Semantics of !~ operator
Hi! I don't quite understand the semantics of !~. So far I though it would be the negated result of =~, i.e. if (a =~ b) is true (a !~ b) is false and v.v. But that doesn't seem to be the case. If I add this in the beginning of the users file (extract starting at line no. 6) DEFAULT Reply-Message += "Realm is %{Realm}", Fall-Through = Yes DEFAULT Realm =~ example.com|NULL Reply-Message += "Internal User", Fall-Through = Yes DEFAULT Realm !~ example.com|NULL Reply-Message += "External User", Fall-Through = Yes it works correctly for a user name test or test@example.com: (106) files : users: Matched entry DEFAULT at line 6 (106) files : EXPAND Realm is %{Realm} (106) files : --> Realm is example.com (106) files : users: Matched entry DEFAULT at line 10 ... (106) Reply: Reply-Message = 'Realm is example.com' Reply-Message = 'Internal User' (140) files : users: Matched entry DEFAULT at line 6 (140) files : EXPAND Realm is %{Realm} (140) files : --> Realm is NULL (140) files : users: Matched entry DEFAULT at line 10 ... Reply-Message = 'Realm is NULL' Reply-Message = 'Internal User' But it never gets the !~ (line 47 is a later rule in the users file): (191) files : users: Matched entry DEFAULT at line 6 (191) files : EXPAND Realm is %{Realm} (191) files : --> Realm is DEFAULT (191) files : users: Matched entry DEFAULT at line 47 ... So it seems the !~ never matches. That is kind of unexpected and doesn't make sense to me. Is that a bug or am I missing something? Thanks, Gerald
On Apr 24, 2015, at 1:14 AM, Gerald Vogt <vogt@spamcop.net> wrote:
I don't quite understand the semantics of !~. So far I though it would be the negated result of =~, i.e. if (a =~ b) is true (a !~ b) is false and v.v.
It's supposed to be. If this is for version 2, we should take a look at fixing it. If it's for v3, regexes no longer work in the "users" file. Alan DeKok.
On 24.04.15 13:58, Alan DeKok wrote:
On Apr 24, 2015, at 1:14 AM, Gerald Vogt <vogt@spamcop.net> wrote:
I don't quite understand the semantics of !~. So far I though it would be the negated result of =~, i.e. if (a =~ b) is true (a !~ b) is false and v.v.
It's supposed to be. If this is for version 2, we should take a look at fixing it.
If it's for v3, regexes no longer work in the "users" file.
Interesting. I am using FreeRADIUS 3.0.4 on CentOS 7 and it's still in the manual page. Should there be an error message if it doesn't work? And why is it working with =~ then? I am using regexes a lot in my users file. What would be the indented way to do the same without regexes? I currently use regexes to check the realm if it is my own "Realm =~ example.com|NULL" and also to check for the SSID to which a user connects to on my wifi: e.g., "Called-Station-Id =~ "[-A-Fa-f0-9]+:eduroam$" as the controller puts the MAC address of the access point before the SSID. So how do I check that instead now without regexes in the users file? Thanks, Gerald
On Apr 24, 2015, at 8:20 AM, Gerald Vogt <vogt@spamcop.net> wrote:
Interesting. I am using FreeRADIUS 3.0.4 on CentOS 7 and it's still in the manual page. Should there be an error message if it doesn't work? And why is it working with =~ then?
Accident. It's been removed in later releases.
I am using regexes a lot in my users file. What would be the indented way to do the same without regexes? I currently use regexes to check the realm if it is my own "Realm =~ example.com|NULL" and also to check for the SSID to which a user connects to on my wifi: e.g., "Called-Station-Id =~ "[-A-Fa-f0-9]+:eduroam$" as the controller puts the MAC address of the access point before the SSID.
So how do I check that instead now without regexes in the users file?
$ man unlang The "users" file contains *simple* policies. Unlang can do policies of any complexity. Alan DeKok.
On 24.04.15 14:45, Alan DeKok wrote:
On Apr 24, 2015, at 8:20 AM, Gerald Vogt <vogt@spamcop.net> wrote:
I am using regexes a lot in my users file. What would be the indented way to do the same without regexes? I currently use regexes to check the realm if it is my own "Realm =~ example.com|NULL" and also to check for the SSID to which a user connects to on my wifi: e.g., "Called-Station-Id =~ "[-A-Fa-f0-9]+:eduroam$" as the controller puts the MAC address of the access point before the SSID.
So how do I check that instead now without regexes in the users file?
$ man unlang
The "users" file contains *simple* policies. Unlang can do policies of any complexity.
I know that. I just would like to have an experts opinion on what the best approach would be.
From the top of my head I could think of either rewriting the whole users file in unlang and put everything into the authorize sections of the default and inner-tunnel and wherever else "files" was referenced. That, however, seems like the overkill.
So, it would seem more reasonable to keep the users file and instead extract the SSID from the Called-Station-Id and create a "local variable" which holds the SSID and also a flag whether the realm is "local" (i.e. my domain or none aka NULL). However, if I understand the unlang man page correctly, there is nothing like a "local variable" but only attributes defined in dictionaries and either "abusing" an existing attribute or defining my own attribute seems rather odd to me. Thus, conceptionally: what would be the best approach to get those policies working again the way they worked in v2? Thanks, Gerald
On Apr 24, 2015, at 9:33 AM, Gerald Vogt <vogt@spamcop.net> wrote:
I know that. I just would like to have an experts opinion on what the best approach would be.
It's best to keep changes simple/
From the top of my head I could think of either rewriting the whole users file in unlang and put everything into the authorize sections of the default and inner-tunnel and wherever else "files" was referenced. That, however, seems like the overkill.
Maybe. It's largely up to you.
So, it would seem more reasonable to keep the users file and instead extract the SSID from the Called-Station-Id and create a "local variable" which holds the SSID and also a flag whether the realm is "local" (i.e. my domain or none aka NULL). However, if I understand the unlang man page correctly, there is nothing like a "local variable" but only attributes defined in dictionaries and either "abusing" an existing attribute or defining my own attribute seems rather odd to me.
The "local attribute" is intended for this exact purpose. To create policies which are applicable to you, and no one else.
Thus, conceptionally: what would be the best approach to get those policies working again the way they worked in v2?
Do the complex things in unlang, and the simple things in the "users" file. Alan DeKok.
Thus, conception ally: what would be the best approach to get those policies working again the way they worked in v2?
