Phil Mayers wrote:
Geoff Silver wrote:
# Cisco NAS doing username/password authentication, proxied to another bob Huntgroup-Name=="Office", Hint==Port-1645, Proxy-To-Realm:=UAS Connect-Info="OFFICE_ACCESS"
I take it these are PAP requests?
Yep
If not, it can't be done.
If so, this works for me:
user User-Password=~".*/.*", Some-Stuff := whatever
Cool. So is there an easy way to combine that with the dynamic hint I'm already creating, since I'm already applying a hint? If I change my hint to: DEFAULT User-Name =~ "^(.*)$", User-Password =~ ".*/.*" Hint = "Port-%{request:Packet-Dst-Port}" Then connections which use Port-1812 also require a / in the password (which will never appear, because when doing SSL authentication, the password is always the username). I tried to "chain" the hints, but that doesn't appear to work. For instance, DEFAULT User-Name =~ "^(.*)$" Hint = "Port-%{request:Packet-Dst-Port}" DEFAULT Hint = "Port-1645", User-Password =~ ".*/.*" Hint = "HasSlash" Appears to match the first hint, but not the second one (radius_xlat prints 'Port-1645' when running radiusd in debug mode, but the users file tries to match Hint==Port-1645, not Hint==HasSlash - all of which I actually expected to happen). I can kind of make it work by doing the following: DEFAULT User-Password =~ ".*/.*" Hint = "HasSlash" DEFAULT User-Name =~ "^(.*)$" Hint = "Port-%{request:Packet-Dst-Port}" and then *assuming* if the password has a / it must have also come in on UDP port 1645 as well, and if not then let the second rule apply, but that answer feels very unclean to me. All of this would be far easier if I could use the %{request:} macros on the LHS of a hint, of course. -- Geoff Silver http://www.bullrunmountain.org/