Question regarding multivalued attributes in control list.

Olivier Beytrison olivier at heliosnet.org
Fri Sep 2 16:25:01 CEST 2011


Thanks Arran for those answers,

> No your check will not iterate over every instance of a value.
> 
> In order to do that you'll need to use FreeRADIUS 3.x and use the foreach unlang construct or perl.

hmm, FreeRADIUS 3.x? Is it suitable for a production environment? Or
I'll simply fall back to rlm_perl. But not on a Friday evening, it will
wait till Monday!

> Plus the way you're doing policies is weird. Why don't you just use the policy module (policy.conf)? It'd be way more memory efficient if you're using the same policy multiple times, and you gain the ability to overload module calls...

You're right, I'll move this in the policy file, didn't think about it.

Regards,
Olivier B.

> -Arran
> 
> On 2 Sep 2011, at 15:47, Olivier Beytrison wrote:
> 
>> Hello,
>>
>> I'm trying since two week to do some multi-valued attribute checking on
>> my radius infrastructure.
>>
>> I've been looking to checkval, using the "users" file and such but with
>> no luck.
>>
>> I'm running two FR 2.1.10 on ubuntu for the eduroam project. The local
>> authentication is made against an Novell eDirectory ldap server.
>>
>> I'm fetching a multi-valued attribute from the ldap into the control
>> list, and based on its content, I set the correct
>> Airespace-Interface-Name value.
>>
>> At the beginning I was using unlang to match the value, and it works
>> perfectly since 90% of the people only have one attribute. But some
>> people have multiple attributes.
>>
>> So far, that's what I've been using :
>>
>> In virtual server, at the end of authorize {}
>>
>>          if (NAS-IP-Address =~ /160\.98\.156\..*/) {
>>                  $INCLUDE ${confdir}/secure-hefr.policy
>>
>>          }
>>
>> secure-hefr.policy content :
>>
>>
>> if ( control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) {
>>        update reply {
>>                Airespace-Interface-Name := "wifi_eia-etu"
>>        }
>> }
>> elsif ( control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) {
>>        update reply {
>>                Airespace-Interface-Name := "wifi_eia-col"
>>        }
>> }
>> elsif {
>> }
>> [ ... ]
>>
>> Some debug from a user who is multi-valued :
>>
>> server eduroam-inner-tunnel-peap {
>> # Executing section authorize from file
>> /etc/freeradius/sites-enabled/eduroam-inner-tunnel-peap
>> +- entering group authorize {...}
>> ++[mschap] returns noop
>> [suffix] Looking up realm "hefr.ch" for User-Name = "didier.perroud at hefr.ch"
>> [suffix] Found realm "hefr.ch"
>> [suffix] Adding Realm = "hefr.ch"
>> [suffix] Authentication realm is LOCAL.
>> ++[suffix] returns ok
>> ++[control] returns ok
>> [eap] EAP packet type response id 11 length 6
>> [eap] No EAP Start, assuming it's an on-going EAP conversation
>> ++[eap] returns updated
>> [auth_log]      expand:
>> /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
>> /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
>> [auth_log]
>> /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>> expands to /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
>> [auth_log]      expand: %t -> Fri Sep  2 15:45:08 2011
>> ++[auth_log] returns ok
>> [linelog]       expand: %{Packet-Type} -> Access-Request
>> [linelog]       expand: %{%{Packet-Type}:-format} -> Access-Request
>> [linelog]       expand: /var/log/freeradius/linelog ->
>> /var/log/freeradius/linelog
>> [linelog]       expand: Requested access: %{User-Name} -> Requested
>> access: didier.perroud at hefr.ch
>> ++[linelog] returns ok
>> ++? if (User-Name =~ /(.*)@.*hefr.ch$/)
>> ? Evaluating (User-Name =~ /(.*)@.*hefr.ch$/) -> TRUE
>> ++? if (User-Name =~ /(.*)@.*hefr.ch$/) -> TRUE
>> ++- entering if (User-Name =~ /(.*)@.*hefr.ch$/) {...}
>>        expand: %{1} -> didier.perroud
>> +++[request] returns ok
>> ++- if (User-Name =~ /(.*)@.*hefr.ch$/) returns ok
>> ++[files] returns noop
>> [ldap] performing user authorization for didier.perroud
>> [ldap]  expand: (uid=%{Stripped-User-Name}) -> (uid=didier.perroud)
>> [ldap]  expand: ou=courant,ou=people,o=hefr -> ou=courant,ou=people,o=hefr
>>  [ldap] ldap_get_conn: Checking Id: 0
>>  [ldap] ldap_get_conn: Got Id: 0
>>  [ldap] performing search in ou=courant,ou=people,o=hefr, with filter
>> (uid=didier.perroud)
>> [ldap] Added the eDirectory password ******* in check items as
>> Cleartext-Password
>> [ldap] No default NMAS login sequence
>> [ldap] looking for check items in directory...
>>  [ldap] hessoRoleMemberKey -> HESSO-MEMBER-KEY ==
>> "RORG-HEFR-EIFR-TICO-TLCO-$-RSM"
>>  [ldap] hessoRoleMemberKey -> HESSO-MEMBER-KEY == "RORG-MASO-$-RCA"
>>  [ldap] hessoRoleMemberKey -> HESSO-MEMBER-KEY ==
>> "RACA-TICO-MSEI-MTIC-$-RCA"
>> [ldap] looking for reply items in directory...
>>  [ldap] hessoRoleMemberKey -> Class =
>> 0x524f52472d484546522d454946522d5449434f2d544c434f2d242d52534d
>>  [ldap] hessoRoleMemberKey -> Class = 0x524f52472d4d41534f2d242d524341
>>  [ldap] hessoRoleMemberKey -> Class =
>> 0x524143412d5449434f2d4d5345492d4d5449432d242d524341
>> [ldap] user didier.perroud authorized to use remote access
>>  [ldap] ldap_release_conn: Release Id: 0
>> ++[ldap] returns ok
>> [pap] WARNING: Auth-Type already set.  Not setting to PAP
>> ++[pap] returns noop
>> ++? if (NAS-IP-Address =~ /160\.98\.156\..*/)
>> ? Evaluating (NAS-IP-Address =~ /160\.98\.156\..*/) -> TRUE
>> ++? if (NAS-IP-Address =~ /160\.98\.156\..*/) -> TRUE
>> ++- entering if (NAS-IP-Address =~ /160\.98\.156\..*/) {...}
>> +++? if (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/ )
>> ? Evaluating (control:HESSO-MEMBER-KEY =~
>> /RORG-HEFR-EIFR-INTR-INFO-.-RSM/) -> FALSE
>> +++? if (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/ )
>> -> FALSE
>> +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ )
>> ? Evaluating (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/) -> FALSE
>> +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) -> FALSE
>> +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ )
>> ? Evaluating (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/) -> TRUE
>> +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) -> TRUE
>> +++- entering elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/
>> ) {...}
>>
>> We can see that it didn't match control:HESSO-MEMBER-KEY =~
>> /RORG-MASO.*RCA$/ while it has the correct value in the control list.
>>
>> How can I match this multi-valued attribute ?
>>
>> Regards,
>> Olivier B.
>>
>> -- 
>>
>> Olivier Beytrison
>> Network & Security Engineer, HES-SO Fribourg
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
> 
> Arran Cudbard-Bell
> a.cudbardb at freeradius.org
> 
> RADIUS - Half the complexity of Diameter
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
> 

-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
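As an added illustration of the fix Arran points at (not code from this thread or from the FreeRADIUS project), here is what the regex chain looks like rewritten as a FreeRADIUS 3.x policy with the `foreach` construct, so that every instance of the multi-valued control attribute is tested rather than only the first one. The attribute names and regexes are the ones from the debug output above; the policy name `secure_hefr` and the default interface name `wifi_default` are assumptions.

```unlang
# Added example, not from the thread: FreeRADIUS 3.x policy (policy.d/)
# that walks every instance of the multi-valued control attribute.
# Policy name and the "wifi_default" interface are assumed values.
secure_hefr {
	foreach &control:HESSO-MEMBER-KEY {
		# Foreach-Variable-0 holds the value of the current iteration
		if (&Foreach-Variable-0 =~ /RORG-MASO.*RCA$/) {
			update reply {
				&Airespace-Interface-Name := "wifi_eia-etu"
			}
			break
		}
		elsif (&Foreach-Variable-0 =~ /RORG-HEFR-EIFR.*RSM$/) {
			update reply {
				&Airespace-Interface-Name := "wifi_eia-col"
			}
			break
		}
	}

	# Fail closed: a user whose roles match no rule still gets a known
	# interface instead of whatever the controller would fall back to.
	if (!&reply:Airespace-Interface-Name) {
		update reply {
			&Airespace-Interface-Name := "wifi_default"
		}
	}
}
```

The policy is then called from the virtual server with `if (&NAS-IP-Address =~ /^160\.98\.156\./) { secure_hefr }` instead of the `$INCLUDE`. One behavioural difference worth checking against the debug output: the original `elsif` chain gives precedence to the rule order, whereas the loop stops at the first attribute value (in the order the ldap module added them) that matches any rule. For the user in the debug, the first value is the `...-RSM` one, so he would land on `wifi_eia-col`; if the `RORG-MASO` role must win whenever it is present, test that regex in its own `foreach` before the others.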


