Question on Unlang
Hi i request your help for know if it's possible in unlang Actually, in policy.d/my.conf i have: if ((Tunnel-Server-Endpoint:0[0] != '172.16.1.1') && (User-Name =~ /\\.local/) && (User-Name !~ /network\\.local/) && (User-Name !~ /admin\\.local/) && (User-Name !~ /wifi\\.local/) && ("%{Packet-Src-IP-Address}" == "192.168.20.1")) { update reply { <...> } } elsif ((Tunnel-Server-Endpoint:0[0] != '172.16.1.1') && (User-Name =~ /\\.local/) && (User-Name !~ /network\\.local/) && (User-Name !~ /admin\\.local/) && (User-Name !~ /wifi\\.local/) && ("%{Packet-Src-IP-Address}" == "192.168.50.1")) { update reply { <...> } } i put only 3 in my sample of !~ (network,admin and wifi), but i have ~40 and i have ~30 of "elsif" it's a long file ;) i want know if it's possible in unlang to create a list: SubRealm_Exclude { network.local admin.local wifi.local } and after put in if condition : if ((Tunnel-Server-Endpoint:0[0] != '172.16.1.1') && (User-Name =~ /\\.local/) && (User-Name !~ SubRealm_Exclude) && ("%{Packet-Src-IP-Address}" == "192.168.20.1")) { update reply { <...> } } elsif ((Tunnel-Server-Endpoint:0[0] != '172.16.1.1') && (User-Name =~ /\\.local/) && (User-Name !~ SubRealm_Exclude) && ("%{Packet-Src-IP-Address}" == "192.168.50.1")) { update reply { <...> } } Thanks for your help regards
On 25/03/2017 06:07, Olivier CALVANO wrote:
SubRealm_Exclude { network.local admin.local wifi.local }
and after put in if condition :
if ((Tunnel-Server-Endpoint:0[0] != '172.16.1.1') && (User-Name =~ /\\.local/) && (User-Name !~ SubRealm_Exclude) && ("%{Packet-Src-IP-Address}" == "192.168.20.1")) { update reply { <...> } }
Regular expressions are your friend: if (Tunnel-Server-Endpoint:0[0] != '172.16.1.1' && User-Name =~ /\\.local$/ && User-Name !~ /(network|admin|wifi)\\.local$/i) && ... A couple of notes: - add '$' to match at the end of string only, otherwise a username like foo.local@bar.com would match - add /i flag to do case-insensitive match; otherwise foo@network.local would be blocked but foo@Network.local would be permitted. And if you're using freeradius 3.x then it's better to use the newer attribute reference syntax (&) instead of string expansion: if (&Tunnel-Server-Endpoint:0[0] != 172.16.1.1 && &User-Name =~ /\\.local$/ && &User-Name !~ /(network|admin|wifi)\\.local$/i) && ... This means the IP address is compared as an IP address, not as a string of characters. HTH, Brian.
Thanks brian for your answer ;=) but for me not a big difference between my actual config and regular expressions. all line ar very very long he don't have other solution ? 2017-03-25 12:25 GMT+01:00 Brian Candler <b.candler@pobox.com>:
On 25/03/2017 06:07, Olivier CALVANO wrote:
SubRealm_Exclude { network.local admin.local wifi.local }
and after put in if condition :
if ((Tunnel-Server-Endpoint:0[0] != '172.16.1.1') && (User-Name =~ /\\.local/) && (User-Name !~ SubRealm_Exclude) && ("%{Packet-Src-IP-Address}" == "192.168.20.1")) { update reply { <...> } }
Regular expressions are your friend:
if (Tunnel-Server-Endpoint:0[0] != '172.16.1.1' && User-Name =~ /\\.local$/ && User-Name !~ /(network|admin|wifi)\\.local$/i) && ...
A couple of notes:
- add '$' to match at the end of string only, otherwise a username like foo.local@bar.com would match
- add /i flag to do case-insensitive match; otherwise foo@network.local would be blocked but foo@Network.local would be permitted.
And if you're using freeradius 3.x then it's better to use the newer attribute reference syntax (&) instead of string expansion:
if (&Tunnel-Server-Endpoint:0[0] != 172.16.1.1 && &User-Name =~ /\\.local$/ && &User-Name !~ /(network|admin|wifi)\\.local$/i) && ...
