Freeradius 3.0.7 regex check in module files doesn't work
Hello, we maybe found a bug in Freeradius 3.0.7. We assign V-LAN's dynamically through the module files in the section post-auth. To assign the right VLAN, various attributes are checked like the NAS-Identifier. In 3.0.4 it works without problems, but in 3.0.7 the regex check doesn't seem to work. ################################### sites-enabled/default ################################### server eap_server { listen { ipaddr = * port = 1645 type = auth limit { } } authorize { eap { ok = return } } authenticate { Auth-Type PAP { } Auth-Type CHAP { } eap Auth-Type eap { eap { handled = 1 } if (handled && (Response-Packet-Type == Access-Challenge)) { } } } post-auth { update request { Stripped-User-Name := "%{mschap:User-Name}" Realm := "%{mschap:NT-Domain}" } update reply { Tunnel-Type := "13" Tunnel-Medium-Type := "6" } rad-vlan.authorize update reply { Tunnel-Private-Group-Id="%{control:Tunnel-Private-Group-Id}" } Post-Auth-Type REJECT { eap } } pre-proxy { update proxy-request { proxy-request:User-Name := "%{proxy-request:MS-CHAP-User-Name}" } } post-proxy { post_proxy_log eap } } ################################### mods-enabled/files ################################### files { filename = ${confdir}/radius-station-mac usersfile = ${confdir}/radius-station-mac compat = no EAP-TLS-Require-Client-Cert = yes } files radius-station-allow { usersfile = ${confdir}/radius-station-allow key = %{Stripped-User-Name} compat = cistron } files radius-station-ids { usersfile = ${confdir}/radius-station-ids key = %{Stripped-User-Name} compat = no } files radius-station-ids-test { usersfile = ${confdir}/radius-station-ids-test key = %{Stripped-User-Name} compat = cistron } files rad-vlan { usersfile = ${confdir}/rad-vlan key = %{Calling-Station-Id} compat = cistron Fall-Through = Yes } ################################### raddb/rad-vlan ################################### 12-34-56-78-90-AB NAS-Identifier =~ "WPA-GG.*", Stripped-User-Name == "ldapsearch123", Tunnel-Private-Group-Id := "200" 12-34-56-78-90-AB NAS-Identifier =~ "WPA-GG.*", Stripped-User-Name == "ldapsearch", Tunnel-Private-Group-Id := "200" 12-34-56-78-90-AB NAS-Identifier =~ "WPA-GG.*", Tunnel-Private-Group-Id := "200" DEFAULT Tunnel-Private-Group-Id := "001" ################################### Debug 3.0.7: ################################### (14) User-Name = 'materna\ldapsearch' (14) NAS-IP-Address = 127.0.0.1 (14) Calling-Station-Id = '12-34-56-78-90-AB' (14) Framed-MTU = 1400 (14) NAS-Port-Type = Wireless-802.11 (14) Connect-Info = 'CONNECT 11Mbps 802.11b' (14) NAS-Identifier = 'WPA-GG' (14) EAP-Message = 0x020e0050190017030100206d1d4cd5d01f3a7153236662e595c5daaaa6336c78322b05cc4c9fd9bc092eaf1703010020d37b532af4b18cb31b84ba696ea369a746e9f295e4f1e32a6d9081884be47bcd (14) State = 0xbfb2fbdeb2bce21540db8fbcb8edd37b (14) Message-Authenticator = 0x23a2fd8b9b2e1ade466b27c4b28100a3 (14) session-state: No cached attributes (14) # Executing section authorize from file ./etc/radius-eap//sites-enabled/default (14) authorize { (14) eap: Peer sent code Response (2) ID 14 length 80 (14) eap: Continuing tunnel setup (14) [eap] = ok (14) } # authorize = ok (14) Found Auth-Type = EAP (14) # Executing group from file ./etc/radius-eap//sites-enabled/default (14) authenticate { (14) eap: Expiring EAP session with state 0xbfb2fbdeb2bce215 (14) eap: Finished EAP session with state 0xbfb2fbdeb2bce215 (14) eap: Previous EAP request found for state 0xbfb2fbdeb2bce215, released from the list (14) eap: Peer sent method PEAP (25) (14) eap: EAP PEAP (25) (14) eap: Calling eap_peap to process EAP data (14) eap_peap: processing EAP-TLS (14) eap_peap: eaptls_verify returned 7 (14) eap_peap: Done initial handshake (14) eap_peap: eaptls_process returned 7 (14) eap_peap: FR_TLS_OK (14) eap_peap: Session established. Decoding tunneled attributes (14) eap_peap: PEAP state send tlv success (14) eap_peap: Received EAP-TLV response (14) eap_peap: Success (14) eap_peap: Using saved attributes from the original Access-Accept (14) eap_peap: User-Name = 'materna\ldapsearch' (14) eap_peap: Saving session b5f76169be377c4eb841c0ec3f4cc92488683fe647ffb81eb89abb1dbe84068f vps 0x7fab2c002200 in the cache (14) eap: Freeing handler (14) [eap] = ok (14) } # authenticate = ok (14) # Executing section post-auth from file ./etc/radius-eap//sites-enabled/default (14) post-auth { (14) update request { (14) EXPAND %{mschap:User-Name} (14) --> ldapsearch (14) Stripped-User-Name := "ldapsearch" (14) EXPAND %{mschap:NT-Domain} (14) --> materna (14) Realm := "materna" (14) } # update request = noop (14) update reply { (14) Tunnel-Type := VLAN (14) Tunnel-Medium-Type := IEEE-802 (14) } # update reply = noop (14) rad-vlan: EXPAND %{Calling-Station-Id} (14) rad-vlan: --> 12-34-56-78-90-AB (14) rad-vlan: EXPAND WPA-GG.* (14) rad-vlan: --> WPA-GG.* (14) rad-vlan: EXPAND WPA-GG.* (14) rad-vlan: --> WPA-GG.* (14) rad-vlan: users: Matched entry DEFAULT at line 4 (14) [rad-vlan.authorize] = ok (14) update reply { (14) EXPAND %{control:Tunnel-Private-Group-Id} (14) --> 001 (14) Tunnel-Private-Group-Id = "001" (14) } # update reply = noop (14) } # post-auth = ok (14) Login OK: [materna\ldapsearch/<via Auth-Type = EAP>] (from client sles11 port 0 cli 12-34-56-78-90-AB) (14) Sent Access-Accept Id 14 from 139.2.35.240:1645 to 139.2.38.67:55213 length 197 (14) User-Name = 'materna\ldapsearch' (14) MS-MPPE-Recv-Key = 0x106181fbc445a0ff2341792c573ab68ef78633d6308c7171c8a5db18d52fc33f (14) MS-MPPE-Send-Key = 0x7de75e7f18cc057b55abc4f1c3e41cfebfa3e7d32ef85ba091b7b42a2fc193e5 (14) EAP-Message = 0x030e0004 (14) Message-Authenticator = 0x00000000000000000000000000000000 (14) Tunnel-Type = VLAN (14) Tunnel-Medium-Type = IEEE-802 (14) Tunnel-Private-Group-Id = '001' (14) Finished request Thread 1 waiting to be assigned a request Waking up in 0.2 seconds. Waking up in 4.3 seconds. ################################### Debug 3.0.4: ################################### Thread 1 got semaphore Thread 1 handling request 14, (3 handled so far) User-Name = 'materna\ldapsearch' NAS-IP-Address = 127.0.0.1 Calling-Station-Id = '12-34-56-78-90-AB' Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = 'CONNECT 11Mbps 802.11b' NAS-Identifier = 'WPA-GG' EAP-Message = 0x020e0050190017030100200178abd6cb94ebd3a457a0e14cebf41f0ddd572a3d7dfd5867087817f0d5966a1703010020b3483f13ae714a12e4fc5151018f0691a8555d9c76983af3fbe8cd112e63266d State = 0xfc812f3df18f362cddee265392cf2627 Message-Authenticator = 0x500747f00648ebdd6ecce7c3770fe689 (14) Received Access-Request packet from host 139.2.38.67 port 41678, id=14, length=220 (14)User-Name = 'materna\ldapsearch' (14)NAS-IP-Address = 127.0.0.1 (14)Calling-Station-Id = '12-34-56-78-90-AB' (14)Framed-MTU = 1400 (14)NAS-Port-Type = Wireless-802.11 (14)Connect-Info = 'CONNECT 11Mbps 802.11b' (14)NAS-Identifier = 'WPA-GG' (14)EAP-Message = 0x020e0050190017030100200178abd6cb94ebd3a457a0e14cebf41f0ddd572a3d7dfd5867087817f0d5966a1703010020b3483f13ae714a12e4fc5151018f0691a8555d9c76983af3fbe8cd112e63266d (14)State = 0xfc812f3df18f362cddee265392cf2627 (14)Message-Authenticator = 0x500747f00648ebdd6ecce7c3770fe689 (14) # Executing section authorize from file /etc/radiusd/sites-enabled/default (14)authorize { (14)eap : Peer sent code Response (2) ID 14 length 80 (14)eap : Continuing tunnel setup (14)[eap] = ok (14)} #authorize = ok (14) Found Auth-Type = EAP (14) # Executing group from file /etc/radiusd/sites-enabled/default (14)authenticate { (14)eap : Expiring EAP session with state 0xfc812f3df18f362c (14)eap : Finished EAP session with state 0xfc812f3df18f362c (14)eap : Previous EAP request found for state 0xfc812f3df18f362c, released from the list (14)eap : Peer sent method PEAP (25) (14)eap : EAP PEAP (25) (14)eap : Calling eap_peap to process EAP data (14)eap_peap : processing