On Fri, Dec 15, 2017 at 12:42 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 15, 2017, at 6:29 AM, Gianni Costanzi <gianni.costanzi@gmail.com> wrote:
So I've tried to implement the code I need to replicate what I was using in older Freeradius:
if (&User-Name =~ /^(xx[e0][0-9]{3})$/ \ && NAS-IP-Address !~ /REGEXP/ \ && NAS-IP-Address !~ /REGEXP/ \ && NAS-IP-Address !~ /REGEXP/ \ [...] && NAS-IP-Address !~ /REGEXP/ \ && NAS-IP-Address !~ /REGEXP/ { update request { &User-Name := "%{User-Name}@myrealm" } }
The problem now is that there are too many conditions and radius server does not start:
As I suggested earlier... see "man rlm_passwd". You can create local groups for the NASes.
i.e. instead of listing masses of regular expressions, just create a simple flat file with (a) the IP of the NAS, and (b) the group it should belong to. You can create a local "NAS-Group" attribute. See the rlm_passwd documentation for examples.
Then in the "authorize" section, do:
if ((User-Name =~ /regex/) && (NAS-Group == "foo")) { ... }
If I reduce the number of "&& NAS-IP-Address" rows it works.
Using groups is simpler than large numbers of if / then / else conditions.
Alan DeKok.
Thank you very much, I think I've understood now the whole picture, I should be able to implement what I need with the passwd module (it seems to work, looking at the first tests I've done). I still don't understand when I should use &User-Name and when User-Name, since both seem to work, but I need to read the manuals with more attention (Always being in a hurry doesn't help).
Have a nice weekend Gianni