Multiple policy files
Jonathan Gazeley
Jonathan.Gazeley at bristol.ac.uk
Fri Aug 9 11:40:47 CEST 2013
For a while I've been using FreeRADIUS with a set of includes.d-style
directories that I can drop modules, virtual sites, etc into. This works
well - until today. So far I've only had one included policy file in
use, and the stock policy.conf is commented out. Today I tried to add
another new virtual site which also has a policy file.
Although radiusd -X clearly shows that the new policy file is being
read, my virtual server is unable to call upon policies defined in the file.
On a FreeRADIUS server with no other sites/policies, the new site and
policy work fine, so it appears to be some kind of namespace issue. I've
been through both policy files and there are no namespace clashes. Each
policy file has its own name, e.g. policy eduroam {} and policy rainbow {}.
Unusually, the debug log doesn't seem to be that helpful (it says that
the files have been loaded, and that the policy can't be found by name).
Apologies for the naming scheme - the various sites, modules and
policies we currently manage have been inherited from various authors
and I'm working on overhauling it.
"debug-working.log" is from a FreeRADIUS server using only the new
virtual site, which works.
"debug-not-working.log" is from a full development FreeRADIUS server
with other sites and policies, which does not work.
"policies" is the policy file used with the existing (eduroam) sites
"rainbow.conf" is the new policy that works on its own, but not in
conjunction with other policies.
Can anyone spare a few minutes to cast an eye over the debug output and
see if I've missed something? I spent all yesterday afternoon looking
at this problem and didn't make much progress.
Thanks,
Jonathan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug-not-working.log
Type: text/x-log
Size: 41480 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130809/997bfcac/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug-working.log
Type: text/x-log
Size: 15741 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130809/997bfcac/attachment-0003.bin>
-------------- next part --------------
# -*- text -*-
policy rainbow {
    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    #~ RADIUS service check
    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    #
    # Monitoring probe: a request for User-Name "radiustest" without an
    # EAP-Message gets Auth-Type := Accept, one with an EAP-Message is
    # rejected. Any other User-Name falls through untouched.
    #
    # NOTE(review): the accept is granted on the User-Name alone - no
    # password or client check - so any NAS this server answers can obtain
    # an Access-Accept as "radiustest". Consider restricting this branch to
    # the monitoring client (e.g. by its source address) or giving the probe
    # a real credential.
    service-check {
        if (User-name == "radiustest") {
            if (!EAP-Message){
                update control {
                    Auth-Type := Accept
                }
                updated
            }
            else {
                reject
            }
        }
        # Return-code override: when the probe path above yields "updated",
        # presumably return out of the enclosing section so nothing else
        # processes the probe - confirm this is the intent.
        updated = return
    }
    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    #~ AUTHZ SECTION
    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    # A pair of policies that query different databases for a rainbow class; the return codes allow
    # for use of load-balancing / redundancy. Only one of the pair (mac-rainbow-class) is
    # present in this file.
    # Done using resilient sql queries (because sql xlat doesn't work with virtual modules).
    #
    # Looks up the class for Calling-Station-Id in mac_authz and stores it in
    # UOB-Rainbow-Class. Always returns "ok", so callers never see a lookup
    # failure as a module failure; they must test the attribute instead.
    #
    # NOTE(review): Calling-Station-Id is interpolated into the SQL text.
    # The sql xlat is expected to escape expanded values, but nothing in this
    # file validates the attribute before the lookup (rainbow-policy only
    # checks the User-Name format, and only on the mac-auth path) - confirm
    # the escaping on the rainbowsql instance. A value that does not parse as
    # macaddr presumably fails the query and leaves the attribute empty.
    mac-rainbow-class {
        update request {
            UOB-Rainbow-Class := "%{rainbowsql:select class from mac_authz where mac = '%{Calling-Station-Id}'::macaddr}"
