regular expressions in proxy.conf
Ana Gallardo
ana.gallardo.77 at gmail.com
Fri Oct 30 12:09:18 CET 2009
Hello, I'm using Debian and Freeradius 2.0.4-3.
I want to use a regular expression in the proxy.conf file to match any request
that contains the word "domain" in the realm (suffix mode).
### /etc/freeradius/proxy.conf
realm "~(domain)+" {
    # authhost = LOCAL # not strictly necessary
    # accthost = LOCAL # not strictly necessary
}
Then, in the authorize section I have:
### /etc/freeradius/sites-available/default
authorize {
    preprocess
    mschap
    suffix
    eap {
        ok = return
    }
    if ("%{Realm}" =~ /(temp\.)?domain\.es$/){
        update control {
            Intentos-Reject = ...
        }
    }
    files
    switch "%{Realm}" {
        case "temp.domain.es" {
            sql
        }
        case "domain.es" {
            redundant {
                ldap2
                ldap1
                ldap3
            }
        }
        case {
            update control {
                Auth-Type := Reject
            }
        }
    }
    expiration
    pap
}
And, in the users file:
### /etc/freeradius/proxy.conf
DEFAULT Intentos-Reject > 10, Auth-Type := Reject
        Reply-Message = "NUMERO DE INTENTOS FALLIDOS(%{Intentos-Reject}) EXCEDIDO PARA %{%{Stripped-User-Name}:-%{User-Name}}"
My problem is: the Realm that Freeradius adds to the request is the regular
expression... Here is my debug information:
rad_recv: Access-Request packet from host 127.0.0.1 port 60112, id=208, length=68
User-Name = "XXX@domain.es"
User-Password = "YYY"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
rlm_realm: Looking up realm "domain.es" for User-Name = "XXX@domain.es"
rlm_realm: Found realm "~(domain)+"
rlm_realm: Adding Stripped-User-Name = "XXX"
rlm_realm: Adding Realm = "~(domain)+"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++? if ("%{Realm}" =~ /(temp\.)?domain\.es$/)
expand: %{Realm} -> ~(domain)+
? Evaluating ("%{Realm}" =~ /(temp\.)?domain\.es$/) -> FALSE
++? if ("%{Realm}" =~ /(temp\.)?domain\.es$/) -> FALSE
++[files] returns noop
expand: %{Realm} -> ~(domain)+
++- entering switch %{Realm}
+++- entering case
++++[control] returns noop
+++- case returns noop
++- switch %{Realm} returns noop
I can resolve this by adding this to proxy.conf:
### /etc/freeradius/proxy.conf
realm "domain.es" {
    authhost = LOCAL # not strictly necessary
    accthost = LOCAL # not strictly necessary
}
realm "temp.domain.es" {
    authhost = LOCAL # not strictly necessary
    accthost = LOCAL # not strictly necessary
}
realm "~(domain)+" {
    authhost = LOCAL # not strictly necessary
    accthost = LOCAL # not strictly necessary
}
But I don't know if that is the best way to resolve my problem, so I would
like to reinforce my decision.
Thanks in advance and sorry for my English.
--
____________________
Ana Gallardo Gómez
____________________
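
Added example (not part of the original post, and not FreeRADIUS code): a simplified Python model of the realm lookup and of the switch on %{Realm} from the post, showing why Realm ends up holding the regex text and that the unanchored "~(domain)+" also matches unrelated realms. It assumes exact realm names are tried before regex realms, as the workaround in the post suggests; find_realm, authorize and the sample user names are hypothetical.

```python
import re

# Realm lists as configured in the post (names only).
REGEX_ONLY = ["~(domain)+"]
WITH_EXACT = ["domain.es", "temp.domain.es", "~(domain)+"]


def find_realm(suffix, realms):
    """Return the *configured* realm name, which is what lands in Realm.

    Assumption of this model: exact names win, then regex realms
    (entries starting with "~") are tried as unanchored searches.
    """
    if suffix in realms:
        return suffix
    for conf in realms:
        if conf.startswith("~") and re.search(conf[1:], suffix):
            return conf  # the regex text itself, not the matched suffix
    return None


def authorize(user_name, realms):
    """Model of 'suffix' followed by the switch "%{Realm}" in the post."""
    _user, sep, suffix = user_name.rpartition("@")
    realm = find_realm(suffix, realms) if sep else None
    if realm == "temp.domain.es":
        return realm, "sql"
    if realm == "domain.es":
        return realm, "ldap"
    return realm, "reject"  # default case: Auth-Type := Reject


if __name__ == "__main__":
    # Constructed sample user names.
    for realms in (REGEX_ONLY, WITH_EXACT):
        for name in ("XXX@domain.es", "XXX@temp.domain.es",
                     "XXX@otherdomain.example", "XXX@example.org"):
            print(realms, name, authorize(name, realms))
```

In this model the regex realm still claims "otherdomain.example", and it is only the default case of the switch that rejects it.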