On 2 Sep 2011, at 16:25, Olivier Beytrison wrote:
Thanks Arran for those answers,
No your check will not iterate over every instance of a value.
In order to do that you'll need to use FreeRADIUS 3.x and use the foreach unlang construct or perl.
hmm, FreeRADIUS 3.x? Is it suitable for production environnement ? Or i'll simply fall back to rlm_perl. But not on a friday evening, it will wait till monday!
Tentative yes :) It'll only get truly production ready if people test it and report the bugs. But yes, it's good enough to build configs on, and good enough to test. If you do a git-clone then you can establish basic version control with something like: #!/bin/bash cd /usr/local/src/freeradius git pull make clean hash=`git log -n 1 --pretty=format:%h` ./configure --prefix="/usr/local/freeradius-$hash" --enable-developer make make install rm /usr/local/freeradius ln -s "/usr/local/freeradius-$hash" /usr/local/freeradius Once you find a commit that does all you want, stick with it until there's an official 3.x release and then upgrade. For certain fixes you'll be able to use git cherry-pick to pull in individual commits. -Arran
-Arran
On 2 Sep 2011, at 15:47, Olivier Beytrison wrote:
Hello,
I'm trying since two week to do some multi-valued attribute checking on my radius infrastructure.
I've been looking to checkval, using the "users" file and such but with no luck.
I'm running two FR 2.1.10 on ubuntu for the eduroam project. The local authentication is made against an Novell eDirectory ldap server.
I'm fetching a multi-valued attribute from the ldap into the control list, and based on its content, I set the correct Airespace-Interface-Name value.
At the beginning I was using unlang to match the value, and it works perfectly since 90% of the people only have one attribute. But some people have multiple attributes.
So far, that's what I've been using :
In virtual server, at the end of authorize {}
if (NAS-IP-Address =~ /160\.98\.156\..*/) { $INCLUDE ${confdir}/secure-hefr.policy
}
secure-hefr.policy content :
if ( control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) { update reply { Airespace-Interface-Name := "wifi_eia-etu" } } elsif ( control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) { update reply { Airespace-Interface-Name := "wifi_eia-col" } } elsif { } [ ... ]
Some debug from a user who is multi-valued :
server eduroam-inner-tunnel-peap { # Executing section authorize from file /etc/freeradius/sites-enabled/eduroam-inner-tunnel-peap +- entering group authorize {...} ++[mschap] returns noop [suffix] Looking up realm "hefr.ch" for User-Name = "didier.perroud@hefr.ch" [suffix] Found realm "hefr.ch" [suffix] Adding Realm = "hefr.ch" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] EAP packet type response id 11 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902 [auth_log] expand: %t -> Fri Sep 2 15:45:08 2011 ++[auth_log] returns ok [linelog] expand: %{Packet-Type} -> Access-Request [linelog] expand: %{%{Packet-Type}:-format} -> Access-Request [linelog] expand: /var/log/freeradius/linelog -> /var/log/freeradius/linelog [linelog] expand: Requested access: %{User-Name} -> Requested access: didier.perroud@hefr.ch ++[linelog] returns ok ++? if (User-Name =~ /(.*)@.*hefr.ch$/) ? Evaluating (User-Name =~ /(.*)@.*hefr.ch$/) -> TRUE ++? if (User-Name =~ /(.*)@.*hefr.ch$/) -> TRUE ++- entering if (User-Name =~ /(.*)@.*hefr.ch$/) {...} expand: %{1} -> didier.perroud +++[request] returns ok ++- if (User-Name =~ /(.*)@.*hefr.ch$/) returns ok ++[files] returns noop [ldap] performing user authorization for didier.perroud [ldap] expand: (uid=%{Stripped-User-Name}) -> (uid=didier.perroud) [ldap] expand: ou=courant,ou=people,o=hefr -> ou=courant,ou=people,o=hefr [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=courant,ou=people,o=hefr, with filter (uid=didier.perroud) [ldap] Added the eDirectory password ******* in check items as Cleartext-Password [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] hessoRoleMemberKey -> HESSO-MEMBER-KEY == "RORG-HEFR-EIFR-TICO-TLCO-$-RSM" [ldap] hessoRoleMemberKey -> HESSO-MEMBER-KEY == "RORG-MASO-$-RCA" [ldap] hessoRoleMemberKey -> HESSO-MEMBER-KEY == "RACA-TICO-MSEI-MTIC-$-RCA" [ldap] looking for reply items in directory... [ldap] hessoRoleMemberKey -> Class = 0x524f52472d484546522d454946522d5449434f2d544c434f2d242d52534d [ldap] hessoRoleMemberKey -> Class = 0x524f52472d4d41534f2d242d524341 [ldap] hessoRoleMemberKey -> Class = 0x524143412d5449434f2d4d5345492d4d5449432d242d524341 [ldap] user didier.perroud authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop ++? if (NAS-IP-Address =~ /160\.98\.156\..*/) ? Evaluating (NAS-IP-Address =~ /160\.98\.156\..*/) -> TRUE ++? if (NAS-IP-Address =~ /160\.98\.156\..*/) -> TRUE ++- entering if (NAS-IP-Address =~ /160\.98\.156\..*/) {...} +++? if (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/ ) ? Evaluating (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/) -> FALSE +++? if (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/ ) -> FALSE +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) ? Evaluating (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/) -> FALSE +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) -> FALSE +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) ? Evaluating (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/) -> TRUE +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) -> TRUE +++- entering elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) {...}
We can see that it didn't match control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ while it has the correct value in the control list.
How can I match this multi-valued attribute ?
Regards, Olivier B.
--
Olivier Beytrison Network & Security Engineer, HES-SO Fribourg - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Arran Cudbard-Bell a.cudbardb@freeradius.org
RADIUS - Half the complexity of Diameter
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Olivier Beytrison Network & Security Engineer, HES-SO Fribourg - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Arran Cudbard-Bell a.cudbardb@freeradius.org RADIUS - Half the complexity of Diameter