hints file based rewrite does not work (migration from freeradius 1.1.x to 3.0.x)
Hi list, we're about to move from a freeradius (freeradius-1.1.3-1.6.el5 on CentOS 5) to a HA freeradius (freeradius-3.0.4-6.el7.x86_64 on CentOS 7) environment. We're almost there, however, I ran into an issue: I have to rewrite an "%" character to "@". My 'hints' file on the old installation did this perfectly well: DEFAULT User-Name =~ "bla\-bla\/([^%]+)%kroenchenstadt.de" User-Name := "%{1}@kroenchenstadt.de" However, freeradius BLA throws an error (running as 'radius -X' for debugging purposes): (0) ERROR: preprocess : bla\-bla\/(^%)%kroenchenstadt.de (0) ERROR: preprocess : ^ Invalid variable expansion Any idea what goes possibly wrong here? How could I circumvent the problem? Thanks, Bernd
I copied the wrong log file entry; corrected below:
Hi list,
we're about to move from a freeradius (freeradius-1.1.3-1.6.el5 on CentOS 5) to a HA freeradius (freeradius-3.0.4-6.el7.x86_64 on CentOS 7) environment.
We're almost there, however, I ran into an issue: I have to rewrite an "%" character to "@". My 'hints' file on the old installation did this perfectly well:
DEFAULT User-Name =~ "bla\-bla\/([^%]+)%kroenchenstadt.de" User-Name := "%{1}@kroenchenstadt.de"
However, freeradius BLA throws an error (running as 'radius -X' for debugging purposes):
[Correction:] (0) # Executing section preacct from file /etc/raddb/sites-enabled/default (0) preacct { (0) ERROR: preprocess : bla\-bla\/(^%+)%kroenchenstadt.de (0) ERROR: preprocess : ^ Invalid variable expansion Segmentation fault
Any idea what goes possibly wrong here? How could I circumvent the problem?
Thanks,
Bernd
On Oct 12, 2015, at 6:09 AM, Bernd <bernd@kroenchenstadt.de> wrote:
we're about to move from a freeradius (freeradius-1.1.3-1.6.el5 on CentOS 5) to a HA freeradius (freeradius-3.0.4-6.el7.x86_64 on CentOS 7) environment.
We're almost there, however, I ran into an issue: I have to rewrite an "%" character to "@". My 'hints' file on the old installation did this perfectly well:
DEFAULT User-Name =~ "bla\-bla\/([^%]+)%kroenchenstadt.de" User-Name := "%{1}@kroenchenstadt.de"
Don't use "hints" for that. Just put the configuration into the "authorize" section, in "unlang". if (User-Name =~ /bla\-bla\/([^%]+)%kroenchenstadt.de/) { update control { User-Name := "%{1}@kroenchenstadt.de" } } Alan DeKok.
Am 2015-10-12 14:58, schrieb Alan DeKok:
On Oct 12, 2015, at 6:09 AM, Bernd <bernd@kroenchenstadt.de> wrote:
we're about to move from a freeradius (freeradius-1.1.3-1.6.el5 on CentOS 5) to a HA freeradius (freeradius-3.0.4-6.el7.x86_64 on CentOS 7) environment.
We're almost there, however, I ran into an issue: I have to rewrite an "%" character to "@". My 'hints' file on the old installation did this perfectly well:
DEFAULT User-Name =~ "bla\-bla\/([^%]+)%kroenchenstadt.de" User-Name := "%{1}@kroenchenstadt.de"
Don't use "hints" for that. Just put the configuration into the "authorize" section, in "unlang".