Just to follow up on what Alan says, you don't have to shove a bunch of unlang into the section either. I'm sure you know about policy.d :-) With Regards Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
Thanks for the tips. So here is what I have done now to get rid of those regexes in the users file: 1. added local/private attributes to hold the information I need in /etc/raddb/dictionary ATTRIBUTE Local-SSID 3000 string 2. added a file policy.d/ssid to extract the SSID from the Called-Station-Id attribute as sent by my controller: ssid { if ( Called-Station-Id ) { if ( Called-Station-Id =~ /^[-A-Fa-f0-9]+:(.*)$/ ) { update { Local-SSID = "%{1}" } } } } 3. Then add a call ssid before files in the authorize section of the sites-enabled/default and sites-enabled/inner-tunnel files, ... authorize { ... ssid files ... 4. and now I can use the attribute Local-SSID with simple == and != operators in the users file, e.g. DEFAULT Local-SSID == "eduroam" Reply-Message += "Welcome to eduroam" Fall-Through = Yes Please let me know if someone thinks I did something fundamentally wrong with this kind of set up. As far as I have tested this it works as intended. Thanks, Gerald On 24/04/15 22:00, Stefan Paetow wrote:
Thus, conception ally: what would be the best approach to get those policies working again the way they worked in v2?
Just to follow up on what Alan says, you don't have to shove a bunch of unlang into the section either. I'm sure you know about policy.d :-)
With Regards
Stefan Paetow Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ssid { if ( Called-Station-Id ) { if ( Called-Station-Id =~ /^[-A-Fa-f0-9]+:(.*)$/ ) { update { Local-SSID = "%{1}" } } } }
A similar policy already exists in policy.d Calling-Station-SSID is already defined.
3. Then add a call ssid before files in the authorize section of the sites-enabled/default and sites-enabled/inner-tunnel files,
... authorize { ... ssid files ...
4. and now I can use the attribute Local-SSID with simple == and != operators in the users file, e.g.
DEFAULT Local-SSID == "eduroam" Reply-Message += "Welcome to eduroam" Fall-Through = Yes
Please let me know if someone thinks I did something fundamentally wrong with this kind of set up. As far as I have tested this it works as intended.
No, that looks fine.
On 28/04/15 09:06, Arran Cudbard-Bell wrote:
ssid { if ( Called-Station-Id ) { if ( Called-Station-Id =~ /^[-A-Fa-f0-9]+:(.*)$/ ) { update { Local-SSID = "%{1}" } } } }
A similar policy already exists in policy.d Calling-Station-SSID is already defined.
I found rewrite_called_station_id which does what I need. However, it modifies Called-Station-Id and removes the SSID from the attribute. Now Called-Station-Id is copied from the outer eap into the inner eap tunnel. Called-Station-SSID is not copied, i.e. I don't have the SSID in the inner tunnel. How can modify, which attributes are copied from the outer eap into the inner tunnel? Or how do I get the Called-Station-SSID into the inner tunnel? Thanks, Gerald
On 28 Apr 2015, at 08:52, Gerald Vogt <vogt@spamcop.net> wrote:
On 28/04/15 09:06, Arran Cudbard-Bell wrote:
ssid { if ( Called-Station-Id ) { if ( Called-Station-Id =~ /^[-A-Fa-f0-9]+:(.*)$/ ) { update { Local-SSID = "%{1}" } } } }
A similar policy already exists in policy.d Calling-Station-SSID is already defined.
I found rewrite_called_station_id which does what I need. However, it modifies Called-Station-Id and removes the SSID from the attribute. Now Called-Station-Id is copied from the outer eap into the inner eap tunnel. Called-Station-SSID is not copied, i.e. I don't have the SSID in the inner tunnel.
How can modify, which attributes are copied from the outer eap into the inner tunnel? Or how do I get the Called-Station-SSID into the inner tunnel?
update request { Called-Station-SSID := &outer.Called-Station-SSID } Not sure why it's not copied. Non protocol attributes should be forwarded when proxying to virtual servers. It's only when the request needs to be translated back to a RADIUS packet that they should be stripped. Feel free to open an issue on the github tracker. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 28/04/15 10:31, Arran Cudbard-Bell wrote:
On 28 Apr 2015, at 08:52, Gerald Vogt <vogt@spamcop.net> wrote:
On 28/04/15 09:06, Arran Cudbard-Bell wrote:
ssid { if ( Called-Station-Id ) { if ( Called-Station-Id =~ /^[-A-Fa-f0-9]+:(.*)$/ ) { update { Local-SSID = "%{1}" } } } }
A similar policy already exists in policy.d Calling-Station-SSID is already defined.
I found rewrite_called_station_id which does what I need. However, it modifies Called-Station-Id and removes the SSID from the attribute. Now Called-Station-Id is copied from the outer eap into the inner eap tunnel. Called-Station-SSID is not copied, i.e. I don't have the SSID in the inner tunnel.
How can modify, which attributes are copied from the outer eap into the inner tunnel? Or how do I get the Called-Station-SSID into the inner tunnel?
update request { Called-Station-SSID := &outer.Called-Station-SSID }
I tried that but it doesn't work. I call rewrite_called_station_id after suffix in the authorize section of the default server. I can see it sets Called-Station-SSID correctly. In the inner-tunnel I have added those three lines in the beginning of the authorize section but that doesn't do anything: (10) authorize { (10) update request { (10) } # update request = noop If I replace &outer.Called-Station-SSID with "MYSSID" it works. So I guess this means &outer.Called-Station-SSID is not set/seen in the inner tunnel.. Thanks, Gerald
On 28 Apr 2015, at 10:01, Gerald Vogt <vogt@spamcop.net> wrote:
On 28/04/15 10:31, Arran Cudbard-Bell wrote:
On 28 Apr 2015, at 08:52, Gerald Vogt <vogt@spamcop.net> wrote:
On 28/04/15 09:06, Arran Cudbard-Bell wrote:
ssid { if ( Called-Station-Id ) { if ( Called-Station-Id =~ /^[-A-Fa-f0-9]+:(.*)$/ ) { update { Local-SSID = "%{1}" } } } }
A similar policy already exists in policy.d Calling-Station-SSID is already defined.
I found rewrite_called_station_id which does what I need. However, it modifies Called-Station-Id and removes the SSID from the attribute. Now Called-Station-Id is copied from the outer eap into the inner eap tunnel. Called-Station-SSID is not copied, i.e. I don't have the SSID in the inner tunnel.
How can modify, which attributes are copied from the outer eap into the inner tunnel? Or how do I get the Called-Station-SSID into the inner tunnel?
update request { Called-Station-SSID := &outer.Called-Station-SSID }
I tried that but it doesn't work.
I call rewrite_called_station_id after suffix in the authorize section of the default server. I can see it sets Called-Station-SSID correctly.
