Semantics of !~ operator

Gerald Vogt vogt at spamcop.net
Tue Apr 28 14:56:38 CEST 2015


I reverted everything back to my own ssid policy but now tried the 
following at the beginning of the inner-tunnel authorize section:

--- /etc/raddb/sites-enabled/inner-tunnel	Mon Apr 27 15:08:31 2015
+++ /etc/raddb/sites-enabled/inner-tunnel	Tue Apr 28 14:52:09 2015
@@ -46,6 +46,9 @@
  #  Make *sure* that 'preprocess' comes before any realm if you
  #  need to setup hints for the remote radius server

  authorize {
+	update request {
+		Local-SSID := "%{outer.request:Local-SSID}"
+	}
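
Review bot: The `Local-SSID := "%{outer.request:Local-SSID}"` line in the new `update request` block assigns unconditionally. When the outer request carries no Local-SSID, the expansion is empty and the inner request ends up with an empty Local-SSID instead of none, so a later inner-tunnel check for the attribute's presence would still match. Consider wrapping the update in `if (&outer.request:Local-SSID) { ... }`, and add a comment above the block noting that the value is set by the ssid policy in the outer server.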

and that works:

(11)  # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(11)    authorize {
(11)    update request {
(11)  EXPAND %{outer.request:Local-SSID}
(11)     --> MYSSID
(11)  	Local-SSID := "MYSSID"
(11)    } # update request = noop

So I guess that should also work with Called-Station-SSID.

Any insights?

-Gerald


On 28/04/15 14:43, Gerald Vogt wrote:
>
>
> On 28/04/15 14:07, Alan DeKok wrote:
>> On Apr 28, 2015, at 7:36 AM, Gerald Vogt <vogt at spamcop.net> wrote:
>>> The default server has the Called-Station-Id attribute, it does
>>> correctly extract the SSID from the Id and it correctly puts it into
>>> the Called-Station-SSID. I even do some checks in unlang based on
>>> that SSID in the outer server and they show results as expected.
>>
>>    Hmm... the TTLS / PEAP code only copies over RADIUS *protocol*
>> attributes.  It doesn't copy anything else.  I suppose that should be
>> documented better.
>>
>>> So I suppose in that context the attribute exists. But it doesn't go
>>> into the inner tunnel. Neither by means of the eap module
>>> copy_request_to_tunnel=yes nor by the added "update request" in the
>>> inner tunnel.
>>
>>    You should be able to do:
>>
>> update request {
>>     Called-Station-SSID := &outer.request:Called-Station-SSID
>> }
>
> It doesn't work. I have tried that and
>
>          update request {
>                  Called-Station-SSID := &outer.Called-Station-SSID
>          }
>
> at the beginning of the inner-tunnel authorize section and neither gets
> any value in the inner tunnel.
>
>>    If that doesn't work, it's likely a bug.
>
> So it's a bug, I guess.
>
>>> Yes. I know that. That's how I did it in the beginning. My own "ssid"
>>> policy does not modify Called-Station-Id and thus I could extract the
>>> SSID in the inner tunnel as well.
>>
>>    Just run the policy in the inner tunnel, not the outer one.
>
> I need the SSID in the outer server, too. So I guess it's back to square
> one and I better use my own policy which simply extracts the SSID. That
> policy I can use on both servers...
>
> -Gerald