if (User-Name =~ /bla\-bla\/([^%]+)%kroenchenstadt.de/) { update control { User-Name := "%{1}@kroenchenstadt.de" } }
Thanks a lot for your reply, Alan. I deleted it from hints and put your snippet into the config, however I still get that error: (13) if (&User-Name =~ /@\\./) (13) if (&User-Name =~ /@\\./) -> FALSE (13) } # filter_username filter_username = notfound (13) [preprocess] = ok (13) [chap] = noop (13) [mschap] = noop (13) [digest] = noop (13) if (User-Name =~ /bla\-bla\/([^%]+)%kroenchenstadt.de/) (13) ERROR: bla-bla/([^%]+)%kroenchenstadt.de (13) ERROR: ^ Invalid variable expansion (13) ERROR: Failed retrieving values required to evaluate condition (13) suffix : Checking for suffix after "@" (13) suffix : No '@' in User-Name = "bla-bla/20103760%kroenchenstadt.de", looking up realm NULL (13) suffix : No such realm "NULL" (13) [suffix] = noop (13) eap : No EAP-Message, not doing EAP Bernd
Alan DeKok.
On Oct 12, 2015, at 10:08 AM, Bernd <bernd@kroenchenstadt.de> wrote:
Thanks a lot for your reply, Alan. I deleted it from hints and put your snippet into the config, however I still get that error:
Escape the % with a backslash. And upgrade to 3.0.10. It makes a big difference. Alan DeKok.
Am 2015-10-12 16:23, schrieb Alan DeKok:
On Oct 12, 2015, at 10:08 AM, Bernd <bernd@kroenchenstadt.de> wrote:
Thanks a lot for your reply, Alan. I deleted it from hints and put your snippet into the config, however I still get that error:
Escape the % with a backslash.
Escaped all %'s with a backslash, same problem. if (User-Name =~ /bla\-bla\/([^\%]+)\%kroenchenstadt.de/) { update control { User-Name := "\%{1}@kroenchenstadt.de" } } (1) if (&User-Name =~ /@\\./) (1) if (&User-Name =~ /@\\./) -> FALSE (1) if (User-Name =~ /bla\-bla\/([^%]+)\%kroenchenstadt.de/) (1) ERROR: bla-bla/([^%]+)%kroenchenstadt.de (1) ERROR: ^ Invalid variable expansion (1) ERROR: Failed retrieving values required to evaluate condition (1) } # filter_username filter_username = notfound (1) [preprocess] = ok
And upgrade to 3.0.10. It makes a big difference.
Thanks, I'll check that. However, the repos just list 3.0.4, so I'd have to create an RPM myself (do it quite often, so no show stopper).
Alan DeKok.
Bernd
On 12-10-15 16:43, Bernd wrote:
Am 2015-10-12 16:23, schrieb Alan DeKok:
On Oct 12, 2015, at 10:08 AM, Bernd <bernd@kroenchenstadt.de> wrote:
Thanks a lot for your reply, Alan. I deleted it from hints and put your snippet into the config, however I still get that error:
Escape the % with a backslash.
Escaped all %'s with a backslash, same problem.
Actually, the % should not be escaped with a slash, but with another %. The problem here isn't regex escaping, but xlat that tries to expand the % variable. The following piece of code should work: if (User-Name =~ /bla-bla\/([^%%]+)%%kroenchenstadt.de/) { update control { User-Name := "%{1}@kroenchenstadt.de" } } There is no need to escape the hyphen in regex either, so I've removed that escape too. I've tested it with 3.0.10. -- Herwin Weststrate
Am 2015-10-12 16:57, schrieb Herwin Weststrate:
On 12-10-15 16:43, Bernd wrote:
Am 2015-10-12 16:23, schrieb Alan DeKok:
On Oct 12, 2015, at 10:08 AM, Bernd <bernd@kroenchenstadt.de> wrote:
Thanks a lot for your reply, Alan. I deleted it from hints and put your snippet into the config, however I still get that error:
Escape the % with a backslash.
Escaped all %'s with a backslash, same problem.
Actually, the % should not be escaped with a slash, but with another %. The problem here isn't regex escaping, but xlat that tries to expand the % variable.