Mind posting all the debug output? Unless it's super secret... Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
debug output is usually so long... The inner-tunnel contains these three lines at the beginning of the authorize section: update request { Called-Station-SSID := &outer.Called-Station-SSID } This is debug output of one request until before the inner eap. I suppose it contains everything to show that the copy doesn't work... Thanks, Gerald Received Access-Request Id 10 from 10.25.10.6:60617 to 10.25.10.7:1812 length 306 User-Name = 'anonymous@example.com' Calling-Station-Id = '02-00-00-00-00-01' Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = 'CONNECT 11Mbps 802.11b' Called-Station-Id = '11-22-33-44-55-66:MYSSID' NAS-IP-Address = 10.25.1.111 EAP-Message = 0x020a009019001703010020327cb8ccaeb663dd0545468e976f6b48440f9c8a24977e16ac9f6b8514ac61961703010060f6103fe7b84b1b708659f1be9b97a9d02c65ec8c22b6db21c119fdd81f9a86d564312fc6938adcbd8d2d72230e184fec81384b2f636bfa901cd5b6692c6aa3989aab4454893f8a23af84eee42ffc91ab4bbf01d4b5d65a2096c664567326d375 State = 0xacb99350a5b38a32e0f8f7523b6eb4d6 Message-Authenticator = 0x500c99f6b6d81d53c6c6d903f716c627 (10) Received Access-Request packet from host 10.25.10.6 port 60617, id=10, length=306 (10) User-Name = 'anonymous@example.com' (10) Calling-Station-Id = '02-00-00-00-00-01' (10) Framed-MTU = 1400 (10) NAS-Port-Type = Wireless-802.11 (10) Connect-Info = 'CONNECT 11Mbps 802.11b' (10) Called-Station-Id = '11-22-33-44-55-66:MYSSID' (10) NAS-IP-Address = 10.25.1.111 (10) EAP-Message = 0x020a009019001703010020327cb8ccaeb663dd0545468e976f6b48440f9c8a24977e16ac9f6b8514ac61961703010060f6103fe7b84b1b708659f1be9b97a9d02c65ec8c22b6db21c119fdd81f9a86d564312fc6938adcbd8d2d72230e184fec81384b2f636bfa901cd5b6692c6aa3989aab4454893f8a23af84eee42ffc91ab4bbf01d4b5d65a2096c664567326d375 (10) State = 0xacb99350a5b38a32e0f8f7523b6eb4d6 (10) Message-Authenticator = 0x500c99f6b6d81d53c6c6d903f716c627 (10) # Executing section authorize from file /etc/raddb/sites-enabled/default (10) authorize { (10) filter_username filter_username { (10) if (!&User-Name) (10) if (!&User-Name) -> FALSE (10) if (&User-Name =~ / /) (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@.*@/ ) (10) if (&User-Name =~ /@.*@/ ) -> FALSE (10) if (&User-Name =~ /\\.\\./ ) (10) if (&User-Name =~ /\\.\\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\\.$/) (10) if (&User-Name =~ /\\.$/) -> FALSE (10) if (&User-Name =~ /@\\./) (10) if (&User-Name =~ /@\\./) -> FALSE (10) } # filter_username filter_username = notfound (10) [preprocess] = ok (10) auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (10) auth_log : --> /var/log/radius/radacct/10.25.10.6/auth-detail-20150428 (10) auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.25.10.6/auth-detail-20150428 (10) auth_log : EXPAND %t (10) auth_log : --> Tue Apr 28 10:55:40 2015 (10) [auth_log] = ok (10) [chap] = noop (10) [mschap] = noop (10) suffix : Checking for suffix after "@" (10) suffix : Looking up realm "example.com" for User-Name = "anonymous@example.com" (10) suffix : Found realm "example.com" (10) suffix : Adding Stripped-User-Name = "anonymous" (10) suffix : Adding Realm = "example.com" (10) suffix : Authentication realm is LOCAL (10) [suffix] = ok (10) rewrite_called_station_id rewrite_called_station_id { (10) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) (10) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE (10) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) { (10) update request { (10) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (10) --> 11-22-33-44-55-66 (10) Called-Station-Id := "11-22-33-44-55-66" (10) } # update request = noop (10) if ("%{8}") (10) EXPAND %{8} (10) --> MYSSID (10) if ("%{8}") -> TRUE (10) if ("%{8}") { (10) update request { (10) EXPAND %{8} (10) --> MYSSID (10) Called-Station-SSID := "MYSSID" (10) } # update request = noop (10) } # if ("%{8}") = noop (10) [updated] = updated (10) } # if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) = updated (10) ... skipping else for request 10: Preceding "if" was taken (10) } # rewrite_called_station_id rewrite_called_station_id = updated (10) if ( Huntgroup-Name == "wlan" ) (10) if ( Huntgroup-Name == "wlan" ) -> TRUE (10) if ( Huntgroup-Name == "wlan" ) { (10) if ( Called-Station-SSID ) (10) if ( Called-Station-SSID ) -> TRUE (10) if ( Called-Station-SSID ) { (10) if ( Called-Station-SSID == "eduroam" && Realm == "NULL" ) (10) if ( Called-Station-SSID == "eduroam" && Realm == "NULL" ) -> FALSE (10) elsif ( Called-Station-SSID == "MYSSID" && Realm != "NULL" && Realm != "example.com" ) (10) elsif ( Called-Station-SSID == "MYSSID" && Realm != "NULL" && Realm != "example.com" ) -> FALSE (10) } # if ( Called-Station-SSID ) = updated (10) ... skipping else for request 10: Preceding "if" was taken (10) } # if ( Huntgroup-Name == "wlan" ) = updated (10) ... skipping elsif for request 10: Preceding "if" was taken (10) eap : Peer sent code Response (2) ID 10 length 144 (10) eap : Continuing tunnel setup (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = EAP (10) # Executing group from file /etc/raddb/sites-enabled/default (10) authenticate { (10) eap : Expiring EAP session with state 0x590f140159050ed0 (10) eap : Finished EAP session with state 0xacb99350a5b38a32 (10) eap : Previous EAP request found for state 0xacb99350a5b38a32, released from the list (10) eap : Peer sent method PEAP (25) (10) eap : EAP PEAP (25) (10) eap : Calling eap_peap to process EAP data (10) eap_peap : processing EAP-TLS (10) eap_peap : eaptls_verify returned 7 (10) eap_peap : Done initial handshake (10) eap_peap : eaptls_process returned 7 (10) eap_peap : FR_TLS_OK (10) eap_peap : Session established. Decoding tunneled attributes (10) eap_peap : Peap state phase2 (10) eap_peap : EAP type MSCHAPv2 (26) (10) eap_peap : Got tunneled request EAP-Message = 0x020a004a1a020a004531b63db2cae3124f4e1093319503802a3e00000000000000007f33f75b68d57a06cc7bce81a291765e6832849db44cdc7b006b32303230383140646b727a2e6465 server default { (10) eap_peap : Setting User-Name to gerald@example.com Sending tunneled request EAP-Message = 0x020a004a1a020a004531b63db2cae3124f4e1093319503802a3e00000000000000007f33f75b68d57a06cc7bce81a291765e6832849db44cdc7b006b32303230383140646b727a2e6465 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'gerald@example.com' State = 0x590f140159050ed009dc274a52ff2d37 Calling-Station-Id = '02-00-00-00-00-01' Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = 'CONNECT 11Mbps 802.11b' NAS-IP-Address = 10.25.1.111 Event-Timestamp = 'Apr 28 2015 10:55:40 CEST' Called-Station-Id := '11-22-33-44-55-66' server inner-tunnel { (10) server inner-tunnel { (10) Request: EAP-Message = 0x020a004a1a020a004531b63db2cae3124f4e1093319503802a3e00000000000000007f33f75b68d57a06cc7bce81a291765e6832849db44cdc7b006b32303230383140646b727a2e6465 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'gerald@example.com' State = 0x590f140159050ed009dc274a52ff2d37 Calling-Station-Id = '02-00-00-00-00-01' Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = 'CONNECT 11Mbps 802.11b' NAS-IP-Address = 10.25.1.111 Event-Timestamp = 'Apr 28 2015 10:55:40 CEST' Called-Station-Id := '11-22-33-44-55-66' (10) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (10) authorize { (10) update request { (10) } # update request = noop (10) [preprocess] = ok (10) auth_inner_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-inner-detail-%Y%m%d (10) auth_inner_log : --> /var/log/radius/radacct/10.25.10.6/auth-inner-detail-20150428 (10) auth_inner_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-inner-detail-%Y%m%d expands to /var/log/radius/radacct/10.25.10.6/auth-inner-detail-20150428 (10) auth_inner_log : EXPAND %t (10) auth_inner_log : --> Tue Apr 28 10:55:40 2015 (10) [auth_inner_log] = ok (10) [chap] = noop (10) [mschap] = noop (10) suffix : Checking for suffix after "@" (10) suffix : Looking up realm "example.com" for User-Name = "gerald@example.com" (10) suffix : Found realm "example.com" (10) suffix : Adding Stripped-User-Name = "gerald" (10) suffix : Adding Realm = "example.com" (10) suffix : Authentication realm is LOCAL (10) [suffix] = ok (10) update control { (10) Proxy-To-Realm := 'LOCAL' (10) } # update control = noop On 28/04/15 11:09, Arran Cudbard-Bell wrote:
update request { Called-Station-SSID := &outer.Called-Station-SSID }
I tried that but it doesn't work.