This means the IP address is compared as an IP address, not as a string of characters.
HTH,
Brian.
On 25/03/2017 11:54, Olivier CALVANO wrote:
but for me not a big difference between my actual config and regular expressions. all line ar very very long
If you're only excluding three domains it seems a good enough solution to me. If you want something "data driven" then you can look at the files module: files subrealm { key = "%{Realm}" filename = ${moddir}/subrealm } # subrealm file network.local Tmp-String-0 := "Excluded" admin.local Tmp-String-0 := "Excluded" wifi.local Tmp-String-0 := "Excluded" then check control:Tmp-String-0 in your policy. However that doesn't do *exactly* what your current config does, because your current config would match sub-subdomains like user@foo.network.local, and the above doesn't.
Hi Brian, thanks, i think's that files modules is the solution because we have actually 40 domains and in may we add 150 new domain without sub-subdomains a question because i have tested but that's don't work. i have: added in /etc/raddb/modules/subrealm: files subrealm { key = "%{Realm}" filename = ${confdir}/Liste-des-Sous-Realm } in /etc/raddb/Liste-des-Sous-Realm, i have: network.local Tmp-String-0 := "Excluded" admin.local Tmp-String-0 := "Excluded" wifi.local Tmp-String-0 := "Excluded" in my /etc/raddb/policy.d/my.conf: if ((Tunnel-Server-Endpoint:0[0] != '172.16.1.1') && (User-Name =~ /\\.local/) && (&control:Tmp-String-0 != "Excluded") && ("%{Packet-Src-IP-Address}" == "192.168.20.1")) { update reply { <...> } } elsif ((Tunnel-Server-Endpoint:0[0] != '172.16.1.1') && (&control:Tmp-String-0 != "Excluded") && ("%{Packet-Src-IP-Address}" == "192.168.50.1")) { update reply { <...> } } and when i am connect with @network.local, all time i have: ?? Evaluating (&control:Tmp-String-0 != "Excluded") -> TRUE tested too: if ((Tunnel-Server-Endpoint:0[0] != '172.16.1.1') && (User-Name =~ /\\.local/) && ("%{control:Tmp-String-0}" != "Excluded") && ("%{Packet-Src-IP-Address}" == "192.168.20.1")) { same result Last test: i have added "subrealm" /etc/raddb/sites-available/default in post-auth { but no change I did not do everything right? i don't know how i can see the value of "Tmp-String-0", they have a equivalent of "print Tmp-String-0" for see in logs ? includ: thanks 2017-03-25 18:36 GMT+01:00 Brian Candler <b.candler@pobox.com>:
On 25/03/2017 11:54, Olivier CALVANO wrote:
but for me not a big difference between my actual config and regular expressions. all line ar very very long
If you're only excluding three domains it seems a good enough solution to me.
If you want something "data driven" then you can look at the files module:
files subrealm { key = "%{Realm}" filename = ${moddir}/subrealm }
# subrealm file network.local Tmp-String-0 := "Excluded" admin.local Tmp-String-0 := "Excluded" wifi.local Tmp-String-0 := "Excluded"
then check control:Tmp-String-0 in your policy. However that doesn't do *exactly* what your current config does, because your current config would match sub-subdomains like user@foo.network.local, and the above doesn't.
On 29/03/2017 15:29, Olivier CALVANO wrote:
thanks, i think's that files modules is the solution because we have actually 40 domains and in may we add 150 new domain without sub-subdomains
a question because i have tested but that's don't work. i have:
added in /etc/raddb/modules/subrealm:
files subrealm { key = "%{Realm}" filename = ${confdir}/Liste-des-Sous-Realm }
in /etc/raddb/Liste-des-Sous-Realm, i have: network.local Tmp-String-0 := "Excluded" admin.local Tmp-String-0 := "Excluded" wifi.local Tmp-String-0 := "Excluded"
in my /etc/raddb/policy.d/my.conf:
if ((Tunnel-Server-Endpoint:0[0] != '172.16.1.1') && (User-Name =~ /\\.local/) && (&control:Tmp-String-0 != "Excluded") && ("%{Packet-Src-IP-Address}" == "192.168.20.1")) { update reply { <...> } } elsif ((Tunnel-Server-Endpoint:0[0] != '172.16.1.1') && (&control:Tmp-String-0 != "Excluded") && ("%{Packet-Src-IP-Address}" == "192.168.50.1")) { update reply { <...> } }
and when i am connect with @network.local, all time i have: ?? Evaluating (&control:Tmp-String-0 != "Excluded") -> TRUE
You need to invoke the 'subrealm' module somewhere in your authorize {} section. Then your freeradius -X output should show it being invoked, and whether it found the realm in there. Regards, Brian.
