Multiple policy files

Jonathan Gazeley Jonathan.Gazeley at bristol.ac.uk
Fri Aug 9 11:40:47 CEST 2013


For a while I've been using FreeRADIUS with a set of includes.d-style 
directories that I can drop modules, virtual sites, etc into. This works 
well - until today. So far I've only had one included policy file in 
use, and the stock policy.conf is commented out. Today I tried to add 
another new virtual site which also has a policy file.

Although radiusd -X clearly shows that the new policy file is being 
read, my virtual server is unable to call upon policies defined in the file.

On a FreeRADIUS server with no other sites/policies, the new site and 
policy work fine, so it appears to be some kind of namespace issue. I've 
been through both policy files and there are no namespace clashes. Each 
policy file has its own name, e.g. policy eduroam {} and policy rainbow {}.

Unusually, the debug log doesn't seem to be that helpful (it says that 
the files have been loaded, and that the policy can't be found by name). 
Apologies for the naming scheme - the various sites, modules and 
policies we currently manage have been inherited from various authors 
and I'm working on overhauling it.

"debug-working.log" is from a FreeRADIUS server using only the new 
virtual site, which works.

"debug-not-working.log" is from a full development FreeRADIUS server 
with other sites and policies, which does not work.

"policies" is the policy file used with the existing (eduroam) sites.

"rainbow.conf" is the new policy that works on its own, but not in 
conjunction with other policies.

Can anyone spare a few minutes to cast an eye over the debug output and 
see if I've missed something? I spent all yesterday afternoon looking 
at this problem and didn't make much progress.

Thanks,
Jonathan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug-not-working.log
Type: text/x-log
Size: 41480 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130809/997bfcac/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug-working.log
Type: text/x-log
Size: 15741 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130809/997bfcac/attachment-0003.bin>
-------------- next part --------------
# -*- text -*-
policy rainbow {
    # "rainbow" service policies: a monitoring short-circuit (service-check),
    # a per-MAC class lookup used at authorize time, and the post-auth reply
    # builders (URL redirect or VLAN assignment).
    #
    # NOTE(review): the server resolves policy names (and %{config:policy.*})
    # against one top-level "policy" section; a second "policy <name> {}"
    # block loaded next to another policy file may not be searched at all.
    # That would fit "file loaded, but policy not found by name" — verify
    # for this server version.
    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    #~ RADIUS service check
    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    #
    # Short-circuit for the monitoring account: a non-EAP request for
    # "radiustest" is accepted outright (Auth-Type := Accept), an EAP request
    # for it is rejected. Any other user falls through untouched.
    # (Attribute names are matched case-insensitively, so "User-name" is ok.)
    service-check { 
        if (User-name == "radiustest") {
            if (!EAP-Message){
                update control {
                    Auth-Type := Accept
                }
                updated
            }
            else {
                reject
            }
        }
        # Action override: an "updated" result is turned into "return", so
        # the calling section presumably stops here once the test request has
        # been accepted and nothing later can change Auth-Type — verify.
        updated = return
    }

    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    #~ AUTHZ SECTION
    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    # A pair of policies that query different databases for a rainbow class;
    # the return codes allow for load-balancing / redundancy. Done using
    # resilient sql queries (because sql xlat doesn't work with virtual modules).
    # Only one of the pair (mac-rainbow-class) is present in this file.
    #
    # Looks up the class for the calling MAC through the "rainbowsql" xlat and
    # stores it in UOB-Rainbow-Class. Always returns "ok", so a failed or empty
    # lookup is not visible in the return code — callers compare the attribute
    # against "" instead.
    # NOTE(review): %{Calling-Station-Id} is expanded inside a quoted SQL
    # literal; this relies on rlm_sql escaping nested attribute expansions in
    # its xlat — confirm for this server version. A value that does not parse
    # as ::macaddr presumably makes the query fail and the xlat expand to "",
    # which callers then treat as "no class".
    mac-rainbow-class {
        update request {
            UOB-Rainbow-Class := "%{rainbowsql:select class from mac_authz where mac = '%{Calling-Station-Id}'::macaddr}"
        }
        ok
    }

