Using the class attribute

Stefan A. a.freeradius at premit.de
Fri Aug 1 13:51:56 CEST 2008 

Thank you, Phil,


> 
> >But the class will be expanded to something like %{Class} ->
> >0x44444631323334...., which does not match ^DDF.*
> 
> The Class attribute is defined in the RFCs and the dictionary 
> files as 
> type "octets", which are coerced to their 0xaabbcc 
> representation before 
> string operations (e.g. regexp, database insert) are performed.
> 
> If you're sure you'll only have ascii, you can edit 
> dictionary.rfc2865 
> and change the type of Class from "octets" to "string"
> >

I was thinking about this, but found, that it is more complex in
troubleshooting situations, where I'd be able to distinguish the classes if
I'm using octets.

> >
> >A second Issue:
> >
> >The proxy server beween me and the NAS will request a second 
> radius server
> >in case I have previously accepted the Request.
> 
> ? The request will be authenticated twice?

Yes, Twice.
In the first step at a Billing System and if this accepts, the request will
be send to a customer RADIUS Server.


> 
> >If this second server Accepts the call and adds a class to the accept
> >packet, than it comes to the situation, that I will see the 
> two classes
> 
> Is that permitted under the RFCs?

I Don't see any reason, why not.
Each of the servers has the 'right' to append classes to the accept and the
client must put the classes into the accounting packets.
As the clients are not allowed to interprete (or filter) the classes (and
even Proxy servers aren't) I will be hit by all classes, sent to the client
in all accepts.


> 
> >hitting my accounting server. Beside the proxy-state, the order of
> >attributes is not guaranteed...
> >Will 
> >	DEFAULT	Acct-Status-Type =~".*", Class =~"^DDF:(.*)"
> >Match my class, or will it see the first class in the packet 
> and will then
> >not macht?
> >How can I match for multiple instances of a single attribute?
> 
> It should match; IIRC the regexp will try all all instances of an 
> attribute and stop on first match.
> 

It does not.

I've checked it using hints file:

DEFAULT	Acct-Status-Type =~".*"
	Class += "0x313131",
	Class += "0x323232",
	Fall-Through = Yes

DEFAULT Class =~"^0x313131"
	Fall-Through = Yes

Will Match on line 8



DEFAULT	Acct-Status-Type =~".*"
	Class += "0x323232",
	Class += "0x313131",
	Fall-Through = Yes

DEFAULT Class =~"^0x313131"
	Fall-Through = Yes

Does not match



> >
> >Wold an entry in attr file help... Like this one?:
> >
> >DEFAULT
> >	...
> >	Class =~"^0x444446.*"
> >
> >
> >Thank you.

More information about the Freeradius-Users mailing list