I call rewrite_called_station_id after suffix in the authorize section of the default server. I can see it sets Called-Station-SSID correctly.
Mind posting all the debug output? Unless it's super secret...
On 28-04-15 11:28, Gerald Vogt wrote:
debug output is usually so long...
The inner-tunnel contains these three lines at the beginning of the authorize section:
update request { Called-Station-SSID := &outer.Called-Station-SSID }
This is debug output of one request until before the inner eap. I suppose it contains everything to show that the copy doesn't work...
I've always used the following syntax: update request { Called-Station-SSID := &outer.request:Called-Station-SSID } Mind the extra "request:" -- Herwin Weststrate
On 28 Apr 2015, at 10:36, Herwin Weststrate <herwin@quarantainenet.nl> wrote:
On 28-04-15 11:28, Gerald Vogt wrote:
debug output is usually so long...
The inner-tunnel contains these three lines at the beginning of the authorize section:
update request { Called-Station-SSID := &outer.Called-Station-SSID }
This is debug output of one request until before the inner eap. I suppose it contains everything to show that the copy doesn't work...
I've always used the following syntax:
update request { Called-Station-SSID := &outer.request:Called-Station-SSID }
Mind the extra "request:"
It shouldn't matter, the default list should be request. If outer.Called-Station-SSID doesn't work and outer.request:Called-Station-SSID doesn't, then it's a bug. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 28 Apr 2015, at 11:09, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 28 Apr 2015, at 10:36, Herwin Weststrate <herwin@quarantainenet.nl> wrote:
On 28-04-15 11:28, Gerald Vogt wrote:
debug output is usually so long...
The inner-tunnel contains these three lines at the beginning of the authorize section:
update request { Called-Station-SSID := &outer.Called-Station-SSID }
This is debug output of one request until before the inner eap. I suppose it contains everything to show that the copy doesn't work...
I've always used the following syntax:
update request { Called-Station-SSID := &outer.request:Called-Station-SSID }
Mind the extra "request:"
It shouldn't matter, the default list should be request.
If outer.Called-Station-SSID doesn't work and outer.request:Called-Station-SSID doesn't, then it's a bug.
*does Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 28/04/15 12:09, Arran Cudbard-Bell wrote:
On 28 Apr 2015, at 10:36, Herwin Weststrate <herwin@quarantainenet.nl> wrote:
On 28-04-15 11:28, Gerald Vogt wrote:
debug output is usually so long...
The inner-tunnel contains these three lines at the beginning of the authorize section:
update request { Called-Station-SSID := &outer.Called-Station-SSID }
This is debug output of one request until before the inner eap. I suppose it contains everything to show that the copy doesn't work...
I've always used the following syntax:
update request { Called-Station-SSID := &outer.request:Called-Station-SSID }
Mind the extra "request:"
It shouldn't matter, the default list should be request.
If outer.Called-Station-SSID doesn't work and outer.request:Called-Station-SSID doesn't, then it's a bug.
Both outer.Called-Station-SSID and outer.request:Called-Station-SSID show the same when used in the above "update request" section. I don't get the SSID into the inner tunnel. So any other idea how to get this attribute from the default server into the inner tunnel?? Thanks, Gerald On a sidenote: looking at RFC 3580 I have noticed that rewrite_called_station_id is not following the RFC recommendation. The RFC says: 3.20. Called-Station-Id For IEEE 802.1X Authenticators, this attribute is used to store the bridge or Access Point MAC address in ASCII format (upper case only), with octet values separated by a "-". Example: "00-10-A4-23-19-C0". In IEEE 802.11, where the SSID is known, it SHOULD be appended to the Access Point MAC address, separated from the MAC address with a ":". Example "00-10-A4-23-19-C0:AP1". Thus stripping the SSID from Called-Station-Id is not what is recommended as "SHOULD". And I don't really see "valid reasons in particular circumstances to ignore" this recommendation either. IMHO, rewrite_called_station_id should keep the SSID in place.
On Apr 28, 2015, at 7:13 AM, Gerald Vogt <vogt@spamcop.net> wrote:
Both outer.Called-Station-SSID and outer.request:Called-Station-SSID show the same when used in the above "update request" section. I don't get the SSID into the inner tunnel.
So any other idea how to get this attribute from the default server into the inner tunnel??
The "update" should work. If it doesn't work, it's because the outer:Called-Station-SSID doesn't exist. Reading the debug log should tell you this. Either the Called-Station-Id attribute doesn't exist outside of the tunnel, OR the policy to create Called-Station-SSID isn't called from outside of the tunnel. You can always copy the Called-Station-Id from "outer" to the tunnel. Then, run the "create SSID" policy there. Alan DeKok.
On 28/04/15 13:18, Alan DeKok wrote:
On Apr 28, 2015, at 7:13 AM, Gerald Vogt <vogt@spamcop.net> wrote:
Both outer.Called-Station-SSID and outer.request:Called-Station-SSID show the same when used in the above "update request" section. I don't get the SSID into the inner tunnel.
So any other idea how to get this attribute from the default server into the inner tunnel??
The "update" should work. If it doesn't work, it's because the outer:Called-Station-SSID doesn't exist. Reading the debug log should tell you this. Either the Called-Station-Id attribute doesn't exist outside of the tunnel, OR the policy to create Called-Station-SSID isn't called from outside of the tunnel.