Hi ok i have added into sites-available/default in section authorize 'subrealm' but no change. the module is loaded, i see in -X logs: Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_files Module: Instantiating module "subrealm" from file /etc/raddb/modules/subrealm files subrealm { compat = "cistron" key = "%{Realm}" } +++? elsif ((Tunnel-Server-Endpoint:0[0] != '172.16.1.1') && (User-Name =~ /\\.local/) && (User-Name !~ /admin\\.local/) && (&control:Tmp-String-0 != "Excluded") && ("%{Packet-Src-IP-Address}" == "192.168.50.100")) ?? Evaluating (Tunnel-Server-Endpoint:0[0] != '172.16.1.1') -> TRUE ?? Evaluating (User-Name =~ /\\.local/) -> TRUE ?? Evaluating (User-Name !~ /admin\\.local/) -> TRUE ?? Evaluating (&control:Tmp-String-0 != "Excluded") -> TRUE expand: %{Packet-Src-IP-Address} -> 192.168.50.100 ?? Evaluating ("%{Packet-Src-IP-Address}" == "192.168.50.100") -> TRUE +++? elsif ((Tunnel-Server-Endpoint:0[0] != '172.16.1.1') && (User-Name =~ /\\.local/) && (&control:Tmp-String-0 != "Excluded") && ("%{Packet-Src-IP-Address}" == "192.168.50.100")) -> TRUE i see: ?? Evaluating (&control:Tmp-String-0 != "Excluded") -> TRUE but domain @network.local is specified in network.local Tmp-String-0 := "Excluded" rzgards 2017-03-29 17:13 GMT+02:00 Brian Candler <b.candler@pobox.com>:
On 29/03/2017 15:29, Olivier CALVANO wrote:
thanks, i think's that files modules is the solution because we have actually 40 domains and in may we add 150 new domain without sub-subdomains
a question because i have tested but that's don't work. i have:
added in /etc/raddb/modules/subrealm:
files subrealm { key = "%{Realm}" filename = ${confdir}/Liste-des-Sous-Realm }
in /etc/raddb/Liste-des-Sous-Realm, i have: network.local Tmp-String-0 := "Excluded" admin.local Tmp-String-0 := "Excluded" wifi.local Tmp-String-0 := "Excluded"
in my /etc/raddb/policy.d/my.conf:
if ((Tunnel-Server-Endpoint:0[0] != '172.16.1.1') && (User-Name =~ /\\.local/) && (&control:Tmp-String-0 != "Excluded") && ("%{Packet-Src-IP-Address}" == "192.168.20.1")) { update reply { <...> } } elsif ((Tunnel-Server-Endpoint:0[0] != '172.16.1.1') && (&control:Tmp-String-0 != "Excluded") && ("%{Packet-Src-IP-Address}" == "192.168.50.1")) { update reply { <...> } }
and when i am connect with @network.local, all time i have: ?? Evaluating (&control:Tmp-String-0 != "Excluded") -> TRUE
You need to invoke the 'subrealm' module somewhere in your authorize {} section. Then your freeradius -X output should show it being invoked, and whether it found the realm in there.
Regards,
Brian.
On 29/03/2017 16:43, Olivier CALVANO wrote:
ok i have added into sites-available/default in section authorize 'subrealm' but no change.
the module is loaded, i see in -X logs:
Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_files Module: Instantiating module "subrealm" from file /etc/raddb/modules/subrealm files subrealm { compat = "cistron" key = "%{Realm}" }
You missed the bit where it actually invokes the subrealm module when processing the packet. e.g. authorize { ... users # or ldap or mysql or whatever subrealm ... } This should then show in freeradius -X output as part of the processing: looking up the key, finding a matching entry.
