I can’t figure out how to get modules to return with the codes I want them too.  I have (what I believe to be) a very simple policy for checking if a request looks like a MAC authentication request.  I would like the policy module return to be able to indicate if the request looks like it’s MAC authentication or not.

 

I have a policy defined in policy.conf as follows:

 

check.mac_authentication {

                                if ( (Calling-Station-Id) && (User-Name) ) {

                                                                if ( "%{User-Name}" =~ /^%{config:policy.mac-addr}$/i ) {

                                                                                                update request {

                                                                                                                                Tmp-String-0 := "%{tolower:%{1}%{2}%{3}%{4}%{5}%{6}}"

                                                                                                }

                                                                }

                                                                if ( "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i ) {

                                                                                                update request {

                                                                                                                                Tmp-String-1 := "%{tolower:%{1}%{2}%{3}%{4}%{5}%{6}}"

                                                                                                }

                                                                }

                                }

                                if ( (Tmp-String-0) && (Tmp-String-1) &&  "%{Tmp-String-0}" == "%{Tmp-String-1}" ) {

                                                                ok

                                }

                                else {

                                                                noop

                                }

}

 

The goal is to return “ok” if both attributes exist, look like mac addresses, and have the same value (after being normalized to lower-case and having delimiters removed).  Otherwise, it should return “noop”.

 

What is happening instead:

 

+++- entering policy check.mac_authentication {...}

++++? if ((Calling-Station-Id) && (User-Name) )

?? Evaluating (Calling-Station-Id) -> TRUE

?? Evaluating (User-Name) -> TRUE

++++? if ((Calling-Station-Id) && (User-Name) ) -> TRUE

++++- entering if ((Calling-Station-Id) && (User-Name) ) {...}

+++++? if ("%{User-Name}" =~ /^%{config:policy.mac-addr}$/i )

        expand: %{User-Name} -> 11bbccddeeff

        expand: policy.mac-addr -> policy.mac-addr

        expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$

? Evaluating ("%{User-Name}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE

+++++? if ("%{User-Name}" =~ /^%{config:policy.mac-addr}$/i ) -> TRUE

+++++- entering if ("%{User-Name}" =~ /^%{config:policy.mac-addr}$/i ) {...}

        expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 11bbccddeeff

        expand: %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} -> 11bbccddeeff

++++++[request] returns ok

+++++- if ("%{User-Name}" =~ /^%{config:policy.mac-addr}$/i ) returns ok

+++++? if ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i )

        expand: %{Calling-Station-Id} -> AA-BB-CC-DD-EE-FF

        expand: policy.mac-addr -> policy.mac-addr

        expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$

? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE

+++++? if ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i ) -> TRUE

+++++- entering if ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i ) {...}

        expand: %{1}%{2}%{3}%{4}%{5}%{6} -> AABBCCDDEEFF

        expand: %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} -> aabbccddeeff

++++++[request] returns ok

+++++- if ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i ) returns ok

++++- if ((Calling-Station-Id) && (User-Name) ) returns ok

++++? if ((Tmp-String-0) && (Tmp-String-1) &&  "%{Tmp-String-0}" == "%{Tmp-String-1}" )

?? Evaluating (Tmp-String-0) -> TRUE

?? Evaluating (Tmp-String-1) -> TRUE

        expand: %{Tmp-String-0} -> 11bbccddeeff

        expand: %{Tmp-String-1} -> aabbccddeeff

? Evaluating ("%{Tmp-String-0}" == "%{Tmp-String-1}" ) -> FALSE

++++? if ((Tmp-String-0) && (Tmp-String-1) &&  "%{Tmp-String-0}" == "%{Tmp-String-1}" ) -> FALSE

++++- entering else else {...}

+++++[noop] returns noop

++++- else else returns noop

+++- policy check.mac_authentication returns ok

 

 

When execution enters the final “else” with the noop, why does the module still return “ok” ?

 

Any help will be greatly appreciated….

 

-Travis