See <553F52A9.8090106@spamcop.net> The default server has the Called-Station-Id attribute, it does correctly extract the SSID from the Id and it correctly puts it into the Called-Station-SSID. I even do some checks in unlang based on that SSID in the outer server and they show results as expected. So I suppose in that context the attribute exists. But it doesn't go into the inner tunnel. Neither by means of the eap module copy_request_to_tunnel=yes nor by the added "update request" in the inner tunnel. So I really would like to understand why it doesn't work here...
You can always copy the Called-Station-Id from "outer" to the tunnel.
Yes. I know that. That's how I did it in the beginning. My own "ssid" policy does not modify Called-Station-Id and thus I could extract the SSID in the inner tunnel as well. But then I was pointed to the "predefined" rewrite_called_station_id which basically does the same except it strips the SSID from Called-Station-Id causing this "problem". I can do my own policy but generally I prefer to use what's already there instead of reinventing the wheel... Thanks, -Gerald
Then, run the "create SSID" policy there.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 28, 2015, at 7:36 AM, Gerald Vogt <vogt@spamcop.net> wrote:
The default server has the Called-Station-Id attribute, it does correctly extract the SSID from the Id and it correctly puts it into the Called-Station-SSID. I even do some checks in unlang based on that SSID in the outer server and they show results as expected.
Hmm... the TTLS / PEAP code only copies over RADIUS *protocol* attributes. It doesn't copy anything else. I suppose that should be documented better.
So I suppose in that context the attribute exists. But it doesn't go into the inner tunnel. Neither by means of the eap module copy_request_to_tunnel=yes nor by the added "update request" in the inner tunnel.
You should be able to do: update request { Called-Station-SSID := &outer.request:Called-Station-SSID } If that doesn't work, it's likely a bug.
Yes. I know that. That's how I did it in the beginning. My own "ssid" policy does not modify Called-Station-Id and thus I could extract the SSID in the inner tunnel as well.
Just run the policy in the inner tunnel, not the outer one. Alan DeKok.
On 28/04/15 14:07, Alan DeKok wrote:
On Apr 28, 2015, at 7:36 AM, Gerald Vogt <vogt@spamcop.net> wrote:
The default server has the Called-Station-Id attribute, it does correctly extract the SSID from the Id and it correctly puts it into the Called-Station-SSID. I even do some checks in unlang based on that SSID in the outer server and they show results as expected.
Hmm... the TTLS / PEAP code only copies over RADIUS *protocol* attributes. It doesn't copy anything else. I suppose that should be documented better.
So I suppose in that context the attribute exists. But it doesn't go into the inner tunnel. Neither by means of the eap module copy_request_to_tunnel=yes nor by the added "update request" in the inner tunnel.
You should be able to do:
update request { Called-Station-SSID := &outer.request:Called-Station-SSID }
It doesn't work. I have tried that and update request { Called-Station-SSID := &outer.Called-Station-SSID } at the beginning of the inner-tunnel authorize section and neither gets any value in the inner tunnel.
If that doesn't work, it's likely a bug.
So it's a bug, I guess.
Yes. I know that. That's how I did it in the beginning. My own "ssid" policy does not modify Called-Station-Id and thus I could extract the SSID in the inner tunnel as well.
Just run the policy in the inner tunnel, not the outer one.
I need the SSID in the outer server, too. So I guess it's back to square one and I better use my own policy which simply extracts the SSID. That policy I can use on both servers... -Gerald
I reverted everything back to my own ssid policy but now tried the following at the beginning of the inner-tunnel authorize section: --- /etc/raddb/sites-enabled/inner-tunnel Mon Apr 27 15:08:31 2015 +++ /etc/raddb/sites-enabled/inner-tunnel Tue Apr 28 14:52:09 2015 @@ -46,6 +46,9 @@ # Make *sure* that 'preprocess' comes before any realm if you # need to setup hints for the remote radius server authorize { + update request { + Local-SSID := "%{outer.request:Local-SSID}" + } and that works: (11) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (11) authorize { (11) update request { (11) EXPAND %{outer.request:Local-SSID} (11) --> MYSSID (11) Local-SSID := "MYSSID" (11) } # update request = noop So I guess that should also work with Called-Station-SSID. Any insights? -Gerald On 28/04/15 14:43, Gerald Vogt wrote:
On 28/04/15 14:07, Alan DeKok wrote:
On Apr 28, 2015, at 7:36 AM, Gerald Vogt <vogt@spamcop.net> wrote:
The default server has the Called-Station-Id attribute, it does correctly extract the SSID from the Id and it correctly puts it into the Called-Station-SSID. I even do some checks in unlang based on that SSID in the outer server and they show results as expected.
Hmm... the TTLS / PEAP code only copies over RADIUS *protocol* attributes. It doesn't copy anything else. I suppose that should be documented better.
So I suppose in that context the attribute exists. But it doesn't go into the inner tunnel. Neither by means of the eap module copy_request_to_tunnel=yes nor by the added "update request" in the inner tunnel.
You should be able to do:
update request { Called-Station-SSID := &outer.request:Called-Station-SSID }
It doesn't work. I have tried that and
update request { Called-Station-SSID := &outer.Called-Station-SSID }
at the beginning of the inner-tunnel authorize section and neither gets any value in the inner tunnel.
If that doesn't work, it's likely a bug.
So it's a bug, I guess.
Yes. I know that. That's how I did it in the beginning. My own "ssid" policy does not modify Called-Station-Id and thus I could extract the SSID in the inner tunnel as well.
Just run the policy in the inner tunnel, not the outer one.
I need the SSID in the outer server, too. So I guess it's back to square one and I better use my own policy which simply extracts the SSID. That policy I can use on both servers...
-Gerald - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 28, 2015, at 8:56 AM, Gerald Vogt <vogt@spamcop.net> wrote:
and that works:
(11) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (11) authorize { (11) update request { (11) EXPAND %{outer.request:Local-SSID} (11) --> MYSSID (11) Local-SSID := "MYSSID" (11) } # update request = noop
So I guess that should also work with Called-Station-SSID.
Any insights?
From 6 lines of debug output? Nope. Alan DeKok.
On 28.04.15 15:59, Alan DeKok wrote:
On Apr 28, 2015, at 8:56 AM, Gerald Vogt <vogt@spamcop.net> wrote:
and that works:
(11) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (11) authorize { (11) update request { (11) EXPAND %{outer.request:Local-SSID} (11) --> MYSSID (11) Local-SSID := "MYSSID" (11) } # update request = noop
So I guess that should also work with Called-Station-SSID.
Any insights?
From 6 lines of debug output?
Yes. The 6th line says it assigned it. Unlike in all tests before where the 7th line always followed the 3rd line in debug output. Do you need me to test it with Called-Station-SSID as well to verify that this syntax works unlike the other? -Gerald
Nope.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Do you need me to test it with Called-Station-SSID as well to verify that this syntax works unlike the other?