The following piece of code should work:
if (User-Name =~ /bla-bla\/([^%%]+)%%kroenchenstadt.de/) { update control { User-Name := "%{1}@kroenchenstadt.de" } }
The code itself seems to work, thanks a lot! However, it still sends a "=25" (which originates from the forbidden character "%" regarding its use within a MySQL setup) to the MySQL: (20) if (&User-Name =~ /@\\./) (20) if (&User-Name =~ /@\\./) -> FALSE (20) if (User-Name =~ /bla\-bla\/([^%%]+)%%kroenchenstadt.de/) (20) EXPAND bla-bla/([^%%]+)%%kroenchenstadt.de (20) --> bla-bla/([^%]+)%kroenchenstadt.de (20) if (User-Name =~ /bla\-bla\/([^%%]+)%%kroenchenstadt.de/) -> TRUE (20) if (User-Name =~ /bla\-bla\/([^%%]+)%%kroenchenstadt.de/) { (20) update control { (20) EXPAND %{1}@kroenchenstadt.de (20) --> 20082105@kroenchenstadt.de (20) User-Name := "20082105@kroenchenstadt.de" (20) } # update control = noop (20) } # if (User-Name =~ /bla\-bla\/([^%%]+)%%kroenchenstadt.de/) = noop (20) } # filter_username filter_username = noop (20) [preprocess] = ok (20) [chap] = noop (20) [mschap] = noop (20) [digest] = noop (20) suffix : Checking for suffix after "@" (20) suffix : No '@' in User-Name = "bla-bla/20082105%kroenchenstadt.de", looking up realm NULL (20) suffix : No such realm "NULL" (20) [suffix] = noop (20) eap : No EAP-Message, not doing EAP (20) [eap] = noop (20) sql : EXPAND %{User-Name} (20) sql : --> bla-bla/20082105%kroenchenstadt.de (20) sql : SQL-User-Name set to 'bla-bla/20082105%kroenchenstadt.de' rlm_sql (sql): Reserved connection (4) ***** (20) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (20) sql : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bla-bla/20082105=25kroenchenstadt.de' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bla-bla/20082105=25kroenchenstadt.de' ORDER BY id' rlm_sql (sql): Released connection (4) ***** (20) [sql] = notfound (20) [expiration] = noop So, filter in policy.d doesn't really *apply* it as I get from (20) } # if (User-Name =~ /bla\-bla\/([^%%]+)%%kroenchenstadt.de/) = noop (20) } # filter_username filter_username = noop That makes no sense to me because I didn't tell it to noop. Bernd
There is no need to escape the hyphen in regex either, so I've removed that escape too. I've tested it with 3.0.10.
On 12-10-15 17:12, Bernd wrote:
The code itself seems to work, thanks a lot! However, it still sends a "=25" (which originates from the forbidden character "%" regarding its use within a MySQL setup) to the MySQL:
(20) if (&User-Name =~ /@\\./) (20) if (&User-Name =~ /@\\./) -> FALSE (20) if (User-Name =~ /bla\-bla\/([^%%]+)%%kroenchenstadt.de/) (20) EXPAND bla-bla/([^%%]+)%%kroenchenstadt.de (20) --> bla-bla/([^%]+)%kroenchenstadt.de (20) if (User-Name =~ /bla\-bla\/([^%%]+)%%kroenchenstadt.de/) -> TRUE (20) if (User-Name =~ /bla\-bla\/([^%%]+)%%kroenchenstadt.de/) { (20) update control { (20) EXPAND %{1}@kroenchenstadt.de (20) --> 20082105@kroenchenstadt.de (20) User-Name := "20082105@kroenchenstadt.de" (20) } # update control = noop (20) } # if (User-Name =~ /bla\-bla\/([^%%]+)%%kroenchenstadt.de/) = noop ... (20) sql : EXPAND %{User-Name} (20) sql : --> bla-bla/20082105%kroenchenstadt.de (20) sql : SQL-User-Name set to 'bla-bla/20082105%kroenchenstadt.de' rlm_sql (sql): Reserved connection (4)
It changes control:User-Name to "20082105@kroenchenstadt.de", the expansion in the second part used User-Name without a list prefix, which defaults to request:User-Name. Update on of these two statements and you're fine.
