Custom, conditional, variable in linelog

Giuseppe Civitella gcivitella at enter.eu
Mon Feb 19 18:29:38 CET 2018


So I updated my post-auth block and logged what I needed.

Now I have:

post-auth {
        update {
                &reply: += &session-state:
        }
        reply_log
        exec
        if ("%{ldap:ldap://127.0.0.1/ou=users,o=isiline,dc=who,dc=is?objectClass?one?(&(dialupAccess=yes)(o=cpe_mpls_15)(cn=%{User-Name}))}") {
                update reply {
                        &Reply-Message  += 'ti sei loggato su un CPE MPLS con livello 15'
                        &Cisco-AVPair   += 'shell:priv-lvl=15'
                        &Filter-Id      := 'cpe_mpls_15'
                }
        }

And I log the Filter-Id value this way:

linelog log_dyn_clients {
        filename = ${logdir}/linelog-client-auth-%Y%m%d.log
        permissions = 0600
        reference = "messages.%{%{reply:Packet-Type}:-default}"
        messages {
                default = "[Unknown] unknown packet type %{Packet-Type}"
                Access-Accept = "%{date:Event-Timestamp} [Accept] user: %{User-Name}, client_ip: %{Packet-Src-IP-Address}, virtual_server: %{Virtual-Server}, filter: %{reply:Filter-Id}"
                Access-Reject = "%{date:Event-Timestamp} [Reject] user: %{User-Name}, client_ip: %{Packet-Src-IP-Address}, virtual_server: %{Virtual-Server}, filter: %{reply:Filter-Id}"
        }
}


Best regards,
Giuseppe



On 16/02/2018 16:37, Giuseppe Civitella wrote:
> Hi all,
>
> I use a few virtual servers to define users access to CISCO devices
> against their LDAP profile.
>
> In every virtual server I've got:
>
> post-auth {
>         update {
>                 &reply: += &session-state:
>         }
>         reply_log
>         exec
>         if ("%{ldap:ldap://127.0.0.1/USER_DN?objectClass?one?(&(dialupAccess=yes)(o=cpe_mpls_15)(cn=%{User-Name}))}") {
>                 update reply {
>                         &Reply-Message  += 'Custom message'
>                         &Cisco-AVPair   += 'shell:priv-lvl=15'
>                         My-Ldap-filter := cpe_mpls_15
>                 }
>         }
>         log_dyn_clients
>
> In my local dictionary I defined:
>
> ATTRIBUTE       My-Ldap-filter          5000    string
>
>
> I'd like to assign a value to My-Ldap-filter in every if block and
> record the value in a log file.
>
> So I defined log_dyn_clients this way:
>
> linelog log_dyn_clients {
>         filename = ${logdir}/linelog-client-auth-%Y%m%d.log
>         permissions = 0600
>         reference = "messages.%{%{reply:Packet-Type}:-default}"
>         messages {
>                 default = "[Unknown] unknown packet type %{Packet-Type}"
>                 Access-Accept = "[Accept] user: %{User-Name}, client_ip: %{Packet-Src-IP-Address}, virtual_server: %{Virtual-Server}, attr: %{My-Ldap-filter}"
>                 Access-Reject = "[Reject] user: %{User-Name}, client_ip: %{Packet-Src-IP-Address}, virtual_server: %{Virtual-Server}, attr: %{My-Ldap-filter}"
>         }
> }
>
> Unfortunately I'm not able to get My-Ldap-filter's value in the logs:
>
> [Accept] user: gcivitella, client_ip: 10.200.20.79, virtual_server: cpe_mpls_srv, attr:
> [Accept] user: gcivitella, client_ip: 10.200.20.79, virtual_server: cpe_mpls_srv, attr:
>
> How could I get the logs I need? Any idea?
>
> Thanks a lot,
>
> Giuseppe



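An added example, not part of the original messages: a small Python audit of the linelog output defined in the reply above. It lists who was granted the cpe_mpls_15 filter, accepts logged with an empty filter (the symptom in the original question), and rejects per client. The timestamp layout and all sample values are assumptions; the field labels come from the messages definitions above, including the earlier "attr:" variant.

```python
import re
from collections import Counter

# The timestamp text depends on the date module's format setting, so it is
# kept as an opaque prefix (assumption). User-Name is free text from the
# client and may contain ", " itself, so it is matched greedily and the
# server-generated fields are anchored at the end of the line.
LINE = re.compile(
    r"^(?P<ts>.*?)\s*\[(?P<result>Accept|Reject)\] user: (?P<user>.*), "
    r"client_ip: (?P<ip>[0-9A-Fa-f.:]+), virtual_server: (?P<vs>[^,\s]+), "
    r"(?:filter|attr): ?(?P<filter>[^,\s]*)\s*$"
)

# Constructed sample lines (timestamps, users and addresses are made up).
SAMPLE = [
    "Feb 19 2018 18:01:12 CET [Accept] user: alice, client_ip: 192.0.2.10, "
    "virtual_server: cpe_mpls_srv, filter: cpe_mpls_15",
    "Feb 19 2018 18:02:40 CET [Accept] user: rossi, mario, client_ip: 192.0.2.11, "
    "virtual_server: cpe_mpls_srv, filter: ",
    "Feb 19 2018 18:03:05 CET [Reject] user: bob, client_ip: 192.0.2.66, "
    "virtual_server: cpe_mpls_srv, filter: ",
    "Feb 19 2018 18:03:09 CET [Reject] user: bob, client_ip: 192.0.2.66, "
    "virtual_server: cpe_mpls_srv, filter: ",
    "[Unknown] unknown packet type Access-Request",
]

def parse(line):
    """Return the fields of one Accept/Reject line, or None if it does not match."""
    m = LINE.match(line)
    return m.groupdict() if m else None

def audit(lines, privileged=("cpe_mpls_15",)):
    """Sort lines into privileged grants, accepts without a filter, and rejects per client."""
    report = {"privileged": [], "no_filter": [], "rejects": Counter(), "unparsed": []}
    for line in lines:
        rec = parse(line)
        if rec is None:
            report["unparsed"].append(line)
        elif rec["result"] == "Reject":
            report["rejects"][rec["ip"]] += 1
        elif rec["filter"] in privileged:
            report["privileged"].append((rec["user"], rec["ip"]))
        elif not rec["filter"]:
            report["no_filter"].append((rec["user"], rec["ip"]))
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An accept that lands in no_filter means no LDAP profile condition matched, or the attribute was not logged from the reply list.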