Semantics of !~ operator
Gerald Vogt
vogt at spamcop.net
Tue Apr 28 11:28:09 CEST 2015
debug output is usually so long...
The inner-tunnel contains these three lines at the beginning of the authorize section:
update request {
Called-Station-SSID := &outer.Called-Station-SSID
}
This is debug output of one request until before the inner eap. I suppose
it contains everything to show that the copy doesn't work...
Thanks,
Gerald
Received Access-Request Id 10 from 10.25.10.6:60617 to 10.25.10.7:1812 length 306
User-Name = 'anonymous at example.com'
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
Called-Station-Id = '11-22-33-44-55-66:MYSSID'
NAS-IP-Address = 10.25.1.111
EAP-Message = 0x020a009019001703010020327cb8ccaeb663dd0545468e976f6b48440f9c8a24977e16ac9f6b8514ac61961703010060f6103fe7b84b1b708659f1be9b97a9d02c65ec8c22b6db21c119fdd81f9a86d564312fc6938adcbd8d2d72230e184fec81384b2f636bfa901cd5b6692c6aa3989aab4454893f8a23af84eee42ffc91ab4bbf01d4b5d65a2096c664567326d375
State = 0xacb99350a5b38a32e0f8f7523b6eb4d6
Message-Authenticator = 0x500c99f6b6d81d53c6c6d903f716c627
(10) Received Access-Request packet from host 10.25.10.6 port 60617, id=10, length=306
(10) User-Name = 'anonymous at example.com'
(10) Calling-Station-Id = '02-00-00-00-00-01'
(10) Framed-MTU = 1400
(10) NAS-Port-Type = Wireless-802.11
(10) Connect-Info = 'CONNECT 11Mbps 802.11b'
(10) Called-Station-Id = '11-22-33-44-55-66:MYSSID'
(10) NAS-IP-Address = 10.25.1.111
(10) EAP-Message = 0x020a009019001703010020327cb8ccaeb663dd0545468e976f6b48440f9c8a24977e16ac9f6b8514ac61961703010060f6103fe7b84b1b708659f1be9b97a9d02c65ec8c22b6db21c119fdd81f9a86d564312fc6938adcbd8d2d72230e184fec81384b2f636bfa901cd5b6692c6aa3989aab4454893f8a23af84eee42ffc91ab4bbf01d4b5d65a2096c664567326d375
(10) State = 0xacb99350a5b38a32e0f8f7523b6eb4d6
(10) Message-Authenticator = 0x500c99f6b6d81d53c6c6d903f716c627
(10) # Executing section authorize from file /etc/raddb/sites-enabled/default
(10) authorize {
(10) filter_username filter_username {
(10) if (!&User-Name)
(10) if (!&User-Name) -> FALSE
(10) if (&User-Name =~ / /)
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@.*@/ )
(10) if (&User-Name =~ /@.*@/ ) -> FALSE
(10) if (&User-Name =~ /\\.\\./ )
(10) if (&User-Name =~ /\\.\\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\\.$/)
(10) if (&User-Name =~ /\\.$/) -> FALSE
(10) if (&User-Name =~ /@\\./)
(10) if (&User-Name =~ /@\\./) -> FALSE
(10) } # filter_username filter_username = notfound
(10) [preprocess] = ok
(10) auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(10) auth_log : --> /var/log/radius/radacct/10.25.10.6/auth-detail-20150428
(10) auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.25.10.6/auth-detail-20150428
(10) auth_log : EXPAND %t
(10) auth_log : --> Tue Apr 28 10:55:40 2015
(10) [auth_log] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) suffix : Checking for suffix after "@"
(10) suffix : Looking up realm "example.com" for User-Name = "anonymous at example.com"
(10) suffix : Found realm "example.com"
(10) suffix : Adding Stripped-User-Name = "anonymous"
(10) suffix : Adding Realm = "example.com"
(10) suffix : Authentication realm is LOCAL
(10) [suffix] = ok
(10) rewrite_called_station_id rewrite_called_station_id {
(10) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)
(10) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) -> TRUE
(10) if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) {
(10) update request {
(10) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(10) --> 11-22-33-44-55-66
(10) Called-Station-Id := "11-22-33-44-55-66"
(10) } # update request = noop
(10) if ("%{8}")
(10) EXPAND %{8}
(10) --> MYSSID
(10) if ("%{8}") -> TRUE
(10) if ("%{8}") {
(10) update request {
(10) EXPAND %{8}
(10) --> MYSSID
(10) Called-Station-SSID := "MYSSID"
(10) } # update request = noop
(10) } # if ("%{8}") = noop
(10) [updated] = updated
(10) } # if (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i) = updated
(10) ... skipping else for request 10: Preceding "if" was taken
(10) } # rewrite_called_station_id rewrite_called_station_id = updated
(10) if ( Huntgroup-Name == "wlan" )
(10) if ( Huntgroup-Name == "wlan" ) -> TRUE
(10) if ( Huntgroup-Name == "wlan" ) {
(10) if ( Called-Station-SSID )
(10) if ( Called-Station-SSID ) -> TRUE
(10) if ( Called-Station-SSID ) {
(10) if ( Called-Station-SSID == "eduroam" && Realm == "NULL" )
(10) if ( Called-Station-SSID == "eduroam" && Realm == "NULL" ) -> FALSE
(10) elsif ( Called-Station-SSID == "MYSSID" && Realm != "NULL" && Realm != "example.com" )
(10) elsif ( Called-Station-SSID == "MYSSID" && Realm != "NULL" && Realm != "example.com" ) -> FALSE
(10) } # if ( Called-Station-SSID ) = updated
(10) ... skipping else for request 10: Preceding "if" was taken
(10) } # if ( Huntgroup-Name == "wlan" ) = updated
(10) ... skipping elsif for request 10: Preceding "if" was taken
(10) eap : Peer sent code Response (2) ID 10 length 144
(10) eap : Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = EAP
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) authenticate {
(10) eap : Expiring EAP session with state 0x590f140159050ed0
(10) eap : Finished EAP session with state 0xacb99350a5b38a32
(10) eap : Previous EAP request found for state 0xacb99350a5b38a32, released from the list
(10) eap : Peer sent method PEAP (25)
(10) eap : EAP PEAP (25)
(10) eap : Calling eap_peap to process EAP data
(10) eap_peap : processing EAP-TLS
(10) eap_peap : eaptls_verify returned 7
(10) eap_peap : Done initial handshake
(10) eap_peap : eaptls_process returned 7
(10) eap_peap : FR_TLS_OK
(10) eap_peap : Session established. Decoding tunneled attributes
(10) eap_peap : Peap state phase2
(10) eap_peap : EAP type MSCHAPv2 (26)
(10) eap_peap : Got tunneled request
EAP-Message = 0x020a004a1a020a004531b63db2cae3124f4e1093319503802a3e00000000000000007f33f75b68d57a06cc7bce81a291765e6832849db44cdc7b006b32303230383140646b727a2e6465
server default {
(10) eap_peap : Setting User-Name to gerald at example.com
Sending tunneled request
EAP-Message = 0x020a004a1a020a004531b63db2cae3124f4e1093319503802a3e00000000000000007f33f75b68d57a06cc7bce81a291765e6832849db44cdc7b006b32303230383140646b727a2e6465
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'gerald at example.com'
State = 0x590f140159050ed009dc274a52ff2d37
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
NAS-IP-Address = 10.25.1.111
Event-Timestamp = 'Apr 28 2015 10:55:40 CEST'
Called-Station-Id := '11-22-33-44-55-66'
server inner-tunnel {
(10) server inner-tunnel {
(10) Request:
EAP-Message = 0x020a004a1a020a004531b63db2cae3124f4e1093319503802a3e00000000000000007f33f75b68d57a06cc7bce81a291765e6832849db44cdc7b006b32303230383140646b727a2e6465
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'gerald at example.com'
State = 0x590f140159050ed009dc274a52ff2d37
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
NAS-IP-Address = 10.25.1.111
Event-Timestamp = 'Apr 28 2015 10:55:40 CEST'
Called-Station-Id := '11-22-33-44-55-66'
(10) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(10) authorize {
(10) update request {
(10) } # update request = noop
(10) [preprocess] = ok
(10) auth_inner_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-inner-detail-%Y%m%d
(10) auth_inner_log : --> /var/log/radius/radacct/10.25.10.6/auth-inner-detail-20150428
(10) auth_inner_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-inner-detail-%Y%m%d expands to /var/log/radius/radacct/10.25.10.6/auth-inner-detail-20150428
(10) auth_inner_log : EXPAND %t
(10) auth_inner_log : --> Tue Apr 28 10:55:40 2015
(10) [auth_inner_log] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) suffix : Checking for suffix after "@"
(10) suffix : Looking up realm "example.com" for User-Name = "gerald at example.com"
(10) suffix : Found realm "example.com"
(10) suffix : Adding Stripped-User-Name = "gerald"
(10) suffix : Adding Realm = "example.com"
(10) suffix : Authentication realm is LOCAL
(10) [suffix] = ok
(10) update control {
(10) Proxy-To-Realm := 'LOCAL'
(10) } # update control = noop
On 28/04/15 11:09, Arran Cudbard-Bell wrote:
>>> update request {
>>> Called-Station-SSID := &outer.Called-Station-SSID
>>> }
>>
>> I tried that but it doesn't work.
>>
>> I call rewrite_called_station_id after suffix in the authorize section of the default server. I can see it sets Called-Station-SSID correctly.
>
> Mind posting all the debug output? Unless it's super secret...
>
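The two unlang policies that the debug output above walks through (filter_username in the outer authorize section and rewrite_called_station_id), re-expressed in Python as an added example so the regexes can be exercised on constructed sample values; this is not code from the thread or from FreeRADIUS itself. Treating a filter_username match as a rejection is an assumption about that policy's intent, and `!~` is modelled as the negation of `=~`, which is the semantics the subject line asks about.

```python
import re

# Added example, not from the thread: the two unlang policies visible in the
# debug output, re-expressed in Python so their regexes can be checked offline.

# filter_username: each check mirrors one unlang condition from the log. A match
# is treated here as "reject" (assumed intent of the policy). The `!~` operator
# is the negation of `=~`: it is true when the regex does NOT match.
def filter_username(user_name):
    """Return None if the name passes, otherwise a description of the failing check."""
    if not user_name:                       # if (!&User-Name)
        return "no User-Name"
    if re.search(r" ", user_name):          # =~ / /
        return "contains a space"
    if re.search(r"@.*@", user_name):       # =~ /@.*@/
        return "more than one @"
    if re.search(r"\.\.", user_name):       # =~ /\.\./
        return "contains .."
    # (&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/): realm with no dot
    if re.search(r"@", user_name) and not re.search(r"@(.+)\.(.+)$", user_name):
        return "realm has no dot"
    if re.search(r"\.$", user_name):        # =~ /\.$/
        return "ends with a dot"
    if re.search(r"@\.", user_name):        # =~ /@\./
        return "realm starts with a dot"
    return None

# rewrite_called_station_id: the same case-insensitive regex the log shows,
# six hex octets with optional single separators and an optional ":SSID" suffix.
CALLED_STATION_RE = re.compile(
    r"^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?"
    r"([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$",
    re.IGNORECASE,
)

def rewrite_called_station_id(value):
    """Return (lower-cased dashed MAC, SSID or None), or None if the value does not match.

    Mirrors the log: %{tolower:%{1}-...-%{6}} becomes the new Called-Station-Id
    and capture group 8 (the text after the MAC's ':') becomes Called-Station-SSID.
    """
    m = CALLED_STATION_RE.match(value)
    if not m:
        return None
    mac = "-".join(m.group(i) for i in range(1, 7)).lower()
    return mac, m.group(8)
```

Comparing `rewrite_called_station_id` against a Called-Station-Id from your own NAS is a quick way to confirm which SSID string the outer request actually carries before debugging why the inner-tunnel copy ends up as a noop.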
More information about the Freeradius-Users mailing list