So, filter in policy.d doesn't really *apply* it as I get from
(20) } # if (User-Name =~ /bla\-bla\/([^%%]+)%%kroenchenstadt.de/) = noop (20) } # filter_username filter_username = noop
That makes no sense to me because I didn't tell it to noop.
noop is a kind of return value used in unlang. You could add a more explicit value by specifying it: if (User-Name =~ /bla-bla\/([^%%]+)%%kroenchenstadt.de/) { ... update control block updated } Using this will make it show as "updated". But as long as there is no direct check for the return value, they're not that useful and can be safely omitted. -- Herwin Weststrate
Am 2015-10-12 17:30, schrieb Herwin Weststrate:
On 12-10-15 17:12, Bernd wrote:
The code itself seems to work, thanks a lot! However, it still sends a "=25" (which originates from the forbidden character "%" regarding its use within a MySQL setup) to the MySQL:
(20) if (&User-Name =~ /@\\./) (20) if (&User-Name =~ /@\\./) -> FALSE (20) if (User-Name =~ /bla\-bla\/([^%%]+)%%kroenchenstadt.de/) (20) EXPAND bla-bla/([^%%]+)%%kroenchenstadt.de (20) --> bla-bla/([^%]+)%kroenchenstadt.de (20) if (User-Name =~ /bla\-bla\/([^%%]+)%%kroenchenstadt.de/) -> TRUE (20) if (User-Name =~ /bla\-bla\/([^%%]+)%%kroenchenstadt.de/) { (20) update control { (20) EXPAND %{1}@kroenchenstadt.de (20) --> 20082105@kroenchenstadt.de (20) User-Name := "20082105@kroenchenstadt.de" (20) } # update control = noop (20) } # if (User-Name =~ /bla\-bla\/([^%%]+)%%kroenchenstadt.de/) = noop ... (20) sql : EXPAND %{User-Name} (20) sql : --> bla-bla/20082105%kroenchenstadt.de (20) sql : SQL-User-Name set to 'bla-bla/20082105%kroenchenstadt.de' rlm_sql (sql): Reserved connection (4)
It changes control:User-Name to "20082105@kroenchenstadt.de", the expansion in the second part used User-Name without a list prefix, which defaults to request:User-Name. Update on of these two statements and you're fine.
Updated to 'request:User-Name' which perfectly does what I need. Thank you a lot!!
So, filter in policy.d doesn't really *apply* it as I get from
(20) } # if (User-Name =~ /bla\-bla\/([^%%]+)%%kroenchenstadt.de/) = noop (20) } # filter_username filter_username = noop
That makes no sense to me because I didn't tell it to noop.
noop is a kind of return value used in unlang. You could add a more explicit value by specifying it:
if (User-Name =~ /bla-bla\/([^%%]+)%%kroenchenstadt.de/) { ... update control block updated }
Using this will make it show as "updated". But as long as there is no direct check for the return value, they're not that useful and can be safely omitted.