Hi No change, that's don't work. How can I display the value of Tmp-String-0 in logs? regards Olivier 2017-03-29 18:04 GMT+02:00 Brian Candler <b.candler@pobox.com>:
On 29/03/2017 16:43, Olivier CALVANO wrote:
ok i have added into sites-available/default in section authorize 'subrealm' but no change.
the module is loaded, i see in -X logs:
Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_files Module: Instantiating module "subrealm" from file /etc/raddb/modules/subrealm files subrealm { compat = "cistron" key = "%{Realm}" }
You missed the bit where it actually invokes the subrealm module when processing the packet.
e.g.
authorize {
...
users # or ldap or mysql or whatever
subrealm
...
}
This should then show in freeradius -X output as part of the processing: looking up the key, finding a matching entry.
On 01/04/2017 05:02, Olivier CALVANO wrote:
No change, that's don't work.
How can I display the value of Tmp-String-0 in logs?
Show your freeradius -X to see where your subrealm module is being invoked at the time of processing the query (i.e. in the authorize section) To debug a variable I usually use update { Tmp-String-9 := "%{....expression....}" } but I expect there's a better way...
On Sat, Apr 01, 2017 at 09:36:40AM +0100, Brian Candler wrote:
To debug a variable I usually use ... but I expect there's a better way...
You can debug_all or versions of it - see raddb/policy.d/debug. But they do a similar thing. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi he load it: including configuration file /etc/raddb/modules/subrealm Module: Linked to module rlm_files Module: Instantiating module "subrealm" from file /etc/raddb/modules/subrealm files subrealm { compat = "cistron" key = "%{Realm}" } and after, at each access-request: rad_recv: Access-Request packet from host 172.16.1.1 port 51414, id=86, length=211 Proxy-State = 0x5b10bf10 User-Name = "marcy@network.local" CHAP-Password = 0x0162b20e59a93138e04d1e5e0a2cde4914 CHAP-Challenge = 0xd0a340b8d4f91cb2bdf855403e0f27bb NAS-Identifier = "LOC4156D" NAS-IP-Address = 192.168.1.1 NAS-Port = 2533641022 NAS-Port-Type = ADSL-DMT Calling-Station-Id = "atm!16/22:8.35" Acct-Session-Id = "FF16033A68044B3E-58E08F2A" Called-Station-Id = "DSL_MAX2" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { [subrealm] expand: %{Realm} -> ++[subrealm] = noop regards Olivier 2017-04-01 10:36 GMT+02:00 Brian Candler <b.candler@pobox.com>:
On 01/04/2017 05:02, Olivier CALVANO wrote:
No change, that's don't work.
How can I display the value of Tmp-String-0 in logs?
Show your freeradius -X to see where your subrealm module is being invoked at the time of processing the query (i.e. in the authorize section)
To debug a variable I usually use
update {
Tmp-String-9 := "%{....expression....}"
}
but I expect there's a better way...
You'll need to have "suffix" called first to create the Realm VSA. On 2/04/2017 17:48, "Olivier CALVANO" <o.calvano@gmail.com> wrote:
Hi
he load it:
including configuration file /etc/raddb/modules/subrealm
Module: Linked to module rlm_files Module: Instantiating module "subrealm" from file /etc/raddb/modules/subrealm files subrealm { compat = "cistron" key = "%{Realm}" }
and after, at each access-request:
rad_recv: Access-Request packet from host 172.16.1.1 port 51414, id=86, length=211 Proxy-State = 0x5b10bf10 User-Name = "marcy@network.local" CHAP-Password = 0x0162b20e59a93138e04d1e5e0a2cde4914 CHAP-Challenge = 0xd0a340b8d4f91cb2bdf855403e0f27bb NAS-Identifier = "LOC4156D" NAS-IP-Address = 192.168.1.1 NAS-Port = 2533641022 NAS-Port-Type = ADSL-DMT Calling-Station-Id = "atm!16/22:8.35" Acct-Session-Id = "FF16033A68044B3E-58E08F2A" Called-Station-Id = "DSL_MAX2" # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { [subrealm] expand: %{Realm} -> ++[subrealm] = noop
regards Olivier
2017-04-01 10:36 GMT+02:00 Brian Candler <b.candler@pobox.com>:
On 01/04/2017 05:02, Olivier CALVANO wrote:
No change, that's don't work.