    # Authorize-time classification. Two independent paths:
    #  * Service-Type Call-Check (MAC auth): look the MAC up, reject when no
    #    class comes back, otherwise force Auth-Type := Accept.
    #  * EAP: "host/..." machine accounts get class "public" without a lookup;
    #    everyone else is looked up and defaults to "guest".
    # Only the request attribute is set here; the reply is built later by
    # vlan_response / set-rainbow-reply.
    rainbow-policy {
        # Looks like mac-auth
        if (Service-Type == 'Call-Check'){
            # Is mac-auth. NOTE: the regex is unanchored and lower-case only:
            # any name containing 12 consecutive lower-case hex digits passes,
            # while an upper-case MAC does not (compare the anchored, /i
            # mac-addr checks in the eduroam policy file).
            if (User-Name =~ /[0-9a-f]{12}/){
                # Do the DB lookup
                mac-rainbow-class
                # Now fails if empty (reject presumably returns out of the
                # policy here, so the Accept below is not reached — verify)
                if (UOB-Rainbow-Class == ""){
                    reject
                }
                # Always accept mac-auths that were given a class
                update control {
                    Auth-Type := Accept
                }
            }
        }
        # Proper auth
        if (EAP-Message){
            # Machine auth: class is fixed, no database access
            if (User-Name =~ /^host\//){
                update request {
                    UOB-Rainbow-Class := "public"
                }
            }
            else {
                # Do the DB lookup, is this defunct?
                mac-rainbow-class
                # If unset, set to default
                if (UOB-Rainbow-Class == ""){
                    update request {
                        UOB-Rainbow-Class := "guest"
                    }
                }
            }
        }
    }
                

    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    #~ POST-AUTH SECTION
    #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    #
    #   Re-direct policy: reply for a MAC without a class — park it on the
    #   "private" VLAN and hand the NAS a URL redirect (plain http) pointing
    #   at the notice page. The inline ACL entry is commented out.
    #   
    url-redirect {
        update reply {
            Tunnel-Type := "VLAN"
            Tunnel-Medium-Type := "IEEE-802"
            Tunnel-Private-Group-Id := "private"
            Cisco-AVPair += "url-redirect=http://netmon.isys.bris.ac.uk/static/eek.html"
            Cisco-AVPair += "url-redirect-acl=ACL-REDIRECT"
            #Cisco-AVPair += "ip:inacl#1=permit ip any 137.222.12.0 255.255.255.0"
        }
    }
    #
    #   Set rainbow class: VLAN assignment taken from the class that
    #   rainbow-policy stored in the request list.
    #
    set-rainbow-reply {
        update reply {
            Tunnel-Type := "VLAN"
            Tunnel-Medium-Type := "IEEE-802"
            Tunnel-Private-Group-Id := "%{UOB-Rainbow-Class}"
        }
    }

    #
    # Set wired vlan response: dispatch on UOB-Rainbow-Class. "" (present but
    # empty) gets the redirect; a non-empty value gets the VLAN. The two
    # conditions are different checks (string compare vs. bare existence
    # test); if the attribute is absent altogether neither branch presumably
    # fires and no tunnel attributes are added — verify.
    #
    vlan_response {
        # Exists but empty, ie has gone through mac-auth [not currently used]
        if (UOB-Rainbow-Class == ""){
            url-redirect
        }
        # Exists and valid
        elsif (UOB-Rainbow-Class){
            set-rainbow-reply
        }
    }

#END
}
-------------- next part --------------
policy eduroam {
	# Shared helpers for the eduroam virtual servers: MAC parsing/rewriting,
	# UOB-Info-Type markers around the realm checks, and sanity checks for
	# partner organisations whose requests may be proxied on to JANET.
	#
	# NOTE(review): the server looks policies and %{config:policy.*} up in a
	# single top-level "policy" section; when this file and another
	# "policy <name> {}" file are both loaded, only one of them may actually
	# be searched — verify for this server version.

	# Regex for a 6-octet MAC with an optional single-character separator
	# between octets; referenced below as %{config:policy.mac-addr}. Each
	# octet is its own capture group, so %{1}..%{6} are set after a match.
	mac-addr = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})

#	Disabled: realm rewrite my.bristol.ac.uk -> bristol.ac.uk, kept for
#	reference. Note the "\\." escapes inside the regex.
#	bristolfixMYrealm {
#		if (User-Name =~ /(.+?@)my\\.bristol\\.ac\\.uk$/) {
#			update request {
#				UOB-Info-Type := 'REWR'
#			}
#			eduroaminfo
#			update request {
#				UOB-Info-Type !* ""
#				User-Name := "%{1}bristol.ac.uk"
#			}
#		}
#	}

	# Runs the shared realm checks with UOB-Info-Type set to 'BADR' as a
	# marker for their duration, then removes the marker again
	# ("!*" deletes every instance of the attribute).
	bristolrealmchecks {
		update request {
			UOB-Info-Type := 'BADR'
		}
		$INCLUDE conf.d/eduroam-realm-checks.conf
		update request {
			UOB-Info-Type !* ""
		}
	} # end of bristolrealmchecks

	# Same marker pattern with 'RCVD' around "eduroaminfo", which is not
	# defined in this file (a module or a policy elsewhere).
	eduroaminfo-rcvdpacket {
                update request {
                        UOB-Info-Type := 'RCVD'
                }
                eduroaminfo
                update request {
                        UOB-Info-Type !* ""
                }
}