Okay, I see. Didn't recognize it as return value but rather as kind of 'result of command', which seemed a bit weird given that a few lines up it said to have rewritten that string it should rewrite. Thanks for clarification. Best, Bernd
Hi list, with your help I solved following problem in fall last year. I'll include that information because it may be connected to my current problem. I'm running into an issue that somerealm/01234@vpn.kroenchenstade.de is being accounted into MySQL and logfiles (radacct) while somerealm/01234@newtest.kroenchenstade.de.com *is* able to log in (radius.log shows it) but (after disconnect) is *not* logged anywhere (neither MySQL nor in radacct). What am I missing? Thanks in advance, Bernd --- On 2015-10-13 14:12, Bernd wrote:
Am 2015-10-12 17:30, schrieb Herwin Weststrate:
On 12-10-15 17:12, Bernd wrote:
The code itself seems to work, thanks a lot! However, it still sends a "=25" (which originates from the forbidden character "%" regarding its use within a MySQL setup) to the MySQL:
(20) if (&User-Name =~ /@\\./) (20) if (&User-Name =~ /@\\./) -> FALSE (20) if (User-Name =~ /bla\-bla\/([^%%]+)%%kroenchenstadt.de/) (20) EXPAND bla-bla/([^%%]+)%%kroenchenstadt.de (20) --> bla-bla/([^%]+)%kroenchenstadt.de (20) if (User-Name =~ /bla\-bla\/([^%%]+)%%kroenchenstadt.de/) -> TRUE (20) if (User-Name =~ /bla\-bla\/([^%%]+)%%kroenchenstadt.de/) { (20) update control { (20) EXPAND %{1}@kroenchenstadt.de (20) --> 20082105@kroenchenstadt.de (20) User-Name := "20082105@kroenchenstadt.de" (20) } # update control = noop (20) } # if (User-Name =~ /bla\-bla\/([^%%]+)%%kroenchenstadt.de/) = noop ... (20) sql : EXPAND %{User-Name} (20) sql : --> bla-bla/20082105%kroenchenstadt.de (20) sql : SQL-User-Name set to 'bla-bla/20082105%kroenchenstadt.de' rlm_sql (sql): Reserved connection (4)
It changes control:User-Name to "20082105@kroenchenstadt.de", the expansion in the second part used User-Name without a list prefix, which defaults to request:User-Name. Update on of these two statements and you're fine.
Updated to 'request:User-Name' which perfectly does what I need.
Thank you a lot!!
So, filter in policy.d doesn't really *apply* it as I get from
(20) } # if (User-Name =~ /bla\-bla\/([^%%]+)%%kroenchenstadt.de/) = noop (20) } # filter_username filter_username = noop
That makes no sense to me because I didn't tell it to noop.
noop is a kind of return value used in unlang. You could add a more explicit value by specifying it:
if (User-Name =~ /bla-bla\/([^%%]+)%%kroenchenstadt.de/) { ... update control block updated }
Using this will make it show as "updated". But as long as there is no direct check for the return value, they're not that useful and can be safely omitted.
Okay, I see. Didn't recognize it as return value but rather as kind of 'result of command', which seemed a bit weird given that a few lines up it said to have rewritten that string it should rewrite. Thanks for clarification.
On 2016-02-18 11:09, Bernd wrote:
Hi list,
Hi again, pls ignore my last mail. tcpdump showed that upstream ISP does not send any stop record... Best, Bernd
with your help I solved following problem in fall last year. I'll include that information because it may be connected to my current problem.
I'm running into an issue that
somerealm/01234@vpn.kroenchenstade.de is being accounted into MySQL and logfiles (radacct)
while
somerealm/01234@newtest.kroenchenstade.de.com
*is* able to log in (radius.log shows it) but (after disconnect) is *not* logged anywhere (neither MySQL nor in radacct).
What am I missing?