        }
        ok
    }
    # Authorize-time classification, two independent paths:
    #  - mac-auth (Service-Type Call-Check, hex MAC as User-Name): look the MAC
    #    up, reject if no class was found, otherwise accept without a password.
    #  - EAP: machine accounts ("host/...") get class "public"; everyone else
    #    gets the DB class, falling back to "guest".
    rainbow-policy {
        # Looks like mac-auth
        if (Service-Type == 'Call-Check'){
            # Is mac-auth
            # NOTE(review): the pattern is unanchored and lower-case only, so it
            # matches any User-Name that merely contains 12 consecutive hex
            # digits and misses upper-case MACs; /^[0-9a-f]{12}$/i would be
            # tighter - confirm the formats the NASes send.
            # NOTE(review): the format check is on User-Name but the lookup in
            # mac-rainbow-class keys on Calling-Station-Id; a NAS sending
            # different values in the two is classified by the latter.
            if (User-Name =~ /[0-9a-f]{12}/){
                # Do the DB lookup
                mac-rainbow-class
                # Now fails if empty
                # NOTE(review): whether a missed lookup leaves the attribute
                # absent or present-but-empty decides if this fires - confirm
                # against the debug output. The Accept below relies on this
                # reject returning out of the policy first.
                if (UOB-Rainbow-Class == ""){
                    reject
                }
                # Always accept mac-auths
                update control {
                    Auth-Type := Accept
                }
            }
        }
        # Proper auth
        if (EAP-Message){
            # Machine auth
            if (User-Name =~ /^host\//){
                update request {
                    UOB-Rainbow-Class := "public"
                }
            }
            else {
                # Do the DB lookup, is this defunct?
                mac-rainbow-class
                # If unset, set to default
                if (UOB-Rainbow-Class == ""){
                    update request {
                        UOB-Rainbow-Class := "guest"
                    }
                }
            }
        }
    }
    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    #~ POST-AUTH SECTION
    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    #
    # Re-direct policy
    #
    # Puts the client on VLAN "private" and tells a Cisco NAS to redirect
    # web traffic to the notice page via the ACL-REDIRECT ACL.
    url-redirect {
        update reply {
            Tunnel-Type := "VLAN"
            Tunnel-Medium-Type := "IEEE-802"
            Tunnel-Private-Group-Id := "private"
            Cisco-AVPair += "url-redirect=http://netmon.isys.bris.ac.uk/static/eek.html"
            Cisco-AVPair += "url-redirect-acl=ACL-REDIRECT"
            #Cisco-AVPair += "ip:inacl#1=permit ip any 137.222.12.0 255.255.255.0"
        }
    }
    #
    # Set rainbow class
    #
    # Assigns the VLAN named by UOB-Rainbow-Class (set earlier by
    # rainbow-policy); callers are expected to have checked it is non-empty.
    set-rainbow-reply {
        update reply {
            Tunnel-Type := "VLAN"
            Tunnel-Medium-Type := "IEEE-802"
            Tunnel-Private-Group-Id := "%{UOB-Rainbow-Class}"
        }
    }
    #
    # Set wired vlan response
    #
    # Empty class -> redirect VLAN; non-empty class -> that VLAN; attribute
    # absent -> no reply attributes are added.
    vlan_response {
        # Exists but empty, ie has gone through mac-auth [not currently used]
        if (UOB-Rainbow-Class == ""){
            url-redirect
        }
        # Exists and valid
        elsif (UOB-Rainbow-Class){
            set-rainbow-reply
        }
    }
    #END
}
-------------- next part --------------
policy eduroam {
    # Six hex-pair MAC pattern with an optional single non-hex separator
    # between pairs; each pair is a capture group (%{1}..%{6}). Referenced
    # below as %{config:policy.mac-addr}.
    #
    # NOTE(review): that reference names a top-level "policy" section. If
    # this file and the other policy file each open their own policy { }
    # block, confirm the server merges both rather than resolving names
    # from only the first one it reads.
    mac-addr = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})
    # bristolfixMYrealm {
    # if (User-Name =~ /(.+?@)my\\.bristol\\.ac\\.uk$/) {
    # update request {
    # UOB-Info-Type := 'REWR'
    # }
    # eduroaminfo
    # update request {
    # UOB-Info-Type !* ""
    # User-Name := "%{1}bristol.ac.uk"
    # }
    # }
    # }
    # Tags the request 'BADR' while the realm checks from the included file
    # run, then removes every instance of UOB-Info-Type again (the !* operator
    # deletes all matching attributes).
    bristolrealmchecks {
        update request {
            UOB-Info-Type := 'BADR'
        }
        $INCLUDE conf.d/eduroam-realm-checks.conf
        update request {
            UOB-Info-Type !* ""
        }
    } # end of bristolrealmchecks
    # Same tag-then-clear pattern around a call to "eduroaminfo", which is
    # not defined in this file.
    eduroaminfo-rcvdpacket {
        update request {
            UOB-Info-Type := 'RCVD'
        }
        eduroaminfo
        update request {
            UOB-Info-Type !* ""
