radius proxy scenario
piston
pistonic at yahoo.com
Mon Mar 9 17:46:14 CET 2009
Thanks Alan
With this:
if ("%{User-Name}" =~ /^ABC\//) {
    update request {
        Realm := 'another_realm'
    }
}
The regex is working now, but the other problem exists: the rewrite is not working properly.
The freeradius acct log shows that:
Tue Mar 10 00:30:54 2009
Packet-Type = Access-Request
User-Name = "ABC/userid at my_realm"
NAS-Port = 101
NAS-IP-Address = 192.168.168.7
Stripped-User-Name = "userid at my_realm"
Realm = "another_realm"
Debug log:
rad_recv: Access-Request packet from host 192.168.168.7 port 3185, id=126, length=65
User-Name = "ABC/userid at my_realm"
User-Password = "test"
NAS-Port = 101
+- entering group authorize {...}
[preprocess] hints: Matched DEFAULT at 79
++[preprocess] returns ok
++? if ("%{User-Name}" =~ /^ABC\//)
expand: %{User-Name} -> ABC/userid at my_realm
? Evaluating ("%{User-Name}" =~ /^ABC\//) -> TRUE
++? if ("%{User-Name}" =~ /^ABC\//) -> TRUE
++- entering if ("%{User-Name}" =~ /^ABC\//) {...}
+++[request] returns ok
++- if ("%{User-Name}" =~ /^ABC\//) returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.168.7/auth-detail-20090310
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.168.7/auth-detail-20090310
[auth_log] expand: %t -> Tue Mar 10 00:22:03 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ABC] No '/' in User-Name = "userid at my_realm", looking up realm NULL
[ABC] No such realm "NULL"
++[ABC] returns noop
If I modify it as:
if ("%{User-Name}" =~ /^ABC\//) {
    update request {
        User-Name := 'userid at another_realm'
    }
}
radacct log:
Tue Mar 10 00:38:39 2009
Packet-Type = Access-Request
User-Name = "userid at another_realm"
NAS-Port = 101
NAS-IP-Address = 192.168.168.7
Debug log:
rad_recv: Access-Request packet from host 192.168.168.7 port 3226, id=134, length=65
User-Name = "ABC/userid at my_realm"
User-Password = "test"
NAS-Port = 101
+- entering group authorize {...}
++[preprocess] returns ok
++? if ("%{User-Name}" =~ /^ABC\//)
expand: %{User-Name} -> ABC/userid at my_realm
? Evaluating ("%{User-Name}" =~ /^ABC\//) -> TRUE
++? if ("%{User-Name}" =~ /^ABC\//) -> TRUE
++- entering if ("%{User-Name}" =~ /^ABC\//) {...}
+++[request] returns ok
++- if ("%{User-Name}" =~ /^ABC\//) returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.168.7/auth-detail-20090310
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.168.7/auth-detail-20090310
[auth_log] expand: %t -> Tue Mar 10 00:38:39 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ABC] No '/' in User-Name = "userid at another_realm", looking up realm NULL
[ABC] No such realm "NULL"
++[ABC] returns noop
[suffix] Looking up realm "another_realm" for User-Name = "userid at another_realm"
[suffix] Found realm "another_realm"
[suffix] Adding Stripped-User-Name = "userid"
[suffix] Adding Realm = "another_realm"
[suffix] Proxying request from user userid to realm another_realm
[suffix] Preparing to proxy authentication request to realm "another_realm"
Question is, how to update the user-name accordingly?
Thanks
Piston
----- Original Message ----
From: "A.L.M.Buxey at lboro.ac.uk" <A.L.M.Buxey at lboro.ac.uk>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Monday, March 9, 2009 8:38:25 PM
Subject: Re: radius proxy scenario
Hi,
> if ("%{User-Name}" =~ /"^ABC\/"/ ) {
if ("%{User-Name}" =~ /^ABC\// ) {
read a few online regex resources.
> ++? if ("%{User-Name}" =~ /"^ABC\/"/)
> expand: %{User-Name} -> ABC/userid at my_realm
> ? Evaluating ("%{User-Name}" =~ /"^ABC\/"/) -> FALSE
> ++? if ("%{User-Name}" =~ /"^ABC\/"/) -> FALSE
this clearly states that the regex didn't match. you should scratch your head, ponder
why, then check your regex. there are some current quirks and bugs in 2.1.3 with
regex - but this sort of form works in 2.1.3 okay (I have several running)
your summary is right though - logically it's all okay in your head - you look
for stuff beginning with ABC and then rewrite that logically (not for real!)
in the engine to be @another_realm which the realm module then handles.
alan
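
An added example, not part of the original thread or of the FreeRADIUS project's shipped configuration: one way to make the rewrite follow the incoming name instead of a fixed string. It assumes unlang sets `%{1}` to the first capture group of the preceding regex match and expands double-quoted strings; the `ABC/` prefix and `another_realm` are the thread's own values, written here with a literal `@` where the archive shows " at ", and the other modules from the debug log are omitted.

```unlang
# Added example (not from the thread). Assumes unlang sets %{1} to the
# first capture group of the most recent regex match, and that
# double-quoted strings are expanded while single-quoted ones are not.
authorize {
    preprocess

    # ABC/<user>@<any_realm>  ->  <user>@another_realm
    # ^ and $ anchor the whole value, so only names that start with the
    # ABC/ prefix and contain exactly one @ are rewritten.
    if ("%{User-Name}" =~ /^ABC\/([^@]+)@[^@]+$/) {
        update request {
            User-Name := "%{1}@another_realm"
        }
    }
    # ABC/<user> with no realm part  ->  <user>@another_realm
    elsif ("%{User-Name}" =~ /^ABC\/([^@]+)$/) {
        update request {
            User-Name := "%{1}@another_realm"
        }
    }

    # The suffix realm module then sees <user>@another_realm and proxies,
    # as in the second debug log above.
    suffix
}
```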