verifying "/" exists in User-Password field

Geoff Silver geoff+freeradius at
Mon Jul 24 22:29:32 CEST 2006

Phil Mayers wrote:
> Geoff Silver wrote:
> # Cisco NAS doing username/password authentication, proxied to another
> bob Huntgroup-Name=="Office", Hint==Port-1645,  Proxy-To-Realm:=UAS
>     Connect-Info="OFFICE_ACCESS"
> I take it these are PAP requests?


> If not, it can't be done.
> If so, this works for me:
> user User-Password=~".*/.*", Some-Stuff := whatever

Cool.  So is there an easy way to combine that with the dynamic hint I'm 
already creating, since I'm already applying a hint?  If I change my hint to:

DEFAULT         User-Name =~ "^(.*)$", User-Password =~ ".*/.*"
                 Hint = "Port-%{request:Packet-Dst-Port}"

Then connections which use Port-1812 also require a / in the password (which 
will never appear, because when doing SSL authentication, the password is 
always the username).  I tried to "chain" the hints, but that doesn't appear 
to work.  For instance,

DEFAULT         User-Name =~ "^(.*)$"
                 Hint = "Port-%{request:Packet-Dst-Port}"

DEFAULT         Hint = "Port-1645", User-Password =~ ".*/.*"
                 Hint = "HasSlash"

Appears to match the first hint, but not the second one (radius_xlat prints 
'Port-1645' when running radiusd in debug mode, but the users file tries to 
match Hint==Port-1645, not Hint==HasSlash - all of which I actually expected 
to happen).  I can kind of make it work by doing the following:

DEFAULT         User-Password =~ ".*/.*"
                 Hint = "HasSlash"

DEFAULT         User-Name =~ "^(.*)$"
                 Hint = "Port-%{request:Packet-Dst-Port}"

and then *assuming* if the password has a / it must have also come in on UDP 
port 1645 as well, and if not then let the second rule apply, but that answer 
feels very unclean to me.  All of this would be far easier if I could use the 
%{request:} macros on the LHS of a hint, of course.

Geoff Silver

More information about the Freeradius-Users mailing list