Conditional Auth Response?

Vijay amitbutere64 at gmail.com
Wed Feb 12 03:56:31 CET 2014 

Hi Darren,
You don't have to update password to Cisco, Chek your Cisco Asr routers configuration. If configured properly asr router will send Cisco as a password for all ip users.

To update QV values you use SQL concat query and you will get desired result.


Sent from my iPhone

Regards
Vijay 

On 12-Feb-2014, at 7:33 AM, "Darren Ward (darrward)" <darrward at cisco.com> wrote:

> Apologies 
> 
> I'm trying in the authorise section of the default site in sites-enabled:
> 
> So this rule I am hoping to create will see an incoming authorise request for user 192.168.104.10 as an example use the password "cisco" for the authorisation and then proceed to look at the request and if it sees a Cisco-Control-Info attribute set with QV<anynumber> then update the reply which needs to be an access-accept with QV="0" else if there is no QV attribute set then set one to 50Meg
> 
> I'm on a basic Red Hat box so I assume the POSIX regex is * but I have also tried the + from a previous example I found
> 
> authorize {
> 
>        if (User-Name =~ /192.168.*/) {
>             update control {
>                Cleartext-Password := "cisco"
>            }
>            if (Cisco-Control-Info =~ /QV*/) {
>                update reply {
>                    Cisco-Control-Info += "QV0"
>                }
>            }
>            else {
>                update reply {
>                    Cisco-Control-Info += "QV50000000"
>                }
>            }
>        }
> 
> Etc etc
> 
> }
> 
> However in the debug log it doesn't seem to macth any rules in authorisze and 
> 
> rad_recv: Access-Request packet from host 127.0.0.1 port 45778, id=65, length=84
>        User-Name = "192.168.104.10"
>        User-Password = "cisco"
>        NAS-IP-Address = 10.67.21.130
>        NAS-Port = 10
>        Message-Authenticator = 0xf253e291d588b17c3bb0e547c4993af8
> Wed Feb 12 12:57:55 2014 : Info: # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
> Wed Feb 12 12:57:55 2014 : Info: +group authorize {
> Wed Feb 12 12:57:55 2014 : Info: ++[preprocess] = ok
> Wed Feb 12 12:57:55 2014 : Info: ++[chap] = noop
> Wed Feb 12 12:57:55 2014 : Info: ++[mschap] = noop
> Wed Feb 12 12:57:55 2014 : Info: ++[digest] = noop
> Wed Feb 12 12:57:55 2014 : Info: [suffix] No '@' in User-Name = "192.168.104.10", looking up realm NULL
> Wed Feb 12 12:57:55 2014 : Info: [suffix] No such realm "NULL"
> Wed Feb 12 12:57:55 2014 : Info: ++[suffix] = noop
> Wed Feb 12 12:57:55 2014 : Info: [eap] No EAP-Message, not doing EAP
> Wed Feb 12 12:57:55 2014 : Info: ++[eap] = noop
> Wed Feb 12 12:57:55 2014 : Info: ++[files] = noop
> Wed Feb 12 12:57:55 2014 : Info: ++[expiration] = noop
> Wed Feb 12 12:57:55 2014 : Info: ++[logintime] = noop
> Wed Feb 12 12:57:55 2014 : Info: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
> Wed Feb 12 12:57:55 2014 : Info: ++[pap] = noop
> Wed Feb 12 12:57:55 2014 : Info: +} # group authorize = ok
> Wed Feb 12 12:57:55 2014 : Info: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
> Wed Feb 12 12:57:55 2014 : Info: Failed to authenticate the user.
> Wed Feb 12 12:57:55 2014 : Info: Using Post-Auth-Type REJECT
> Wed Feb 12 12:57:55 2014 : Info: # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> Wed Feb 12 12:57:55 2014 : Info: +group REJECT {
> Wed Feb 12 12:57:55 2014 : Info: [attr_filter.access_reject]    expand: %{User-Name} -> 192.168.104.10
> Wed Feb 12 12:57:55 2014 : Debug: attr_filter: Matched entry DEFAULT at line 11
> Wed Feb 12 12:57:55 2014 : Info: ++[attr_filter.access_reject] = updated
> Wed Feb 12 12:57:55 2014 : Info: +} # group REJECT = updated
> Wed Feb 12 12:57:55 2014 : Info: Delaying reject of request 0 for 1 seconds
> Wed Feb 12 12:57:55 2014 : Debug: Going to the next request
> Wed Feb 12 12:57:55 2014 : Debug: Waking up in 0.9 seconds.
> Wed Feb 12 12:57:56 2014 : Info: Sending delayed reject for request 0
> Sending Access-Reject of id 65 to 127.0.0.1 port 45778
> 
> 
> -----Original Message-----
> From: freeradius-users-bounces+darrward=cisco.com at lists.freeradius.org [mailto:freeradius-users-bounces+darrward=cisco.com at lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: Wednesday, 12 February 2014 12:35 PM
> To: FreeRadius users mailing list
> Subject: Re: Conditional Auth Response?
> 
> Darren Ward (darrward) wrote:
>> Looking for some unlang tutorials I think! :)
> 
>  There are lots of examples in the raddb/ directory.  See also raddb/policy.conf.
> 
>> I'm trying to combine the two factors I need with is to have a macro entry for a common 'anonymous' set of users together with the ability to manipulate the response and so am trying to munge the two responses I received on the separate threads.
> 
>  I'm not sure what that means...
> 
>> I am getting  parse error - expecting operator on the first line so 
>> obviously the if +~ isn't an option
> 
>  The example you pasted below doesn't use +~.
> 
>> Any pointers for me?
> 
>  Where are you putting this text?
> 
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list