Hi, I have freeRADIUS 2.0.5 authenticating against LDAP via eap and this has been working perfectly since last year. Now a I have a new requirement to authenticate another set of users in the same LDAP tree onto a different service. These users will be visitors to our site and will have the user names Visitor1 ... Visitor(nn) I do not want visitors to be able to get onto the original service, and I do not want normal users to get onto the visitor service. My thoughts are to set up a new virtual server and add an 'if' statement to look for the visitor user names, and reject or allow as necessary. something like this in the new virtual server if ( Stripped-User-Name != /visitor[0-9]?[0-9]/i ) { reject } and the inverse for the old service. if ( Stripped-User-Name =~ /visitor[0-9]?[0-9]/i ) { reject } Is this syntax correct ? and where do I put it? Thanks for your time ...regards, Bruce Richardson Please consider the environment - do you really need to print this email? ________________________________________________________________________________________ This e-mail and any attachments are confidential and solely for the use of the intended recipient. They may contain material protected by legal professional or other privilege. If you receive it in error, please delete it from your system, make no copies of it, do not disclose its contents to any third party or use it for your own or any other person's benefit. Please advise the sender of its receipt as soon as possible. Although this email and its attachments are believed to be free of any virus or other defect, it is the responsibility of the recipient to ensure that they are virus free and no responsibility is accepted by the company for any loss or damage arising from receipt or use thereof. Any opinions expressed that do not relate to the official business of the company are those of the author, not the United Biscuits group of companies. United Biscuits (UK) Limited Registered in England number 2506007 Registered Office: Hayes Park, Hayes End Road, Hayes, Middlesex, UB4 8EE ________________________________________________________________________________________
I do not want visitors to be able to get onto the original service, and I do not want normal users to get onto the visitor service.
My thoughts are to set up a new virtual server and add an 'if' statement to look for the visitor user names, and reject or allow as necessary.
something like this in the new virtual server
if ( Stripped-User-Name != /visitor[0-9]?[0-9]/i ) { reject }
and the inverse for the old service.
if ( Stripped-User-Name =~ /visitor[0-9]?[0-9]/i ) { reject }
Is this syntax correct ? and where do I put it?
What about the service? You probably want: if( Service-Type == whatever && Stripped-User-Name != /visitor[0-9]?[0-9]/i ) { reject } That goes in authorize section. Ivan Kalik Kalik Informatika ISP
On 20/3/09 12:25, tnt@kalik.net wrote:
I do not want visitors to be able to get onto the original service, and I do not want normal users to get onto the visitor service.
My thoughts are to set up a new virtual server and add an 'if' statement to look for the visitor user names, and reject or allow as necessary.
something like this in the new virtual server
if ( Stripped-User-Name != /visitor[0-9]?[0-9]/i ) { reject }
and the inverse for the old service.
if ( Stripped-User-Name =~ /visitor[0-9]?[0-9]/i ) { reject }
Is this syntax correct ? and where do I put it?
What about the service? You probably want:
if(("%{request:Service-Type}" == 'whatever') && ("%{request:Stripped-User-Name}" !~ /visitor[0-9]?[0-9]/i)) { reject } I don't think naked attribute names were supported in 2.0.5..
That goes in authorize section.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
if(("%{request:Service-Type}" == 'whatever') && ("%{request:Stripped-User-Name}" !~ /visitor[0-9]?[0-9]/i)) { reject }
I don't think naked attribute names were supported in 2.0.5..