Gerald, Alan and Arran always request the *full* output of 'radiusd -X' for a good reason... just copying and pasting what you might consider relevant is not always necessarily what they need to diagnose whether this is a bug or not. So, suggestion is: 1. Run one radiusd -X output with the standard Called-Station-SSID that you believe does not work. 2. Run one radiusd -X output with your policy that you say works. Post both (and that includes *everything* from the version line at the top of the initial output to the return of the final Access-Accept or Access-Reject). If there are any passwords, radiusd -X usually removes them, but you might wish to grep for any passwords you know you are using and replace them with '<< password >>' or similar. That way Alan can look at your configuration and check whether something's wrong, and where he may need to start looking. With Regards Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
On 28.04.15 17:25, Stefan Paetow wrote:
Do you need me to test it with Called-Station-SSID as well to verify that this syntax works unlike the other? Alan and Arran always request the *full* output of 'radiusd -X' for a good reason... just copying and pasting what you might consider relevant is not always necessarily what they need to diagnose whether this is a bug or not.
I thought it has been established it is a bug.
So, suggestion is:
1. Run one radiusd -X output with the standard Called-Station-SSID that you believe does not work.
2. Run one radiusd -X output with your policy that you say works.
I don't need two runs for that. I can put all three ways to address the outer Called-Station-SSID in a single section.
Post both (and that includes *everything* from the version line at the top of the initial output to the return of the final Access-Accept or Access-Reject).
If there are any passwords, radiusd -X usually removes them, but you might wish to grep for any passwords you know you are using and replace them with '<< password >>' or similar.
That way Alan can look at your configuration and check whether something's wrong, and where he may need to start looking.
I have attached the full output of a test run of a eap-peap authentication from a new CentOS 7 freeradius-3.0.4-6.el7.x86_64 installation. As you can see outer.request:Called-Station-SSID and outer.Called-Station-SSID don't return anything but "%{outer.request:Called-Station-SSID}" does. There are only three differences to the configuration files from the distribution: Added to the end of users -> ./mods-config/files/authorize: bob Cleartext-Password := "hello" Reply-Message := "Hello, %{User-Name}" *** sites-available/default 2015-03-06 00:41:49.000000000 +0100 --- sites-enabled/default 2015-04-28 18:04:58.954102428 +0200 *************** *** 331,336 **** --- 331,338 ---- suffix # ntdomain + rewrite_called_station_id + # # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP # authentication. *************** *** 517,522 **** --- 519,526 ---- preacct { preprocess + rewrite_called_station_id + # # Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets # into a single 64bit counter Acct-[Input|Output]-Octets64. *** sites-available/inner-tunnel 2015-03-06 00:41:49.000000000 +0100 --- sites-enabled/inner-tunnel 2015-04-28 18:09:32.427065903 +0200 *************** *** 46,51 **** --- 46,76 ---- # Make *sure* that 'preprocess' comes before any realm if you # need to setup hints for the remote radius server authorize { + update request { + Called-Station-SSID := outer.request:Called-Station-SSID + } + if ( Called-Station-SSID ) { + update reply { + Reply-Message += "1: Called-Station-SSID = %{Called-Station-SSID}" + } + } + update request { + Called-Station-SSID := outer.Called-Station-SSID + } + if ( Called-Station-SSID ) { + update reply { + Reply-Message += "2: Called-Station-SSID = %{Called-Station-SSID}" + } + } + update request { + Called-Station-SSID := "%{outer.request:Called-Station-SSID}" + } + if ( Called-Station-SSID ) { + update reply { + Reply-Message += "3: Called-Station-SSID = %{Called-Station-SSID}" + } + } + # # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set -Gerald
On Apr 28, 2015, at 1:18 PM, Gerald Vogt <vogt@spamcop.net> wrote:
I thought it has been established it is a bug.
No. If, as you claim, it doesn't work, then it's a bug. The argument here was you haven't shown your claims.
I have attached the full output of a test run of a eap-peap authentication from a new CentOS 7 freeradius-3.0.4-6.el7.x86_64 installation.
As you can see outer.request:Called-Station-SSID and outer.Called-Station-SSID don't return anything but "%{outer.request:Called-Station-SSID}" does.
Because your tests are wrong.
authorize { + update request { + Called-Station-SSID := outer.request:Called-Station-SSID
See "man unlang". This is documented. This configuration is the same as: update request { Called-Station-SSID := "outer.request:Called-Station-SSID" } Because you're not doing: update request { Called-Station-SSID := &outer.request:Called-Station-SSID } As is documented by "man unlang". So all of this back and forth could have been simplified by (a) describing exactly what you're doing, and not "it doesn't get updated", and (b) providing the debug output. Alan DeKok.
On 28/04/15 22:47, Alan DeKok wrote:
On Apr 28, 2015, at 1:18 PM, Gerald Vogt <vogt@spamcop.net> wrote:
I thought it has been established it is a bug.
No. If, as you claim, it doesn't work, then it's a bug. The argument here was you haven't shown your claims.
I have attached the full output of a test run of a eap-peap authentication from a new CentOS 7 freeradius-3.0.4-6.el7.x86_64 installation.
As you can see outer.request:Called-Station-SSID and outer.Called-Station-SSID don't return anything but "%{outer.request:Called-Station-SSID}" does.
Because your tests are wrong.
Because I created a test configuration after it was still not considered enough debug output I have posted before. There I accidentally missed the &. My previous tests where in my "real" configuration and included the & as I always copied the text from the previous e-mails and copied the results into my e-mails. Previously it was with & and it showed exactly the same as without &. And that's also why I have missed the missing & in the test configuration: debug output is identical with and without &.
authorize { + update request { + Called-Station-SSID := outer.request:Called-Station-SSID
See "man unlang". This is documented.
This configuration is the same as:
update request { Called-Station-SSID := "outer.request:Called-Station-SSID" }
No. It's not. It definitively not the same. The former does basically nothing. Called-Station-SSID gets no value assigned. The latter assigns the string contained in quotes.
Because you're not doing:
update request { Called-Station-SSID := &outer.request:Called-Station-SSID }
And now I do it and it still doesn't make any difference. The outcome is exactly the same to the one without &.
As is documented by "man unlang".
So all of this back and forth could have been simplified by (a) describing exactly what you're doing, and not "it doesn't get updated", and (b) providing the debug output.
