Proxy / reply translation

Richard J Palmer richard at merula.net
Sat Nov 11 21:16:40 CET 2017


Hi

I can almost certainly test this with the remote radius server - I am 
just waiting for the remote server to be configured to allow me access 
- and in the meantime was trying to test my config locally.

From the log

if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {

ERROR: Failed retrieving values required to evaluate condition

I assume that &Cisco-AVPair is not available here and I should be 
using  something else (or I could have totally the wrong reason).

Ultimately the aim was to check if what I had written worked before I 
had access to the upstream server. If it's easier just to wait I 
shall.

Thanks in advance

Richard
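
A stand-alone model of the condition discussed above, added here as an example and not part of the original post or of FreeRADIUS. It assumes a bare attribute name is looked up in the request list while the SQL-supplied `Cisco-AVPair` sits in the reply list (as the Access-Accept in the quoted log shows), and it goes beyond the thread's `switch` by computing the prefix length for any contiguous netmask. The `lookup` helper, the dict layout and `SAMPLE` are hypothetical names constructed for illustration.

```python
import ipaddress
import re

# Same pattern as the policy in the thread.
ROUTE_RE = re.compile(r"ip:route=([^ ]+) ([^ ]+)")

def lookup(lists, ref):
    """Resolve 'list:Attr' or bare 'Attr'; a bare name means the request list."""
    list_name, _, attr = ref.rpartition(":")
    return [v for a, v in lists.get(list_name or "request", []) if a == attr]

def mask_to_prefix(mask):
    """Dotted netmask -> prefix length; rejects non-contiguous masks."""
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return 32 - inverted.bit_length()

def rewrite_routes(lists, ref="reply:Cisco-AVPair"):
    """Return the Framed-Route values the policy should add to the reply."""
    routes = []
    for value in lookup(lists, ref):
        m = ROUTE_RE.search(value)
        if not m:
            continue  # not an ip:route pair
        ipaddress.IPv4Address(m.group(1))  # raises on a malformed address
        routes.append(f"{m.group(1)}/{mask_to_prefix(m.group(2))}")
    return routes

# Constructed sample modelled on the debug output quoted in the thread.
SAMPLE = {
    "request": [("User-Name", "richard2")],
    "reply": [
        ("Framed-IP-Address", "1.2.3.1"),
        ("Cisco-AVPair", "ip:route=1.2.3.0 255.255.255.248"),
        ("Filter-Id", "P"),
    ],
}

if __name__ == "__main__":
    print(rewrite_routes(SAMPLE, "Cisco-AVPair"))        # bare name: request list
    print(rewrite_routes(SAMPLE, "reply:Cisco-AVPair"))  # qualified: reply list
```
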




On Saturday 11/11/2017 at 7:39 pm, Alan Buxey  wrote:
> Best test would be to have a remote radius server sending back replies like
> you will have as using some local stuff added via SQL isn't going to be the
> same, goes through different sections,
>
> alan
>
> On 11 Nov 2017 7:33 pm, "Richard J Palmer" <richard at merula.net> wrote:
>
>>
>> Hi Alan
>>
>> I will be using it for Proxy. However I was trying to test / use this
>> locally as well while debugging the server / code.
>>
>> Ideally it would be nice to allow both options to work but I am flexible
>> if it's easier just to use this for requests that are proxied
>>
>> Thanks
>>
>> Richard
>>
>>
>>
>>
>> On Saturday 11/11/2017 at 7:14 pm, Alan Buxey  wrote:
>>
>>>
>>> You say you need to modify a reply from their radius server - this will be
>>> in the post-proxy section?
>>>
>>> Also  if (&reply:Cisco-AVPair ...  ?
>>>
>>> alan
>>>
>>>
>>> On 11 Nov 2017 6:37 pm, "Richard J Palmer" <richard at merula.net> wrote:
>>>
>>> Hi
>>>
>>> Sorry for the delay. I am getting close with this I think... BUT something
>>> seems to be slightly wrong.
>>>
>>> Happy to post a full log as needed - BUT I hope the bit I need is here:
>>>
>>> (2) sql1:   Framed-Route = ""
>>> (2) sql1:   Framed-IP-Address = 1.2.3.1
>>> (2) sql1:   Framed-IP-Netmask = 255.255.255.248
>>> (2) sql1:   Cisco-AVPair += "ip:route=1.2.3.0 255.255.255.248"
>>> (2) sql1:   Filter-Id = "P"
>>> (2) sql1:   Chargeable-User-Identity = "richard2"
>>>
>>> <group SQL statements>
>>>
>>> (2) sql1: Group "Hotspot": Merging reply items
>>> (2) sql1:   Acct-Interim-Interval = 600
>>>
>>> (2)       [sql1] = ok
>>> (2)     } # redundant = ok
>>> (2)     policy rewrite_routes {
>>> (2)       if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>>> (2)       ERROR: Failed retrieving values required to evaluate condition
>>> (2)     } # policy rewrite_routes = ok
>>>
>>> (2) Login OK: [richard2] (from client local port 1)
>>> (2) Sent Access-Accept Id 69 from 127.0.0.1:1645 to 127.0.0.1:48919 length 0
>>> (2)   Framed-IP-Address = 1.2.3.1
>>> (2)   Framed-IP-Netmask = 255.255.255.248
>>> (2)   Cisco-AVPair = "ip:route=1.2.3.0 255.255.255.248"
>>> (2)   Filter-Id = "P"
>>> (2)   Chargeable-User-Identity = "richard2"
>>> (2)   Acct-Interim-Interval = 600
>>> (2) Finished request
>>>
>>>
>>> In my authorise section I have placed:
>>>
>>> redundant {
>>>                    sql1
>>>                    sql2
>>>                    handled
>>>            }
>>> #     -sql
>>>            rewrite_routes
>>>
>>> (The other sections are there - this is just to show where what I hope is
>>> relevant.) The code itself is based on the code provided below
>>>
>>> rewrite_routes  {
>>>
>>>     if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>>>         switch "%{2}" {
>>>             case "255.255.255.255" {
>>>                 update reply {
>>>                     Framed-Route = "%{1}/32"
>>>                 }
>>>             }
>>>             case "255.255.255.254" {
>>>                 update reply {
>>>                     Framed-Route = "%{1}/31"
>>>                 }
>>>             }
>>>
>>>
>>> and so on (it is in the policy.d folder)
>>>
>>> I am aware the key to this is the error
>>>
>>> (2)       ERROR: Failed retrieving values required to evaluate condition
>>>
>>> What I am unclear about is why this is failing / and what I have done wrong
>>> here to cause this. If you can give me one more pointer here I'd appreciate
>>> it
>>>
>>> More than happy to send any of the extra config or log as needed
>>>
>>> Thanks in advance
>>>
>>> Richard
>>>
>>>
>>>
>>>
>>>
>>> On Thursday 09/11/2017 at 1:35 pm, Alan DeKok  wrote:
>>>
>>>
>>>>
>>>> On Nov 9, 2017, at 8:19 AM, Richard J Palmer <richard at merula.net> wrote:
>>>>
>>>>
>>>>>
>>>>>
>>>>> This is where my skills are not great (regex) most other areas I can work
>>>>> with. Ultimately I am happy to pay someone to help write the little bit of
>>>>> code that does this. I do need to cope with Netmasks from  /32 to /24 so a
>>>>> few switch cases.
>>>>>
>>>>>
>>>>                It shouldn't be difficult.
>>>>
>>>>
>>>>
>>>>>
>>>>> Alternatively if someone can provide a few pointers on that bit I can
>>>>> probably build from there.
>>>>>
>>>>>
>>>>                If you have:
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>                Cisco-AVPair = "ip:route=1.2.3.1 255.255.255.240"
>>>>>>>
>>>>>>>
>>>>>>                Step 1, split it into pieces:
>>>>
>>>> if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>>>>
>>>>                This matches the "ip:route" prefix.  It then matches non-space data,
>>>> then a space, and more non-space data.  As per the FR documentation, the
>>>> first match goes into %{1}, and the second into %{2}.
>>>>
>>>>                As there are only a limited number of net masks, you can expand the net
>>>> mask, and switch over it (inside of the "if" block from above)
>>>>
>>>> switch "%{2}" {
>>>>     case "255.255.255.255" {
>>>>         update reply {
>>>>             Framed-Route = "%{1}/32"
>>>>         }
>>>>     }
>>>>
>>>>     case "255.255.255.254" {
>>>>         update reply {
>>>>             Framed-Route = "%{1}/31"
>>>>         }
>>>>     }
>>>>
>>>>     case "255.255.255.252" {
>>>>         update reply {
>>>>             Framed-Route = "%{1}/30"
>>>>         }
>>>>     }
>>>>
>>>>     ... etc...
>>>>
>>>>     # and the "catch all" case, just mash it to /28
>>>>     case {
>>>>         update reply {
>>>>             Framed-Route = "%{1}/28"
>>>>         }
>>>>     }
>>>> }
>>>>
>>>>                A little verbose, but it should work.
>>>>
>>>>                Alan DeKok.
>>>>
>>>>
>>>> -
>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>>>
>>>>