EAP-TLS (14)eap_peap : eaptls_verify returned 7 (14)eap_peap : Done initial handshake (14)eap_peap : eaptls_process returned 7 (14)eap_peap : FR_TLS_OK (14)eap_peap : Session established.Decoding tunneled attributes (14)eap_peap : Peap state send tlv success (14)eap_peap : Received EAP-TLV response (14)eap_peap : Success (14)eap_peap : Using saved attributes from the original Access-Accept User-Name = 'materna\ldapsearch' (14)eap_peap : Saving session 467ec288d1ef3786548e67dd6ddc2493765cab9d520bef51307869c3cf86776a vps 0x7facbc003e90 in the cache (14)eap : Freeing handler (14)[eap] = ok (14)} #authenticate = ok (14) Login OK: [materna\ldapsearch/<via Auth-Type = EAP>] (from client sles11 port 0 cli 12-34-56-78-90-AB) (14) # Executing section post-auth from file /etc/radiusd/sites-enabled/default (14)post-auth { (14)update request { (14) EXPAND %{mschap:User-Name} (14)--> ldapsearch (14)Stripped-User-Name := "ldapsearch" (14) EXPAND %{mschap:NT-Domain} (14)--> materna (14)Realm := "materna" (14)} # update request = noop (14)update reply { (14)Tunnel-Type := VLAN (14)Tunnel-Medium-Type := IEEE-802 (14)} # update reply = noop (14)rad-vlan : EXPAND %{Calling-Station-Id} (14)rad-vlan :--> 12-34-56-78-90-AB (14)rad-vlan : EXPAND WPA-GG.* (14)rad-vlan :--> WPA-GG.* (14)rad-vlan : EXPAND WPA-GG.* (14)rad-vlan :--> WPA-GG.* (14)rad-vlan : EXPAND WPA-GG.* (14)rad-vlan :--> WPA-GG.* (14)rad-vlan : EXPAND WPA-GG.* (14)rad-vlan :--> WPA-GG.* (14)rad-vlan : users: Matched entry 12-34-56-78-90-AB at line 2 (14)[rad-vlan.authorize] = ok (14)update reply { (14) EXPAND %{control:Tunnel-Private-Group-Id} (14)--> 200 (14) Tunnel-Private-Group-Id = "200" (14)} # update reply = noop (14)} #post-auth = ok (14) Sending Access-Accept packet to host 139.2.38.67 port 41678, id=14, length=0 (14)User-Name = 'materna\ldapsearch' (14)MS-MPPE-Recv-Key = 0x8973d3f59b6ce58227550444df27760f7bd43151d1367444e1883aa5288a99dd (14)MS-MPPE-Send-Key = 0x1cc9775a68f9ed8715f7e50510981ea04330364949c228eb58a227a27352a440 (14)EAP-MSK = 0x8973d3f59b6ce58227550444df27760f7bd43151d1367444e1883aa5288a99dd1cc9775a68f9ed8715f7e50510981ea04330364949c228eb58a227a27352a440 (14)EAP-EMSK = 0xa8fc008102830647de31e83c4091d01c4717d0785bb964ab682b87b47c00bfe17aa903f0aa969e000d1835b2623128d6b4d585184b977c884176d1e1dbc9e8ee (14)EAP-Session-Id = 0x1954f85fa7840493a4abe8ee3c005b56ba8e198835115a1fef65c4e1ade3b674ac0ed3759d36b7b6033b489b000a4a6515eb1ec3ef719d7bf589cf8b132dba8b5c (14)EAP-Message = 0x030e0004 (14)Message-Authenticator = 0x00000000000000000000000000000000 (14)Tunnel-Type = VLAN (14)Tunnel-Medium-Type = IEEE-802 (14)Tunnel-Private-Group-Id = '200' Sending Access-Accept Id 14 from 139.2.35.240:1645 to 139.2.38.67:41678 User-Name = 'materna\ldapsearch' MS-MPPE-Recv-Key = 0x8973d3f59b6ce58227550444df27760f7bd43151d1367444e1883aa5288a99dd MS-MPPE-Send-Key = 0x1cc9775a68f9ed8715f7e50510981ea04330364949c228eb58a227a27352a440 EAP-Message = 0x030e0004 Message-Authenticator = 0x00000000000000000000000000000000 Tunnel-Type = VLAN Tunnel-Medium-Type = IEEE-802 Tunnel-Private-Group-Id = '200' (14) Finished request Thread 1 waiting to be assigned a request Waking up in 0.2 seconds. Waking up in 4.3 seconds. (0) Cleaning up request packet ID 0 with timestamp +2 (1) Cleaning up request packet ID 1 with timestamp +2 Kind regards. D. Stabla
Your "users" syntax is invalid. This: mac NAS-Identifier =~ "...", Tunnel-Private-Group-ID := "100" ...should be: mac NAS-Identifier =~ "..." Tunnel-Private-Group-ID := "100" Comparisons, and "set" for control items, go on the first line of a "users" file entry. Reply items go on 2nd and subsequent lines. It might be that this worked by accident in 3.0.4. It's also best IMO from a readability PoV to leave a blank line between users file entries. I would encourage you to convert this config to "unlang" which is less "magical" than users-file syntax.
participants (2)
-
Phil Mayers -
Stabla, Daniel