Question regarding multivalued attributes in control list.
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Fri Sep 2 16:41:31 CEST 2011
On 2 Sep 2011, at 16:25, Olivier Beytrison wrote:
> Thanks Arran for those answers,
>
>> No your check will not iterate over every instance of a value.
>>
>> In order to do that you'll need to use FreeRADIUS 3.x and use the foreach unlang construct or perl.
>
> hmm, FreeRADIUS 3.x? Is it suitable for a production environment? Or
> I'll simply fall back to rlm_perl. But not on a Friday evening, it will
> wait till Monday!
Tentative yes :)
It'll only get truly production ready if people test it and report the bugs. But yes, it's good enough to build configs on, and good enough to test.
If you do a git-clone then you can establish basic version control with something like:
#!/bin/bash
# Stop at the first failing step, so a broken build never gets the symlink
set -e
cd /usr/local/src/freeradius
git pull
# Only clean if a previous build left a Makefile behind (first run has none)
test -f Makefile && make clean
# Short hash of the checked-out commit, used to name this build's prefix
hash=$(git log -n 1 --pretty=format:%h)
./configure --prefix="/usr/local/freeradius-$hash" --enable-developer
make
make install
# Repoint the /usr/local/freeradius symlink at the freshly installed build
rm -f /usr/local/freeradius
ln -s "/usr/local/freeradius-$hash" /usr/local/freeradius
Once you find a commit that does all you want, stick with it until there's an official 3.x release and then upgrade. For certain fixes you'll be able to use git cherry-pick to pull in individual commits.
-Arran
>
>
>> -Arran
>>
>> On 2 Sep 2011, at 15:47, Olivier Beytrison wrote:
>>
>>> Hello,
>>>
>>> I've been trying for two weeks to do some multi-valued attribute checking on
>>> my radius infrastructure.
>>>
>>> I've been looking to checkval, using the "users" file and such but with
>>> no luck.
>>>
>>> I'm running two FR 2.1.10 on Ubuntu for the eduroam project. The local
>>> authentication is made against a Novell eDirectory LDAP server.
>>>
>>> I'm fetching a multi-valued attribute from the ldap into the control
>>> list, and based on its content, I set the correct
>>> Airespace-Interface-Name value.
>>>
>>> At the beginning I was using unlang to match the value, and it works
>>> perfectly since 90% of the people only have one attribute. But some
>>> people have multiple attributes.
>>>
>>> So far, that's what I've been using:
>>>
>>> In virtual server, at the end of authorize {}
>>>
>>> if (NAS-IP-Address =~ /160\.98\.156\..*/) {
>>> $INCLUDE ${confdir}/secure-hefr.policy
>>>
>>> }
>>>
>>> secure-hefr.policy content :
>>>
>>>
>>> if ( control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) {
>>> update reply {
>>> Airespace-Interface-Name := "wifi_eia-etu"
>>> }
>>> }
>>> elsif ( control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) {
>>> update reply {
>>> Airespace-Interface-Name := "wifi_eia-col"
>>> }
>>> }
>>> elsif {
>>> }
>>> [ ... ]
>>>
>>> Some debug from a user who is multi-valued :
>>>
>>> server eduroam-inner-tunnel-peap {
>>> # Executing section authorize from file
>>> /etc/freeradius/sites-enabled/eduroam-inner-tunnel-peap
>>> +- entering group authorize {...}
>>> ++[mschap] returns noop
>>> [suffix] Looking up realm "hefr.ch" for User-Name = "didier.perroud at hefr.ch"
>>> [suffix] Found realm "hefr.ch"
>>> [suffix] Adding Realm = "hefr.ch"
>>> [suffix] Authentication realm is LOCAL.
>>> ++[suffix] returns ok
>>> ++[control] returns ok
>>> [eap] EAP packet type response id 11 length 6
>>> [eap] No EAP Start, assuming it's an on-going EAP conversation
>>> ++[eap] returns updated
>>> [auth_log] expand:
>>> /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
>>> /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
>>> [auth_log]
>>> /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>>> expands to /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
>>> [auth_log] expand: %t -> Fri Sep 2 15:45:08 2011
>>> ++[auth_log] returns ok
>>> [linelog] expand: %{Packet-Type} -> Access-Request
>>> [linelog] expand: %{%{Packet-Type}:-format} -> Access-Request
>>> [linelog] expand: /var/log/freeradius/linelog ->
>>> /var/log/freeradius/linelog
>>> [linelog] expand: Requested access: %{User-Name} -> Requested
>>> access: didier.perroud at hefr.ch
>>> ++[linelog] returns ok
>>> ++? if (User-Name =~ /(.*)@.*hefr.ch$/)
>>> ? Evaluating (User-Name =~ /(.*)@.*hefr.ch$/) -> TRUE
>>> ++? if (User-Name =~ /(.*)@.*hefr.ch$/) -> TRUE
>>> ++- entering if (User-Name =~ /(.*)@.*hefr.ch$/) {...}
>>> expand: %{1} -> didier.perroud
>>> +++[request] returns ok
>>> ++- if (User-Name =~ /(.*)@.*hefr.ch$/) returns ok
>>> ++[files] returns noop
>>> [ldap] performing user authorization for didier.perroud
>>> [ldap] expand: (uid=%{Stripped-User-Name}) -> (uid=didier.perroud)
>>> [ldap] expand: ou=courant,ou=people,o=hefr -> ou=courant,ou=people,o=hefr
>>> [ldap] ldap_get_conn: Checking Id: 0
>>> [ldap] ldap_get_conn: Got Id: 0
>>> [ldap] performing search in ou=courant,ou=people,o=hefr, with filter
>>> (uid=didier.perroud)
>>> [ldap] Added the eDirectory password ******* in check items as
>>> Cleartext-Password
>>> [ldap] No default NMAS login sequence
>>> [ldap] looking for check items in directory...
>>> [ldap] hessoRoleMemberKey -> HESSO-MEMBER-KEY ==
>>> "RORG-HEFR-EIFR-TICO-TLCO-$-RSM"
>>> [ldap] hessoRoleMemberKey -> HESSO-MEMBER-KEY == "RORG-MASO-$-RCA"
>>> [ldap] hessoRoleMemberKey -> HESSO-MEMBER-KEY ==
>>> "RACA-TICO-MSEI-MTIC-$-RCA"
>>> [ldap] looking for reply items in directory...
>>> [ldap] hessoRoleMemberKey -> Class =
>>> 0x524f52472d484546522d454946522d5449434f2d544c434f2d242d52534d
>>> [ldap] hessoRoleMemberKey -> Class = 0x524f52472d4d41534f2d242d524341
>>> [ldap] hessoRoleMemberKey -> Class =
>>> 0x524143412d5449434f2d4d5345492d4d5449432d242d524341
>>> [ldap] user didier.perroud authorized to use remote access
>>> [ldap] ldap_release_conn: Release Id: 0
>>> ++[ldap] returns ok
>>> [pap] WARNING: Auth-Type already set. Not setting to PAP
>>> ++[pap] returns noop
>>> ++? if (NAS-IP-Address =~ /160\.98\.156\..*/)
>>> ? Evaluating (NAS-IP-Address =~ /160\.98\.156\..*/) -> TRUE
>>> ++? if (NAS-IP-Address =~ /160\.98\.156\..*/) -> TRUE
>>> ++- entering if (NAS-IP-Address =~ /160\.98\.156\..*/) {...}
>>> +++? if (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/ )
>>> ? Evaluating (control:HESSO-MEMBER-KEY =~
>>> /RORG-HEFR-EIFR-INTR-INFO-.-RSM/) -> FALSE
>>> +++? if (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/ )
>>> -> FALSE
>>> +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ )
>>> ? Evaluating (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/) -> FALSE
>>> +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) -> FALSE
>>> +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ )
>>> ? Evaluating (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/) -> TRUE
>>> +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) -> TRUE
>>> +++- entering elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/
>>> ) {...}
>>>
>>> We can see that it didn't match control:HESSO-MEMBER-KEY =~
>>> /RORG-MASO.*RCA$/ while it has the correct value in the control list.
>>>
>>> How can I match this multi-valued attribute?
>>>
>>> Regards,
>>> Olivier B.
>>>
>>> --
>>>
>>> Olivier Beytrison
>>> Network & Security Engineer, HES-SO Fribourg
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>>
>>
>> Arran Cudbard-Bell
>> a.cudbardb at freeradius.org
>>
>> RADIUS - Half the complexity of Diameter
>>
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>>
>
> --
>
> Olivier Beytrison
> Network & Security Engineer, HES-SO Fribourg
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
Arran Cudbard-Bell
a.cudbardb at freeradius.org
RADIUS - Half the complexity of Diameter
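An added example (written by the editor, not code from either poster) of the FreeRADIUS 3.x `foreach` approach Arran points to, using Olivier's attribute names and regexes. It assumes the 3.0-style unlang syntax: the `&` attribute prefix, the `Foreach-Variable-0` loop variable and the `break` keyword. Unlike the 2.x `if`/`elsif` chain, which only evaluates the first instance of the attribute, this loop visits every value of control:HESSO-MEMBER-KEY, so the "RORG-MASO-$-RCA" value in the debug output above is matched even though LDAP returned it second:

```unlang
# secure-hefr.policy, FreeRADIUS 3.x form (added example, not the original config)
# A plain "if (&control:HESSO-MEMBER-KEY =~ ...)" tests only the first instance;
# foreach runs the block once per value of the multi-valued attribute.
foreach &control:HESSO-MEMBER-KEY {
    # Foreach-Variable-0 holds the value for the current iteration
    if (&Foreach-Variable-0 =~ /RORG-MASO.*RCA$/) {
        update reply {
            &Airespace-Interface-Name := "wifi_eia-etu"
        }
        # First match wins; stop looking at the remaining values
        break
    }
    elsif (&Foreach-Variable-0 =~ /RORG-HEFR-EIFR.*RSM$/) {
        update reply {
            &Airespace-Interface-Name := "wifi_eia-col"
        }
        break
    }
    # Further role-to-interface rules go here, as in the original chain
}
```

One caveat the loop introduces: with a single `foreach`, a user who carries two matching roles gets the interface of whichever value the LDAP module added to the control list first, not the interface of the rule listed first. If rule priority matters (for example a staff VLAN must always beat a student VLAN), run one `foreach` per rule in priority order and `break` out of each, so the policy order decides rather than the directory's value order. Users with no matching value fall through with Airespace-Interface-Name unset, exactly as in the 2.x policy.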