        }
    }
    # Add "rewrite.called_station_id" in the "authorize" and "preacct"
    # sections.
    #rewrite.called_station_id {
    #if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {
    #update request {
    #Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
    #}
    #
    ## SSID component?
    #if ("%{7}") {
    #update request {
    #Called-Station-Id := "%{Called-Station-Id}:%{7}"
    #}
    #}
    #updated
    #}
    #else {
    #noop
    #}
    #}
    # Add "rewrite.calling_station_id" in the "authorize" and "preacct"
    # sections.
    #
    # Normalises Calling-Station-Id into lower-case, colon-separated form in
    # UOB-Stripped-MAC. Returns "updated" on a match, "noop" otherwise, so
    # callers can test request:UOB-Stripped-MAC to detect a missing or
    # malformed MAC.
    create.uob-stripped-mac {
        if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {
            update request {
                UOB-Stripped-MAC := "%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}"
            }
            updated
        }
        else {
            noop
        }
    }
    # Derives two identifiers:
    #  - UOB-Crypted-MAC: the OUI (first three octets) plus an md5 of the
    #    octets interleaved with fixed literals.
    #  - UOB-Short-CSID: Called-Station-Id with separators and an optional
    #    ":eduroam" suffix removed.
    # Only the second block sets the return code; a Calling-Station-Id
    # mismatch alone still yields "updated"/"noop" from the Called-Station-Id
    # test.
    #
    # NOTE(review): the md5 uses no secret, only the MAC and constants visible
    # here, so UOB-Crypted-MAC is an obfuscated identifier that anyone who
    # knows the layout can recompute - treat it as pseudonymous, not secret.
    create.uob-crypted-mac {
        if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {
            update request {
                UOB-Crypted-MAC := "%{tolower:%{1}%{2}%{3}-%{md5:%{3}ae%{5}af%{6}b%{1}e%{4}cd%{2}fb}}"
            }
        }
        if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:eduroam)?$/i) {
            update request {
                UOB-Short-CSID := "%{tolower:%{1}%{2}%{3}%{4}%{5}%{6}}"
            }
            updated
        }
        else {
            noop
        }
    }
    # Silently drops the request (no reply is sent) and marks it handled.
    do_not_respond {
        update control {
            Response-Packet-Type := Do-Not-Respond
        }
        handled
    }
    # Forces a full EAP-TLS handshake for this request.
    disable_session_resumption {
        update control {
            Allow-Session-Resumption := No
        }
    }
    # NOTE(review): the if body is empty, so this policy only evaluates the
    # regex and changes nothing. Either fill in the intended work-around or
    # remove the policy so it is not mistaken for an active fix.
    blackberry-ssl-bug {
        if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {
        }
    }
    # Put this at the top of authorise for
    # any radius service we provide to another UOB
    # department or organisation, where it's possible
    # for things to get proxied to JANET
    #
    # These checks are only things that the partner org
    # can break / mis-configure - this doesn't check for
    # any user related stuff
    #
    # Each failed check sets a Reply-Message and rejects. Depends on
    # create.uob-stripped-mac (above) to populate UOB-Stripped-MAC.
    partner-eduroam-sanity-checks {
        create.uob-stripped-mac
        # NOTE(review): the attribute has just been found absent, so the
        # "(%{request:UOB-Stripped-MAC})" part of the message is always
        # empty; "(%{request:Calling-Station-Id})" would show the offending
        # value instead. The same applies to the Called-Station-Id check.
        if (!(request:UOB-Stripped-MAC)) {
            update reply {
                Reply-Message := "Calling-Station-Id absent or invalid - Rejecting request (%{request:UOB-Stripped-MAC})"
            }
            reject
        }
        if (!(request:EAP-Message)) {
            update reply {
                Reply-Message := "No EAP-Message found - Rejecting request"
            }
            reject
        }
        if (!(request:Called-Station-Id)) {
            update reply {
                Reply-Message := "No Called-Station-Id found - Rejecting request (%{request:Called-Station-Id})"
            }
            reject
        }
        # if the SSID is indicated in any case
        if (request:Called-Station-Id =~ /:eduroam$/i) {
            # Ensure it is in fact lower case
            if (!(request:Called-Station-Id =~ /:eduroam$/)) {
                update reply {
                    Reply-Message := "Apparently your eduroam SSID is not all lowercase - Rejecting request (%{request:Called-Station-Id})"
                }
                reject
            }
        }
    }
} # end of policy