        #  Add "rewrite.called_station_id" in the "authorize" and "preacct"
        #  sections.
        #  Disabled: would rewrite Called-Station-Id to dash-separated lower
        #  case plus an optional ":<ssid>" suffix.
        #  NOTE(review): %{7} is the "(:(.+))?" group, so it includes the
        #  leading ':' and the rewritten value would read "mac::ssid";
        #  %{8} is the SSID alone — presumably why this is switched off.
        #rewrite.called_station_id {
                #if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {
                        #update request {
                                #Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
                        #}
			#
                        ## SSID component?
                        #if ("%{7}") {
                                #update request {
                                        #Called-Station-Id := "%{Called-Station-Id}:%{7}"
                                #}
                        #}
                        #updated
                #}
                #else {
                        #noop
                #}
        #}

        #  Add "rewrite.calling_station_id" in the "authorize" and "preacct"
        #  sections.

        # Normalises Calling-Station-Id into UOB-Stripped-MAC as lower-case,
        # colon-separated octets. Returns "updated" when the attribute was
        # set, "noop" when Calling-Station-Id is absent or not a MAC.
        create.uob-stripped-mac {
                if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {
                        update request {
                                UOB-Stripped-MAC := "%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}"
                        }
                        updated
                }
                else {
                        noop
                }
        }

        # Derives two identifiers:
        #  * UOB-Crypted-MAC: the first three octets (the OUI) in clear, then
        #    an MD5 of the six octets in a fixed shuffle with literal padding.
        #    NOTE(review): this is an unkeyed hash — anyone who can enumerate
        #    candidate MACs can recompute it, so treat it as a pseudonym /
        #    obfuscation rather than an anonymisation; a keyed construction
        #    (server-side secret) would be needed if third parties must not
        #    be able to link it back.
        #  * UOB-Short-CSID: Called-Station-Id with separators removed and an
        #    optional ":eduroam" suffix dropped.
        # The return code (updated/noop) presumably comes from the second "if"
        # only, independent of whether UOB-Crypted-MAC was set — verify.
        create.uob-crypted-mac {
                if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {
                        update request {
                                UOB-Crypted-MAC := "%{tolower:%{1}%{2}%{3}-%{md5:%{3}ae%{5}af%{6}b%{1}e%{4}cd%{2}fb}}"
                        }
                }
                if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:eduroam)?$/i) {
                        update request {
                                UOB-Short-CSID := "%{tolower:%{1}%{2}%{3}%{4}%{5}%{6}}"
                        }
                        updated
                }
                else {
                        noop
                }
        }

	# Suppresses the response to this request entirely; "handled" stops
	# further processing of the calling section.
	do_not_respond {
		update control {
			Response-Packet-Type := Do-Not-Respond
		}
		handled
	}

	# Turns off TLS session resumption for this request (control list).
	# No explicit return code.
	disable_session_resumption {
		update control {
			Allow-Session-Resumption := No
		}
	}

	# Empty: the MAC condition is evaluated but nothing happens either way.
	# Presumably a placeholder for a workaround that has since been removed.
	blackberry-ssl-bug {
		if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {
		}
	}


	# Put this at the top of authorise for
	# any radius service we provide to another UOB
	# department or organisation, where it's possible
	# for things to get proxied to JANET
	#
	# These checks are only things that the partner org
	# can break / mis-configure - this doesn't check for
	# any user related stuff
	#
	# Each failed check sets a Reply-Message and rejects. The
	# %{request:...} expansions in the first and third messages are
	# necessarily empty, since the check just established that the
	# attribute is absent.

	partner-eduroam-sanity-checks {
		# populates UOB-Stripped-MAC only when Calling-Station-Id parses as a MAC
		create.uob-stripped-mac
		if (!(request:UOB-Stripped-MAC)) {
                	update reply {
                        	Reply-Message := "Calling-Station-Id absent or invalid - Rejecting request (%{request:UOB-Stripped-MAC})"
                	}
                	reject
        	}

        	if (!(request:EAP-Message)) {
                	update reply {
                        	Reply-Message := "No EAP-Message found - Rejecting request"
                	}
                	reject
		}

        	if (!(request:Called-Station-Id)) {
                	update reply {
                        	Reply-Message := "No Called-Station-Id found - Rejecting request (%{request:Called-Station-Id})"
                	}
                	reject
		}

		# if the SSID is indicated in any case (case-insensitive match)
        	if (request:Called-Station-Id =~ /:eduroam$/i) {
			# Ensure it is in fact lower case: the same suffix must also
			# match without /i, otherwise reject
        		if (!(request:Called-Station-Id =~ /:eduroam$/)) {
                		update reply {
                        		Reply-Message := "Apparently your eduroam SSID is not all lowercase - Rejecting request (%{request:Called-Station-Id})"
                		}
                		reject
			}
		}
	}
} # end of policy


















