radius proxy scenario

piston pistonic at yahoo.com
Mon Mar 9 17:46:14 CET 2009


Thanks Alan

With this:

if ("%{User-Name}" =~ /^ABC\//) {
        update request {
                Realm := 'another_realm'
        }
}

The regex is working now, but the other problem exists: the rewrite is not working properly.

The freeradius acct log shows:

Tue Mar 10 00:30:54 2009
        Packet-Type = Access-Request
        User-Name = "ABC/userid at my_realm"
        NAS-Port = 101
        NAS-IP-Address = 192.168.168.7
        Stripped-User-Name = "userid at my_realm"
        Realm = "another_realm"

Debug log:

rad_recv: Access-Request packet from host 192.168.168.7 port 3185, id=126, length=65
        User-Name = "ABC/userid at my_realm"
        User-Password = "test"
        NAS-Port = 101
+- entering group authorize {...}
[preprocess]   hints: Matched DEFAULT at 79
++[preprocess] returns ok
++? if ("%{User-Name}" =~ /^ABC\//)
        expand: %{User-Name} -> ABC/userid at my_realm
? Evaluating ("%{User-Name}" =~ /^ABC\//) -> TRUE
++? if ("%{User-Name}" =~ /^ABC\//) -> TRUE
++- entering if ("%{User-Name}" =~ /^ABC\//) {...}
+++[request] returns ok
++- if ("%{User-Name}" =~ /^ABC\//) returns ok
[auth_log]      expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.168.7/auth-detail-20090310
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.168.7/auth-detail-20090310
[auth_log]      expand: %t -> Tue Mar 10 00:22:03 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ABC] No '/' in User-Name = "userid at my_realm", looking up realm NULL
[ABC] No such realm "NULL"
++[ABC] returns noop


If I modify it as:

if ("%{User-Name}" =~ /^ABC\//) {
        update request {
                User-Name := 'userid at another_realm'
        }
}

radacct log:

Tue Mar 10 00:38:39 2009
        Packet-Type = Access-Request
        User-Name = "userid at another_realm"
        NAS-Port = 101
        NAS-IP-Address = 192.168.168.7


Debug log:

rad_recv: Access-Request packet from host 192.168.168.7 port 3226, id=134, length=65
        User-Name = "ABC/userid at my_realm"
        User-Password = "test"
        NAS-Port = 101
+- entering group authorize {...}
++[preprocess] returns ok
++? if ("%{User-Name}" =~ /^ABC\//)
        expand: %{User-Name} -> ABC/userid at my_realm
? Evaluating ("%{User-Name}" =~ /^ABC\//) -> TRUE
++? if ("%{User-Name}" =~ /^ABC\//) -> TRUE
++- entering if ("%{User-Name}" =~ /^ABC\//) {...}
+++[request] returns ok
++- if ("%{User-Name}" =~ /^ABC\//) returns ok
[auth_log]      expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.168.7/auth-detail-20090310
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.168.7/auth-detail-20090310
[auth_log]      expand: %t -> Tue Mar 10 00:38:39 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ABC] No '/' in User-Name = "userid at another_realm", looking up realm NULL
[ABC] No such realm "NULL"
++[ABC] returns noop
[suffix] Looking up realm "another_realm" for User-Name = "userid at another_realm"
[suffix] Found realm "another_realm"
[suffix] Adding Stripped-User-Name = "userid"
[suffix] Adding Realm = "another_realm"
[suffix] Proxying request from user userid to realm another_realm
[suffix] Preparing to proxy authentication request to realm "another_realm"

Question is, how to update the user-name accordingly?

Thanks

Piston



----- Original Message ----
From: "A.L.M.Buxey at lboro.ac.uk" <A.L.M.Buxey at lboro.ac.uk>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Monday, March 9, 2009 8:38:25 PM
Subject: Re: radius proxy scenario

Hi,

> if ("%{User-Name}" =~ /"^ABC\/"/ ) {

if ("%{User-Name}" =~ /^ABC\// ) {


read a few online regex resources.


> ++? if ("%{User-Name}" =~ /"^ABC\/"/)
>         expand: %{User-Name} -> ABC/userid at my_realm
> ? Evaluating ("%{User-Name}" =~ /"^ABC\/"/) -> FALSE
> ++? if ("%{User-Name}" =~ /"^ABC\/"/) -> FALSE

this clearly states that the regex didn't match. you should scratch your head, ponder
why, then check your regex.  there are some current quirks and bugs in 2.1.3 with
regex - but this sort of form works in 2.1.3 okay (I have several running)

your summary is right though - logically it's all okay in your head - you look
for stuff beginning with ABC and then rewrite that logically (not for real!)
in the engine to be @another_realm which the realm module then handles.

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
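
Added example (not part of the original thread or of FreeRADIUS's shipped configuration): one way to carry the user part across the rewrite described above, using a regex capture group instead of a literal string. It assumes the archive's " at " stands for "@", that `suffix` is the realm instance that handles `another_realm` as in the debug log, and that `%{1}` capture expansion works in the server version in use.

```unlang
authorize {
	preprocess

	# Anchored match on the "ABC/" prefix. The group captures the user
	# part up to, but not including, the "@" that starts the original realm.
	if ("%{User-Name}" =~ /^ABC\/([^@]+)@/) {
		update request {
			# Double quotes so that %{1} (the first capture group) is
			# expanded; a single-quoted string is taken literally.
			# Only the user part comes from the client; the realm is a
			# fixed value chosen here, not something the user supplies.
			User-Name := "%{1}@another_realm"
		}
	}

	# The realm instance has to run after the rewrite so that it sees
	# the new User-Name and selects "another_realm" for proxying.
	suffix
}
```

Setting `Realm` alone, as in the first attempt, only adds an attribute to the request; in the debug output it is the `suffix` lookup on the rewritten User-Name that triggers proxying.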



      



More information about the Freeradius-Users mailing list