down and pushed a fix to the error message.
>
>   But the underlying issue is still the same.  The LHS is being converted from Attr-26 to Vendor-Specific, and then tries to parse the RHS as a VSA... which doesn't work.
>
>   We've put some time into fixing this in v4:
>
> https://github.com/FreeRADIUS/freeradius-server/issues/1883
>
>> And if I try this:
>> 
>>      update reply {
>>        &Attr-26 = "su/administrator"
>>      }
>> 
>> Tue Mar 28 14:25:56 2017 : Error: /etc/raddb/policy.d/localpolicy[154]: Must use 'Attr-26 = ...' instead of 'Vendor-Specific = ...'
>> 
>> That's an even stranger error: I *am* using Attr-26 like it says!!
>
>   That's due to the auto-conversion again.  I'll take a look...
>
>> Any suggestions how I can get this to work, other than switching from unlang to files module?
>
>   Use the files module for now.  The unlang fixes may take a day or so.

Another hackish workaround is to define your own "26" attribute in the
dictionary.  Just tried this using the Debian sid freeradius package,
which is based on 3.0.12, and it seems to "work":


frtest3:~# tail /etc/freeradius/3.0/dictionary 

#
#       These attributes are examples
#
#ATTRIBUTE      My-Local-String         3000    string
#ATTRIBUTE      My-Local-IPAddr         3001    ipaddr
#ATTRIBUTE      My-Local-Integer        3002    integer

ATTRIBUTE       AtenIsCrazy     26      octets


frtest3:~# cat /etc/freeradius/3.0/policy.d/foo 
foo {
      update reply {
        # Vendor-Specific = "su/administrator"
        &Attr-26 = 0x73752f61646d696e6973747261746f72
      }
}

frtest3:~# echo -e "User-Name=foo\nUser-Password=bar"|radclient -x 127.0.0.1 auth testing123
Sent Access-Request Id 45 from 0.0.0.0:41151 to 127.0.0.1:1812 length 43
        User-Name = "foo"
        User-Password = "bar"
        Cleartext-Password = "bar"
Received Access-Accept Id 45 from 127.0.0.1:1812 to 0.0.0.0:0 length 38
        AtenIsCrazy = 0x73752f61646d696e6973747261746f72


Ready to process requests
(0) Received Access-Request Id 224 from 127.0.0.1:41327 to 127.0.0.1:1812 length 43
(0)   User-Name = "foo"
(0)   User-Password = "bar"
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "foo", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry foo at line 91
(0)     [files] = ok
(0)     policy foo {
(0)       update reply {
(0)         AtenIsCrazy = 0x73752f61646d696e6973747261746f72
(0)       } # update reply = noop
(0)     } # policy foo = noop
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     [pap] = updated
(0)   } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0)     [pap] = ok
(0)   } # Auth-Type PAP = ok
(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(0)   post-auth {
(0)     update {
(0)       No attributes updated
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Sent Access-Accept Id 224 from 127.0.0.1:1812 to 127.0.0.1:41327 length 0
(0)   AtenIsCrazy = 0x73752f61646d696e6973747261746f72
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 224 with timestamp +13
Ready to process requests



But I assume you break all other vendor attributes, so it is not a godd
idea if you are using the server for multi-vendor equipment




Bjørn

More information about the Freeradius-Users mailing list