verifying "/" exists in User-Password field
Geoff Silver
geoff+freeradius at uslinux.net
Mon Jul 24 22:29:32 CEST 2006
Phil Mayers wrote:
> Geoff Silver wrote:
>
> # Cisco NAS doing username/password authentication, proxied to another
> bob Huntgroup-Name=="Office", Hint==Port-1645, Proxy-To-Realm:=UAS
> Connect-Info="OFFICE_ACCESS"
>
> I take it these are PAP requests?
Yep
> If not, it can't be done.
>
> If so, this works for me:
>
> user User-Password=~".*/.*", Some-Stuff := whatever
Cool. So is there an easy way to combine that with the dynamic hint I'm
already creating, since I'm already applying a hint? If I change my hint to:
DEFAULT User-Name =~ "^(.*)$", User-Password =~ ".*/.*"
        Hint = "Port-%{request:Packet-Dst-Port}"
Then connections which use Port-1812 also require a / in the password (which
will never appear, because when doing SSL authentication, the password is
always the username). I tried to "chain" the hints, but that doesn't appear
to work. For instance,
DEFAULT User-Name =~ "^(.*)$"
        Hint = "Port-%{request:Packet-Dst-Port}"
DEFAULT Hint = "Port-1645", User-Password =~ ".*/.*"
        Hint = "HasSlash"
Appears to match the first hint, but not the second one (radius_xlat prints
'Port-1645' when running radiusd in debug mode, but the users file tries to
match Hint==Port-1645, not Hint==HasSlash - all of which I actually expected
to happen). I can kind of make it work by doing the following:
DEFAULT User-Password =~ ".*/.*"
        Hint = "HasSlash"
DEFAULT User-Name =~ "^(.*)$"
        Hint = "Port-%{request:Packet-Dst-Port}"
and then *assuming* if the password has a / it must have also come in on UDP
port 1645 as well, and if not then let the second rule apply, but that answer
feels very unclean to me. All of this would be far easier if I could use the
%{request:} macros on the LHS of a hint, of course.
--
Geoff Silver
http://www.bullrunmountain.org/
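The thread hinges on one fact: a hint such as User-Password =~ ".*/.*" can only match a PAP request, because only PAP carries a password the server can recover (after undoing the RFC 2865 User-Password hiding with the shared secret and Request Authenticator); CHAP and EAP requests carry a response, not the password. The block below is an added example, not code from the thread or from the FreeRADIUS project. It builds two constructed Access-Requests (a PAP one with a "/" in the password and a CHAP one), recovers the PAP cleartext exactly as a RADIUS server must before such a regex can be evaluated, and reports what the two hints discussed above could see. The shared secret, authenticator, attribute values and the classify() helper are all assumptions made for the example; the UDP destination port (what %{request:Packet-Dst-Port} refers to) is not in the RADIUS payload, so it is passed in as a parameter.

```python
"""Added example (not from the thread or FreeRADIUS): recover a PAP
User-Password from a RADIUS Access-Request and test it for a "/", the
check that the hint `User-Password =~ ".*/.*"` performs."""
import hashlib
import re
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_CHAP_PASSWORD = 3

# Same regex as the hint in the thread (applied to the recovered cleartext).
SLASH_RE = re.compile(rb".*/.*")


def _pad16(data: bytes) -> bytes:
    """Pad to a multiple of 16 bytes, at least one block (RFC 2865 5.2)."""
    pad = 16 if not data else (-len(data)) % 16
    return data + b"\x00" * pad


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); block 1 uses the Request
    Authenticator. This is obfuscation keyed by the shared secret, not
    strong encryption."""
    padded = _pad16(password)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def pap_decrypt(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt. Trailing NUL padding is stripped, so a
    password that itself ends in NUL bytes cannot be distinguished."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, authenticator: bytes, attrs) -> bytes:
    """Serialise an Access-Request; attrs is a list of (type, value) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body


def parse_attributes(packet: bytes):
    """Return (code, authenticator, [(type, value), ...]) from a packet."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos + 2 <= length:
        t, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, packet[pos + 2:pos + alen]))
        pos += alen
    return code, packet[4:20], attrs


def classify(packet: bytes, secret: bytes, dst_port: int):
    """Assumed helper: returns (auth type, password-has-slash, port hint).
    Only PAP exposes the cleartext, so for CHAP the slash test is None:
    nothing the hints file could match on exists in the request."""
    code, authenticator, attrs = parse_attributes(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    by_type = dict(attrs)
    port_hint = "Port-%d" % dst_port  # what Hint = "Port-%{request:Packet-Dst-Port}" yields
    if ATTR_USER_PASSWORD in by_type:
        cleartext = pap_decrypt(by_type[ATTR_USER_PASSWORD], secret, authenticator)
        return "pap", bool(SLASH_RE.match(cleartext)), port_hint
    if ATTR_CHAP_PASSWORD in by_type:
        return "chap", None, port_hint
    return "other", None, port_hint


# Constructed sample data for the example (not captured traffic).
SECRET = b"testing123"
AUTHENTICATOR = bytes(range(16))  # a real NAS sends 16 random bytes
PAP_REQUEST = build_access_request(1, AUTHENTICATOR, [
    (ATTR_USER_NAME, b"bob"),
    (ATTR_USER_PASSWORD, pap_encrypt(b"office/secret", SECRET, AUTHENTICATOR)),
])
CHAP_REQUEST = build_access_request(2, AUTHENTICATOR, [
    (ATTR_USER_NAME, b"bob"),
    (ATTR_CHAP_PASSWORD, b"\x01" + b"\x00" * 16),  # CHAP ident + 16-byte response
])

if __name__ == "__main__":
    print(classify(PAP_REQUEST, SECRET, 1645))   # PAP on 1645: slash visible
    print(classify(CHAP_REQUEST, SECRET, 1812))  # CHAP on 1812: nothing to match
```

The practical caveats this makes visible: the regex is evaluated against the recovered cleartext, so it is only as good as the shared secret the server holds for that client, and for anything other than PAP the attribute the hint tests is simply absent, which is why the port-based hint has to stay as the fallback for the 1812 (EAP/TLS) clients.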