Semantics of !~ operator

Gerald Vogt vogt at spamcop.net
Tue Apr 28 11:28:09 CEST 2015


debug output is usually so long...

The inner-tunnel contains these three lines at the beginning of the authorize section:

         update request {
                 Called-Station-SSID := &outer.Called-Station-SSID
         }

This is debug output of one request until before the inner eap. I suppose
it contains everything to show that the copy doesn't work...

Thanks,

Gerald




Received Access-Request Id 10 from 10.25.10.6:60617 to 10.25.10.7:1812 length 306
	User-Name = 'anonymous@example.com'
	Calling-Station-Id = '02-00-00-00-00-01'
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = 'CONNECT 11Mbps 802.11b'
	Called-Station-Id = '11-22-33-44-55-66:MYSSID'
	NAS-IP-Address = 10.25.1.111
	EAP-Message = 0x020a009019001703010020327cb8ccaeb663dd0545468e976f6b48440f9c8a24977e16ac9f6b8514ac61961703010060f6103fe7b84b1b708659f1be9b97a9d02c65ec8c22b6db21c119fdd81f9a86d564312fc6938adcbd8d2d72230e184fec81384b2f636bfa901cd5b6692c6aa3989aab4454893f8a23af84eee42ffc91ab4bbf01d4b5d65a2096c664567326d375
	State = 0xacb99350a5b38a32e0f8f7523b6eb4d6
	Message-Authenticator = 0x500c99f6b6d81d53c6c6d903f716c627
(10) Received Access-Request packet from host 10.25.10.6 port 60617, id=10, length=306
(10) 	User-Name = 'anonymous@example.com'
(10) 	Calling-Station-Id = '02-00-00-00-00-01'
(10) 	Framed-MTU = 1400
(10) 	NAS-Port-Type = Wireless-802.11
(10) 	Connect-Info = 'CONNECT 11Mbps 802.11b'
(10) 	Called-Station-Id = '11-22-33-44-55-66:MYSSID'
(10) 	NAS-IP-Address = 10.25.1.111
(10) 	EAP-Message = 0x020a009019001703010020327cb8ccaeb663dd0545468e976f6b48440f9c8a24977e16ac9f6b8514ac61961703010060f6103fe7b84b1b708659f1be9b97a9d02c65ec8c22b6db21c119fdd81f9a86d564312fc6938adcbd8d2d72230e184fec81384b2f636bfa901cd5b6692c6aa3989aab4454893f8a23af84eee42ffc91ab4bbf01d4b5d65a2096c664567326d375
(10) 	State = 0xacb99350a5b38a32e0f8f7523b6eb4d6
(10) 	Message-Authenticator = 0x500c99f6b6d81d53c6c6d903f716c627
(10) # Executing section authorize from file /etc/raddb/sites-enabled/default
(10)   authorize {
(10)   filter_username filter_username {
(10)     if (!&User-Name)
(10)     if (!&User-Name)  -> FALSE
(10)     if (&User-Name =~ / /)
(10)     if (&User-Name =~ / /)  -> FALSE
(10)     if (&User-Name =~ /@.*@/ )
(10)     if (&User-Name =~ /@.*@/ )  -> FALSE
(10)     if (&User-Name =~ /\\.\\./ )
(10)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(10)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(10)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(10)     if (&User-Name =~ /\\.$/)
(10)     if (&User-Name =~ /\\.$/)   -> FALSE
(10)     if (&User-Name =~ /@\\./)
(10)     if (&User-Name =~ /@\\./)   -> FALSE
(10)   } # filter_username filter_username = notfound
(10)   [preprocess] = ok
(10)  auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(10)  auth_log :    --> /var/log/radius/radacct/10.25.10.6/auth-detail-20150428
(10)  auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.25.10.6/auth-detail-20150428
(10)  auth_log : EXPAND %t
(10)  auth_log :    --> Tue Apr 28 10:55:40 2015
(10)   [auth_log] = ok
(10)   [chap] = noop
(10)   [mschap] = noop
(10)  suffix : Checking for suffix after "@"
(10)  suffix : Looking up realm "example.com" for User-Name = "anonymous@example.com"
(10)  suffix : Found realm "example.com"
(10)  suffix : Adding Stripped-User-Name = "anonymous"
(10)  suffix : Adding Realm = "example.com"
(10)  suffix : Authentication realm is LOCAL
(10)   [suffix] = ok
(10)   rewrite_called_station_id rewrite_called_station_id {
(10)     if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)
(10)     if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)  -> TRUE
(10)    if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)  {
(10)     update request {
(10) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(10)    --> 11-22-33-44-55-66
(10) 	Called-Station-Id := "11-22-33-44-55-66"
(10)     } # update request = noop
(10)      if ("%{8}")
(10) EXPAND %{8}
(10)    --> MYSSID
(10)      if ("%{8}")  -> TRUE
(10)     if ("%{8}")  {
(10)      update request {
(10) EXPAND %{8}
(10)    --> MYSSID
(10) 	Called-Station-SSID := "MYSSID"
(10)      } # update request = noop
(10)     } # if ("%{8}")  = noop
(10)     [updated] = updated
(10)    } # if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)  = updated
(10)     ... skipping else for request 10: Preceding "if" was taken
(10)   } # rewrite_called_station_id rewrite_called_station_id = updated
(10)    if ( Huntgroup-Name == "wlan" )
(10)    if ( Huntgroup-Name == "wlan" )  -> TRUE
(10)   if ( Huntgroup-Name == "wlan" )  {
(10)     if ( Called-Station-SSID )
(10)     if ( Called-Station-SSID )  -> TRUE
(10)    if ( Called-Station-SSID )  {
(10)      if ( Called-Station-SSID == "eduroam" && Realm == "NULL" )
(10)      if ( Called-Station-SSID == "eduroam" && Realm == "NULL" )  -> FALSE
(10)      elsif ( Called-Station-SSID == "MYSSID" && Realm != "NULL" && Realm != "example.com" )
(10)      elsif ( Called-Station-SSID == "MYSSID" && Realm != "NULL" && Realm != "example.com" )  -> FALSE
(10)    } # if ( Called-Station-SSID )  = updated
(10)     ... skipping else for request 10: Preceding "if" was taken
(10)   } # if ( Huntgroup-Name == "wlan" )  = updated
(10)    ... skipping elsif for request 10: Preceding "if" was taken
(10)  eap : Peer sent code Response (2) ID 10 length 144
(10)  eap : Continuing tunnel setup
(10)   [eap] = ok
(10)  } #  authorize = ok
(10) Found Auth-Type = EAP
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10)   authenticate {
(10)  eap : Expiring EAP session with state 0x590f140159050ed0
(10)  eap : Finished EAP session with state 0xacb99350a5b38a32
(10)  eap : Previous EAP request found for state 0xacb99350a5b38a32, released from the list
(10)  eap : Peer sent method PEAP (25)
(10)  eap : EAP PEAP (25)
(10)  eap : Calling eap_peap to process EAP data
(10)  eap_peap : processing EAP-TLS
(10)  eap_peap : eaptls_verify returned 7
(10)  eap_peap : Done initial handshake
(10)  eap_peap : eaptls_process returned 7
(10)  eap_peap : FR_TLS_OK
(10)  eap_peap : Session established.  Decoding tunneled attributes
(10)  eap_peap : Peap state phase2
(10)  eap_peap : EAP type MSCHAPv2 (26)
(10)  eap_peap : Got tunneled request
	EAP-Message = 0x020a004a1a020a004531b63db2cae3124f4e1093319503802a3e00000000000000007f33f75b68d57a06cc7bce81a291765e6832849db44cdc7b006b32303230383140646b727a2e6465
server default {
(10)  eap_peap : Setting User-Name to gerald@example.com
Sending tunneled request
	EAP-Message = 0x020a004a1a020a004531b63db2cae3124f4e1093319503802a3e00000000000000007f33f75b68d57a06cc7bce81a291765e6832849db44cdc7b006b32303230383140646b727a2e6465
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = 'gerald@example.com'
	State = 0x590f140159050ed009dc274a52ff2d37
	Calling-Station-Id = '02-00-00-00-00-01'
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = 'CONNECT 11Mbps 802.11b'
	NAS-IP-Address = 10.25.1.111
	Event-Timestamp = 'Apr 28 2015 10:55:40 CEST'
	Called-Station-Id := '11-22-33-44-55-66'
server inner-tunnel {
(10)  server inner-tunnel {
(10)    Request:
	EAP-Message = 0x020a004a1a020a004531b63db2cae3124f4e1093319503802a3e00000000000000007f33f75b68d57a06cc7bce81a291765e6832849db44cdc7b006b32303230383140646b727a2e6465
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = 'gerald@example.com'
	State = 0x590f140159050ed009dc274a52ff2d37
	Calling-Station-Id = '02-00-00-00-00-01'
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = 'CONNECT 11Mbps 802.11b'
	NAS-IP-Address = 10.25.1.111
	Event-Timestamp = 'Apr 28 2015 10:55:40 CEST'
	Called-Station-Id := '11-22-33-44-55-66'
(10)  # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(10)    authorize {
(10)    update request {
(10)    } # update request = noop
(10)    [preprocess] = ok
(10)   auth_inner_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-inner-detail-%Y%m%d
(10)   auth_inner_log :    --> /var/log/radius/radacct/10.25.10.6/auth-inner-detail-20150428
(10)   auth_inner_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-inner-detail-%Y%m%d expands to /var/log/radius/radacct/10.25.10.6/auth-inner-detail-20150428
(10)   auth_inner_log : EXPAND %t
(10)   auth_inner_log :    --> Tue Apr 28 10:55:40 2015
(10)    [auth_inner_log] = ok
(10)    [chap] = noop
(10)    [mschap] = noop
(10)   suffix : Checking for suffix after "@"
(10)   suffix : Looking up realm "example.com" for User-Name = "gerald@example.com"
(10)   suffix : Found realm "example.com"
(10)   suffix : Adding Stripped-User-Name = "gerald"
(10)   suffix : Adding Realm = "example.com"
(10)   suffix : Authentication realm is LOCAL
(10)    [suffix] = ok
(10)    update control {
(10)  	Proxy-To-Realm := 'LOCAL'
(10)    } # update control = noop


On 28/04/15 11:09, Arran Cudbard-Bell wrote:
>>> update request {
>>> 	Called-Station-SSID := &outer.Called-Station-SSID
>>> }
>>
>> I tried that but it doesn't work.
>>
>> I call rewrite_called_station_id after suffix in the authorize section of the default server. I can see it sets Called-Station-SSID correctly.
>
> Mind posting all the debug output? Unless it's super secret...
>


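The rewrite_called_station_id policy visible in the outer authorize section above is what produces Called-Station-SSID in the first place: it matches Called-Station-Id against an anchored regex of six hex octets with optional separators and an optional ":SSID" suffix, rebuilds the MAC from capture groups 1-6 in lower case with "-" separators, and takes the SSID from group 8. The following is an added example written for this page, not FreeRADIUS's own policy code: it reproduces that regex in Python so the behaviour on various NAS-supplied values can be checked offline. The sample inputs are constructed; the function name and the (mac, ssid) return shape are my own choices.

```python
import re

# The regex exactly as it appears in the debug output of the
# rewrite_called_station_id policy (with the /i flag). Groups 1-6 are
# the six hex octets, group 7 is the optional ":SSID" tail and group 8
# is the SSID itself.
CALLED_STATION_ID_RE = re.compile(
    r"^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?"
    r"([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$",
    re.IGNORECASE,
)


def split_called_station_id(value):
    """Return (normalised_mac, ssid) for a Called-Station-Id value.

    Mirrors the unlang policy: the MAC is rewritten as lower-case octets
    joined with '-', and the SSID comes from capture group 8 (None when
    the NAS sent no ':SSID' suffix, matching the policy's `if ("%{8}")`
    guard). Returns None when the value does not match at all; in that
    case the policy leaves Called-Station-SSID unset, which is why the
    outer authorize section checks `if ( Called-Station-SSID )` before
    comparing it against an SSID name.
    """
    m = CALLED_STATION_ID_RE.match(value)
    if m is None:
        return None
    mac = "-".join(m.group(i) for i in range(1, 7)).lower()
    return mac, m.group(8)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real NAS.
    for sample in (
        "11-22-33-44-55-66:MYSSID",   # the form seen in the debug output
        "AA:BB:CC:DD:EE:FF:eduroam",  # colon-separated, upper-case MAC
        "112233445566",               # no separators, no SSID suffix
        "11-22-33-44-55-66:a:b",      # SSID containing a colon
        "MYSSID",                     # no MAC prefix: no match
    ):
        print(f"{sample!r:32} -> {split_called_station_id(sample)!r}")
```

Because the regex is anchored at both ends and the MAC part admits only hex pairs, anything a NAS sends that is not MAC-shaped yields no Called-Station-SSID at all rather than a partially parsed one; the SSID capture, by contrast, is `.+` and is passed through untouched, so any policy that compares it should do so with exact matches (as the `Called-Station-SSID == "eduroam"` checks above do) rather than substring or regex tests.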