Thanks Ivan and Arran , in fact there is only one Service-Type (Login-User ). so I changed my authorize section to ... authorize { # preprocess prefix eap { ok = return } ldap # Just the Visitors please !! if("%{request:Stripped-User-Name}" !~ /visitor[0-9]?[0-9]/i) {reject} expiration logintime } and now radiusd will not start .. /usr/local/etc/raddb/sites-enabled/all[182]: EOF reached without closing brace for section server starting at line 115 Errors reading /usr/local/etc/raddb/radiusd.conf I've also tried Ivan's version with the same results. Commenting out the 'if' statement fixes the issue, and I can't see any missing braces. Am I putting it in the wrong place, or is the syntax wrong ? Bruce Please consider the environment - do you really need to print this email? ________________________________________________________________________________________ This e-mail and any attachments are confidential and solely for the use of the intended recipient. They may contain material protected by legal professional or other privilege. If you receive it in error, please delete it from your system, make no copies of it, do not disclose its contents to any third party or use it for your own or any other person's benefit. Please advise the sender of its receipt as soon as possible. Although this email and its attachments are believed to be free of any virus or other defect, it is the responsibility of the recipient to ensure that they are virus free and no responsibility is accepted by the company for any loss or damage arising from receipt or use thereof. Any opinions expressed that do not relate to the official business of the company are those of the author, not the United Biscuits group of companies. United Biscuits (UK) Limited Registered in England number 2506007 Registered Office: Hayes Park, Hayes End Road, Hayes, Middlesex, UB4 8EE ________________________________________________________________________________________
if(("%{request:Service-Type}" == 'whatever') && ("%{request:Stripped-User-Name}" !~ /visitor[0-9]?[0-9]/i)) { reject }
# Just the Visitors please !! if("%{request:Stripped-User-Name}" !~ /visitor[0-9]?[0-9]/i) {reject}
Don't open and close brackets on the same line. Have a look at Arran's statement. Ivan Kalik Kalik Informatika ISP
Don't open and close brackets on the same line. Have a look at Arran's statement.
Ok I tried this ... if("%{request:Stripped-User-Name}" !~ /visitor[0-9]?[0-9]/i) { reject } and got this ... /usr/local/etc/raddb/sites-enabled/all[156]: Parse error in condition at: "%{request:Stripped-User-Name}" !~ any ideas ? Bruce Please consider the environment - do you really need to print this email? ________________________________________________________________________________________ This e-mail and any attachments are confidential and solely for the use of the intended recipient. They may contain material protected by legal professional or other privilege. If you receive it in error, please delete it from your system, make no copies of it, do not disclose its contents to any third party or use it for your own or any other person's benefit. Please advise the sender of its receipt as soon as possible. Although this email and its attachments are believed to be free of any virus or other defect, it is the responsibility of the recipient to ensure that they are virus free and no responsibility is accepted by the company for any loss or damage arising from receipt or use thereof. Any opinions expressed that do not relate to the official business of the company are those of the author, not the United Biscuits group of companies. United Biscuits (UK) Limited Registered in England number 2506007 Registered Office: Hayes Park, Hayes End Road, Hayes, Middlesex, UB4 8EE ________________________________________________________________________________________
Bruce_M_Richardson@biscuits.com wrote:
if("%{request:Stripped-User-Name}" !~ /visitor[0-9]?[0-9]/i) { reject }
and got this ...
/usr/local/etc/raddb/sites-enabled/all[156]: Parse error in condition at: "%{request:Stripped-User-Name}" !~
any ideas ?
$ man unlang Everything following the "if" statement MUST be all on one line of text. Alan DeKok.
$ man unlang
Everything following the "if" statement MUST be all on one line of text.
Alan DeKok. -
Ok thanks, I don't think that is clear on http://freeradius.org/radiusd/man/unlang.html . I now have ... if("%{request:Stripped-User-Name}" !~ /visitor[0-9]?[0-9]/i) { reject } and radiusd will start now. Thanks to all Bruce Please consider the environment - do you really need to print this email? ________________________________________________________________________________________ This e-mail and any attachments are confidential and solely for the use of the intended recipient. They may contain material protected by legal professional or other privilege. If you receive it in error, please delete it from your system, make no copies of it, do not disclose its contents to any third party or use it for your own or any other person's benefit. Please advise the sender of its receipt as soon as possible. Although this email and its attachments are believed to be free of any virus or other defect, it is the responsibility of the recipient to ensure that they are virus free and no responsibility is accepted by the company for any loss or damage arising from receipt or use thereof. Any opinions expressed that do not relate to the official business of the company are those of the author, not the United Biscuits group of companies. United Biscuits (UK) Limited Registered in England number 2506007 Registered Office: Hayes Park, Hayes End Road, Hayes, Middlesex, UB4 8EE ________________________________________________________________________________________
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Bruce_M_Richardson@biscuits.com -
tnt@kalik.net