I did that all the time before and it was with & as I also wrote a couple of times before. So here we go again, and as probably noone would believe me if I wrote I only changed this&that to the previous tests I post everything all over again below and attached. I clear the attribute again before each assignment to avoid mixup with previously set values, but yes, I have made tests without that placing only a single assignment in for tests showing the same results as in this big "combined" test. As you can see from the debug output, the same happens with and without ampersand. As you can also see, assigning without ampersand is not the same as assigning as string in double quotes. As you can also see, only the last form gets the real value from the outer. Here are all the changes to the originally distributed files which came from the CentOS 7.1 distribution: I have added those two lines at the end of users: bob Cleartext-Password := "hello" Reply-Message := "Hello, %{User-Name}" and those two diffs: *** sites-available/default 2015-03-06 00:41:49.000000000 +0100 --- sites-enabled/default 2015-04-28 18:04:58.954102428 +0200 *************** *** 331,336 **** --- 331,338 ---- suffix # ntdomain + rewrite_called_station_id + # # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP # authentication. *************** *** 517,522 **** --- 519,526 ---- preacct { preprocess + rewrite_called_station_id + # # Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets # into a single 64bit counter Acct-[Input|Output]-Octets64. *** sites-available/inner-tunnel 2015-03-06 00:41:49.000000000 +0100 --- sites-enabled/inner-tunnel 2015-04-29 07:33:02.778593360 +0200 *************** *** 46,51 **** --- 46,115 ---- # Make *sure* that 'preprocess' comes before any realm if you # need to setup hints for the remote radius server authorize { + update request { + Called-Station-SSID !* ANY + Called-Station-SSID := outer.request:Called-Station-SSID + } + if ( Called-Station-SSID ) { + update reply { + Reply-Message += "1: Called-Station-SSID = %{Called-Station-SSID}" + } + } + update request { + Called-Station-SSID !* ANY + Called-Station-SSID := "outer.request:Called-Station-SSID" + } + if ( Called-Station-SSID ) { + update reply { + Reply-Message += "1a: Called-Station-SSID = %{Called-Station-SSID}" + } + } + update request { + Called-Station-SSID !* ANY + Called-Station-SSID := &outer.request:Called-Station-SSID + } + if ( Called-Station-SSID ) { + update reply { + Reply-Message += "1b: Called-Station-SSID = %{Called-Station-SSID}" + } + } + update request { + Called-Station-SSID !* ANY + Called-Station-SSID := outer.Called-Station-SSID + } + if ( Called-Station-SSID ) { + update reply { + Reply-Message += "2: Called-Station-SSID = %{Called-Station-SSID}" + } + } + update request { + Called-Station-SSID !* ANY + Called-Station-SSID := "outer.Called-Station-SSID" + } + if ( Called-Station-SSID ) { + update reply { + Reply-Message += "2a: Called-Station-SSID = %{Called-Station-SSID}" + } + } + update request { + Called-Station-SSID !* ANY + Called-Station-SSID := &outer.Called-Station-SSID + } + if ( Called-Station-SSID ) { + update reply { + Reply-Message += "2b: Called-Station-SSID = %{Called-Station-SSID}" + } + } + update request { + Called-Station-SSID !* ANY + Called-Station-SSID := "%{outer.request:Called-Station-SSID}" + } + if ( Called-Station-SSID ) { + update reply { + Reply-Message += "3: Called-Station-SSID = %{Called-Station-SSID}" + } + } + # # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set -Gerald
On Apr 29, 2015, at 2:01 AM, Gerald Vogt <vogt@spamcop.net> wrote:
This configuration is the same as:
update request { Called-Station-SSID := "outer.request:Called-Station-SSID" }
No. It's not. It definitively not the same. The former does basically nothing. Called-Station-SSID gets no value assigned. The latter assigns the string contained in quotes.
OK... I've spent a fair bit of time looking into this. I am interested in making FreeRADIUS better, after all.
+ update request { + Called-Station-SSID !* ANY + Called-Station-SSID := outer.Called-Station-SSID
That's wrong. It's not a valid attribute reference. Most of the rest of the changes are needlessly complicated. You don't need to delete the Called-Station-SSID and then re-add it. You can just use ":=", as that's it's documented behaviour. You don't need to check for the existence of the Called-Station-Id, you can just use it in the Reply-Message And it works in my tests, with the exception of the wrong attribute reference above. You're using 3.0.4. It works in 3.0.8. Upgrade. Alan DeKok.
On 29.04.15 15:59, Alan DeKok wrote:
On Apr 29, 2015, at 2:01 AM, Gerald Vogt <vogt@spamcop.net> wrote:
This configuration is the same as:
update request { Called-Station-SSID := "outer.request:Called-Station-SSID" }
No. It's not. It definitively not the same. The former does basically nothing. Called-Station-SSID gets no value assigned. The latter assigns the string contained in quotes.
OK... I've spent a fair bit of time looking into this. I am interested in making FreeRADIUS better, after all.
+ update request { + Called-Station-SSID !* ANY + Called-Station-SSID := outer.Called-Station-SSID
That's wrong. It's not a valid attribute reference.
Most of the rest of the changes are needlessly complicated. You don't need to delete the Called-Station-SSID and then re-add it. You can just use ":=", as that's it's documented behaviour.
I did that for the tests to reset the attribute. Otherwise those not working assignments wouldn't change the attribute, i.e. the value which was set in an assignment before would show up in the reply message...
You don't need to check for the existence of the Called-Station-Id, you can just use it in the Reply-Message
Which will give me an error message (at least in 3.0.4) if the attribute does not exist.
And it works in my tests, with the exception of the wrong attribute reference above.\
Interesting. I have just compiled freeradius 3.0.8 from the tarball on a CentOS 7. Now all assignments assign something. outer.request:Called-Station-SSID and &outer.request:Called-Station-SSID as well as outer.Called-Station-SSID and &outer.Called-Station-SSID all assign the current value of the outer Called-Station-SSID attribute. i.e., Called-Station-SSID := outer.Called-Station-SSID is working in my tests with freeradius 3.0.8, unlike yours. Still the identical configuration from my previous tests (except for the allow_vulnerable_openssl flag to get it started). Just downloaded freeradius-server-3.0.8, configured, compiled, installed, and ran... So it puzzles me why it worked in my tests... Either way, problem of accessing the outer attributes seems to have been fixed between 3.0.4 and 3.0.8. As I can still access the attributes using "%{outer.request:Called-Station-SSID}" it doesn't bother me that much, thus I would stick with the RHEL/CentOS 7.1 3.0.4 RPM. But I guess I could submit a bug report to RHEL and hope that they'll include an updated version with 7.2... -Gerald Here is the debug output of the assignments in the inner tunnel on my 3.0.8 tests: (9) # Executing section authorize from file /etc/raddb.TEST//sites-enabled/inner-tunnel (9) authorize { (9) update request { (9) Called-Station-SSID !