Thanks in advance,
Bernd
Hi List, Based on a previous thread (hints file based rewrite does not work (migration from freeradius 1.1.x to 3.0.x) I've been considering the following... In 2.x I used the "users" file to direct different types of NAS' to different virtual servers, based on some unique attribute. In 3.0.10, should I be doing this in default/authorize, as Alan instructed below? Examples: # uw-unsecured SSID DEFAULT Aruba-Essid-Name == "uw-unsecured", Proxy-To-Realm := "UW_UNSECURED_REALM" # NG TEST REALM DEFAULT Aruba-Essid-Name == "uw-nsd", Proxy-To-Realm := "UW_UNSECURED_REALM" #VPN DEFAULT Tunnel-Client-Endpoint == "%{request:Calling-Station-ID}", Proxy-To-Realm := "VPN_REALM" #CR-VPN DEFAULT Called-Station-Id == "10.10.10.10", Proxy-To-Realm := "VPN_REALM" #CN-VPN - OUTSIDE DEFAULT Called-Station-Id == "10.10.10.11", Proxy-To-Realm := "VPN_REALM" #802.1x DEFAULT NAS-Port-Type == Ethernet, Proxy-To-Realm := "LOCAL" Thanks, Dave -----Original Message----- From: Alan DeKok <aland@deployingradius.com<mailto:Alan%20DeKok%20%3caland@deployingradius.com%3e>> Reply-to: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org<mailto:FreeRadius%20users%20mailing%20list%20%3cfreeradius-users@lists.freeradius.org%3e>> Subject: Re: hints file based rewrite does not work (migration from freeradius 1.1.x to 3.0.x) Date: Mon, 12 Oct 2015 08:58:41 -0400 On Oct 12, 2015, at 6:09 AM, Bernd <bernd@kroenchenstadt.de<mailto:bernd@kroenchenstadt.de>> wrote:
we're about to move from a freeradius (freeradius-1.1.3-1.6.el5 on CentOS 5) to a HA freeradius (freeradius-3.0.4-6.el7.x86_64 on CentOS 7) environment.
We're almost there, however, I ran into an issue: I have to rewrite an "%" character to "@". My 'hints' file on the old installation did this perfectly well:
DEFAULT User-Name =~ "bla\-bla\/([^%]+)%kroenchenstadt.de" User-Name := "%{1}@kroenchenstadt.de<mailto:%{1}@kroenchenstadt.de>"
Don't use "hints" for that. Just put the configuration into the "authorize" section, in "unlang". if (User-Name =~ /bla\-bla\/([^%]+)%kroenchenstadt.de/) { update control { User-Name := "%{1}@kroenchenstadt.de<mailto:%{1}@kroenchenstadt.de>" } } Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Oct 13, 2015, at 7:56 AM, David Aldwinckle <daldwinc@uwaterloo.ca> wrote:
Hi List,
Based on a previous thread (hints file based rewrite does not work (migration from freeradius 1.1.x to 3.0.x) I've been considering the following...
In 2.x I used the "users" file to direct different types of NAS' to different virtual servers, based on some unique attribute. In 3.0.10, should I be doing this in default/authorize, as Alan instructed below?
The "users" file didn't move to the "authorize" section of the default virtual server, The users file moved to raddb/mods-config/files/authorize. And for various reasons, regular expressions don't work in that file. The file still exists, and can be used exactly the same as in v2... just without regular expressions. Alan DeKok.
Ah, I was asking if I *should* move the config, not stating that the file itself was moved. Reading the post again, I was unclear. Anyway, you've answered my question. Thanks Alan. Dave -----Original Message----- From: Alan DeKok <aland@deployingradius.com> Reply-to: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: "users" defaults move to authorize? Date: Tue, 13 Oct 2015 08:20:25 -0400 On Oct 13, 2015, at 7:56 AM, David Aldwinckle <daldwinc@uwaterloo.ca> wrote:
Hi List,
Based on a previous thread (hints file based rewrite does not work (migration from freeradius 1.1.x to 3.0.x) I've been considering the following...
In 2.x I used the "users" file to direct different types of NAS' to different virtual servers, based on some unique attribute. In 3.0.10, should I be doing this in default/authorize, as Alan instructed below?
The "users" file didn't move to the "authorize" section of the default virtual server, The users file moved to raddb/mods-config/files/authorize. And for various reasons, regular expressions don't work in that file. The file still exists, and can be used exactly the same as in v2... just without regular expressions. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan DeKok -
Bernd -
David Aldwinckle -
Herwin Weststrate