How can I display the value of Tmp-String-0 in logs?
Show your freeradius -X to see where your subrealm module is being invoked at the time of processing the query (i.e. in the authorize section)
To debug a variable I usually use
update {
Tmp-String-9 := "%{....expression....}"
}
but I expect there's a better way...
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Ok, i put suffix before subrealm and:
[suffix] Looking up realm "network.local" for User-Name = "
marcy@network.local"
[suffix] No such realm "network.local"
++[suffix] = noop
[subrealm] expand: %{Realm} ->
++[subrealm] = noop
It did not succeed to extract the realm no ?
2017-04-02 8:23 GMT+02:00 Peter Lambrechtsen <peter@crypt.nz>:
> You'll need to have "suffix" called first to create the Realm VSA.
>
> On 2/04/2017 17:48, "Olivier CALVANO" <o.calvano@gmail.com> wrote:
>
> > Hi
> >
> > he load it:
> >
> > including configuration file /etc/raddb/modules/subrealm
> >
> > Module: Linked to module rlm_files
> > Module: Instantiating module "subrealm" from file
> > /etc/raddb/modules/subrealm
> > files subrealm {
> > compat = "cistron"
> > key = "%{Realm}"
> > }
> >
> > and after, at each access-request:
> >
> > rad_recv: Access-Request packet from host 172.16.1.1 port 51414, id=86,
> > length=211
> > Proxy-State = 0x5b10bf10
> > User-Name = "marcy@network.local"
> > CHAP-Password = 0x0162b20e59a93138e04d1e5e0a2cde4914
> > CHAP-Challenge = 0xd0a340b8d4f91cb2bdf855403e0f27bb
> > NAS-Identifier = "LOC4156D"
> > NAS-IP-Address = 192.168.1.1
> > NAS-Port = 2533641022
> > NAS-Port-Type = ADSL-DMT
> > Calling-Station-Id = "atm!16/22:8.35"
> > Acct-Session-Id = "FF16033A68044B3E-58E08F2A"
> > Called-Station-Id = "DSL_MAX2"
> > # Executing section authorize from file /etc/raddb/sites-enabled/default
> > +group authorize {
> > [subrealm] expand: %{Realm} ->
> > ++[subrealm] = noop
> >
> >
> > regards
> > Olivier
> >
> > 2017-04-01 10:36 GMT+02:00 Brian Candler <b.candler@pobox.com>:
> >
> > > On 01/04/2017 05:02, Olivier CALVANO wrote:
> > >
> > >
> > > No change, that's don't work.
> > >
> > > How can I display the value of Tmp-String-0 in logs?
> > >
> > > Show your freeradius -X to see where your subrealm module is being
> > invoked
> > > at the time of processing the query (i.e. in the authorize section)
> > >
> > > To debug a variable I usually use
> > >
> > > update {
> > >
> > > Tmp-String-9 := "%{....expression....}"
> > >
> > > }
> > >
> > > but I expect there's a better way...
> > >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> > list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>
On 02/04/2017 08:23, Olivier CALVANO wrote:
Ok, i put suffix before subrealm and:
[suffix] Looking up realm "network.local" for User-Name = " marcy@network.local" [suffix] No such realm "network.local" ++[suffix] = noop [subrealm] expand: %{Realm} -> ++[subrealm] = noop
It did not succeed to extract the realm no ?
Yeah, it's not quite as simple as that. http://freeradius.org/radiusd/man/rlm_realm.html It doesn't just split the user name into user name and realm; it also has to find the realm in proxy.conf before it will accept it. This is probably not what you want if all you want to do is split the username, and are not interested in proxying. Maybe you'd be better off splitting it with a regexp. Something like: if (&User-Name =~ /^(.+)@(.+)$/) { update request { &Realm := "%{2}" subrealm } else { reject } }
participants (4)
-
Brian Candler -
Matthew Newton -
Olivier CALVANO -
Peter Lambrechtsen