* ANY (9) Called-Station-SSID := &Called-Station-SSID -> MYSSID (9) } # update request = noop (9) if ( Called-Station-SSID ) { (9) if ( Called-Station-SSID ) -> TRUE (9) if ( Called-Station-SSID ) { (9) update reply { (9) EXPAND 1: Called-Station-SSID = %{Called-Station-SSID} (9) --> 1: Called-Station-SSID = MYSSID (9) Reply-Message += 1: Called-Station-SSID = MYSSID (9) } # update reply = noop (9) } # if ( Called-Station-SSID ) = noop (9) update request { (9) Called-Station-SSID !* ANY (9) Called-Station-SSID := "outer.request:Called-Station-SSID" (9) } # update request = noop (9) if ( Called-Station-SSID ) { (9) if ( Called-Station-SSID ) -> TRUE (9) if ( Called-Station-SSID ) { (9) update reply { (9) EXPAND 1a: Called-Station-SSID = %{Called-Station-SSID} (9) --> 1a: Called-Station-SSID = outer.request:Called-Station-SSID (9) Reply-Message += 1a: Called-Station-SSID = outer.request:Called-Station-SSID (9) } # update reply = noop (9) } # if ( Called-Station-SSID ) = noop (9) update request { (9) Called-Station-SSID !* ANY (9) Called-Station-SSID := &Called-Station-SSID -> MYSSID (9) } # update request = noop (9) if ( Called-Station-SSID ) { (9) if ( Called-Station-SSID ) -> TRUE (9) if ( Called-Station-SSID ) { (9) update reply { (9) EXPAND 1b: Called-Station-SSID = %{Called-Station-SSID} (9) --> 1b: Called-Station-SSID = MYSSID (9) Reply-Message += 1b: Called-Station-SSID = MYSSID (9) } # update reply = noop (9) } # if ( Called-Station-SSID ) = noop (9) update request { (9) Called-Station-SSID !* ANY (9) Called-Station-SSID := &Called-Station-SSID -> MYSSID (9) } # update request = noop (9) if ( Called-Station-SSID ) { (9) if ( Called-Station-SSID ) -> TRUE (9) if ( Called-Station-SSID ) { (9) update reply { (9) EXPAND 2: Called-Station-SSID = %{Called-Station-SSID} (9) --> 2: Called-Station-SSID = MYSSID (9) Reply-Message += 2: Called-Station-SSID = MYSSID (9) } # update reply = noop (9) } # if ( Called-Station-SSID ) = noop (9) update request { (9) Called-Station-SSID !* ANY (9) Called-Station-SSID := "outer.Called-Station-SSID" (9) } # update request = noop (9) if ( Called-Station-SSID ) { (9) if ( Called-Station-SSID ) -> TRUE (9) if ( Called-Station-SSID ) { (9) update reply { (9) EXPAND 2a: Called-Station-SSID = %{Called-Station-SSID} (9) --> 2a: Called-Station-SSID = outer.Called-Station-SSID (9) Reply-Message += 2a: Called-Station-SSID = outer.Called-Station-SSID (9) } # update reply = noop (9) } # if ( Called-Station-SSID ) = noop (9) update request { (9) Called-Station-SSID !* ANY (9) Called-Station-SSID := &Called-Station-SSID -> MYSSID (9) } # update request = noop (9) if ( Called-Station-SSID ) { (9) if ( Called-Station-SSID ) -> TRUE (9) if ( Called-Station-SSID ) { (9) update reply { (9) EXPAND 2b: Called-Station-SSID = %{Called-Station-SSID} (9) --> 2b: Called-Station-SSID = MYSSID (9) Reply-Message += 2b: Called-Station-SSID = MYSSID (9) } # update reply = noop (9) } # if ( Called-Station-SSID ) = noop (9) update request { (9) Called-Station-SSID !* ANY (9) EXPAND %{outer.request:Called-Station-SSID} (9) --> MYSSID (9) Called-Station-SSID := MYSSID (9) } # update request = noop (9) if ( Called-Station-SSID ) { (9) if ( Called-Station-SSID ) -> TRUE (9) if ( Called-Station-SSID ) { (9) update reply { (9) EXPAND 3: Called-Station-SSID = %{Called-Station-SSID} (9) --> 3: Called-Station-SSID = MYSSID (9) Reply-Message += 3: Called-Station-SSID = MYSSID (9) } # update reply = noop (9) } # if ( Called-Station-SSID ) = noop
Hi,
authorize { + update request { + Local-SSID := "%{outer.request:Local-SSID}" + }
and that works:
(11) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (11) authorize { (11) update request { (11) EXPAND %{outer.request:Local-SSID} (11) --> MYSSID (11) Local-SSID := "MYSSID" (11) } # update request = noop
So I guess that should also work with Called-Station-SSID.
..and it does, doesnt it? according to your own variable mix testing, you saw that the following ended up triggering a match and setting the reply: (7) update request { (7) EXPAND %{outer.request:Called-Station-SSID} (7) --> MYSSID (7) Called-Station-SSID := "MYSSID" (7) } # update request = noop (7) if ( Called-Station-SSID ) (7) if ( Called-Station-SSID ) -> TRUE (7) if ( Called-Station-SSID ) { (7) update reply { (7) EXPAND 3: Called-Station-SSID = %{Called-Station-SSID} (7) --> 3: Called-Station-SSID = MYSSID (7) Reply-Message += "3: Called-Station-SSID = MYSSID" so %{outer.request:Called-Station-SSID} is required...and is picked up. alan
On 28/04/15 21:26, A.L.M.Buxey@lboro.ac.uk wrote:
(7) update request { (7) EXPAND %{outer.request:Called-Station-SSID} (7) --> MYSSID (7) Called-Station-SSID := "MYSSID" (7) } # update request = noop (7) if ( Called-Station-SSID ) (7) if ( Called-Station-SSID ) -> TRUE (7) if ( Called-Station-SSID ) { (7) update reply { (7) EXPAND 3: Called-Station-SSID = %{Called-Station-SSID} (7) --> 3: Called-Station-SSID = MYSSID (7) Reply-Message += "3: Called-Station-SSID = MYSSID"
so %{outer.request:Called-Station-SSID} is required...and is picked up.
Yes, I know that. But in <0A74CE5E-8459-465C-A896-81CBDE0F9CF3@deployingradius.com> Alan wrote:
You should be able to do:
update request { Called-Station-SSID := &outer.request:Called-Station-SSID }
If that doesn't work, it's likely a bug.
Others suggested the same or similar. But that doesn't work. "%{outer.request:Called-Station-SSID}" works. &outer.request:Called-Station-SSID works not. I am not supposed to be too pedantic about the "should" thus I can only put these results here and let someone conclude who knows the internals of freeradius. -Gerald
Hi,
ssid { if ( Called-Station-Id ) { if ( Called-Station-Id =~ /^[-A-Fa-f0-9]+:(.*)$/ ) { update { Local-SSID = "%{1}" } } } }
okay, so you've got unlang and policies sorted :-)
4. and now I can use the attribute Local-SSID with simple == and != operators in the users file, e.g.
why? just do that using unlang too in the relevant virtual server. the old 'flat file' methods can be left almost as distributed (using them can be much much slower than unlang...) alan
On 28/04/15 09:51, A.L.M.Buxey@lboro.ac.uk wrote:
ssid { if ( Called-Station-Id ) { if ( Called-Station-Id =~ /^[-A-Fa-f0-9]+:(.*)$/ ) { update { Local-SSID = "%{1}" } } } }
okay, so you've got unlang and policies sorted :-)
4. and now I can use the attribute Local-SSID with simple == and != operators in the users file, e.g.
why? just do that using unlang too in the relevant virtual server. the old 'flat file' methods can be left almost as distributed (using them can be much much slower than unlang...)
It's a migration from CentOS 6 to CentOS 7. Thus, currently I still have the users aka authorize file. I have already cleaned up the default server and got rid of the files module there by putting the few relevant checks into unlang... Gerald
participants (6)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
Gerald Vogt -
Herwin Weststrate -
Stefan Paetow