Problems to use regex policy
Jérôme BERTHIER
Jerome.Berthier at inria.fr
Mon Dec 4 12:34:14 CET 2017
Hi,
I have a use case of EAP for which I have to verify that the outer
identity has a realm.
Before writing this verification under a new policy module, I just tried
to use those existing by default under policy.d/filter.
I don't know if it is really a mistake but the filter "deny_realms"
seems to be wrong.
I just tried to call the filter "deny_realms" under the section authorize
{} of the site default.
I tried with freeradius 3.0.4 and 3.0.13, both packages on CentOS 7.3
and 7.4.
In both cases, radiusd does not start because of a syntax error in the regex:
- error on freeradius 3.0.4
/etc/raddb/policy.d/filter[6]: Invalid regular expression @|\: bad escape sequence at offset 3
- error on freeradius 3.0.13
/etc/raddb/policy.d/filter[6]: Invalid regular expression:
/etc/raddb/policy.d/filter[6]: @|\
/etc/raddb/policy.d/filter[6]: ^ Pattern compilation failed: \ at end of pattern
Line number 6 is this test:
if (&User-Name && (&User-Name =~ /@|\\/)) {
If I replace it with this test, radiusd starts correctly:
if (&User-Name && (&User-Name =~ /@|\\{1}/)) {
Then, after this first step, I have a second issue with the filter
"filter_username".
I would be interested in using it inside the inner tunnel to sanitize the
inner identity.
One of its tests is always true and I don't understand why:
if (&User-Name =~ /\.\./ ) {
        update request {
                &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
        }
        reject
}
Whatever identity I use, the test on the double dot character is
verified.
I tried to call the filter "filter_username" under the section authorize
{} of the site default or inner-tunnel.
In both cases, it seems to have the issue (log from the site default below).
Ready to process requests
(0) Received Access-Request Id 0 from 10.10.10.12:36315 to 10.10.11.11:1812 length 146
(0) User-Name = "anonymous@mydomain.fr"
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = "Test client - app"
(0) EAP-Message = 0x0200001701616e6f6e796d6f757340696e7269612e6672
(0) Message-Authenticator = 0x02df880a5342968b4e6455cc5e5d9841
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> TRUE
(0) if (&User-Name =~ /\.\./ ) {
(0) update request {
(0) &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
(0) } # update request = noop
(0) [reject] = reject
(0) } # if (&User-Name =~ /\.\./ ) = reject
(0) } # if (&User-Name) = reject
(0) } # policy filter_username = reject
(0) } # authorize = reject
(0) Invalid user (Rejected: User-Name contains multiple ..s): [anonymous@mydomain.fr] (from client app port 0 cli xx-xx-xx-xx-xx-xx)
(0) Using Post-Auth-Type Reject
Later, I will also try to use the filter "filter_inner_identity". Thank
you for this!
Have a nice day
Regards,
--
Jérôme BERTHIER
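Added illustration, not part of the post or of FreeRADIUS itself: the two patterns from the message run through a simplified model of one backslash-unescaping pass before regex compilation. The model is an assumption inferred from the quoted error output (the config text /@|\\/ was reported back as @|\), and filter_username below is a constructed variant with doubled backslashes, not the shipped policy.

```python
import re


def unescape_once(text: str) -> str:
    r"""One pass of backslash processing as a config-file parser might do it.
    Assumption inferred from the post's error output: the config text /@|\\/
    was reported as '@|\', so every '\x' collapses to 'x'; a lone trailing
    backslash is kept as-is."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def evaluate(config_pattern: str, identity: str):
    """Compile the pattern as the server would see it after one unescaping pass
    and test it. Returns (effective_pattern, True/False) or 'compile-error'."""
    effective = unescape_once(config_pattern)
    try:
        matched = re.search(effective, identity) is not None
    except re.error:
        return effective, "compile-error"
    return effective, matched


def filter_username(identity: str):
    r"""The filter_username checks from the post, with backslashes doubled so the
    intended '\.\.' survives unescaping (constructed variant, not the shipped
    policy). Returns the first rejection reason, or None if the name is clean."""
    checks = [
        (r" ", "contains whitespace"),
        (r"@[^@]*@", "contains multiple @"),
        (r"\\.\\.", "contains multiple ..s"),
    ]
    for config_pattern, reason in checks:
        if evaluate(config_pattern, identity)[1] is True:
            return reason
    return None


if __name__ == "__main__":
    # As written in the post: '\.\.' becomes '..', which matches any identity.
    print(evaluate(r"\.\.", "anonymous@mydomain.fr"))
    # Doubled: the effective pattern '\.\.' only matches a real double dot.
    print(evaluate(r"\\.\\.", "anonymous@mydomain.fr"))
    # '@|\\' loses its backslash and fails to compile, as in the error shown.
    print(evaluate(r"@|\\", "anonymous@mydomain.fr"))
    print(filter_username("user@site..com"))
```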