Nas-IP-Address regexp matching in hints/huntgroups working in 2.2.0 and not in 3.0.13

Gianni Costanzi gianni.costanzi at gmail.com
Wed Dec 6 17:06:52 CET 2017


Hi,
I'm configuring a Freeradius 3.0.13 server and I'm testing the
configuration we have on a 2.2.0 Freeradius.

On our 2.2.0 we've implemented some entries like the following one within
the hints file:

DEFAULT User-Name =~ "^(xx[e0][0-9]{3})$", NAS-IP-Address !~ "10\.10\.1\.11[89]$", NAS-IP-Address !~ "10\.10\.2\.(10|20)$"
        User-Name := "%{User-Name}@imp"

(If you are wondering why we have multiple "NAS-IP-Address !~" on a single
line, it is because we've reached the maximum length for the string passed to
!~ and so we've split the string into multiple "NAS-IP-Address !~" blocks.)

The behavior we've implemented is: if username matches the regexp and
NAS-IP-Address does not match any of the regexps on the same line, then add
a realm to the username.

The above configuration does not give any error but it does not work on
3.0.13. The same happens with huntgroups where regexp matching on
NAS-IP-Address like the following one does not work anymore:

brocade-fos     NAS-IP-Address =~ "10\.10\.[18]8\.2[34]$"

I've noticed that regexp matching within the hints file works on User-Name; in
fact the following cfg works and matches an access from user xx0123 when
NAS-IP-Address is different from 10.10.1.118 and 10.10.1.254:

DEFAULT User-Name =~ "^(fc[e0][0-9]{3})$", NAS-IP-Address != "10.10.1.118", NAS-IP-Address != "10.10.1.254"

This solution is really much more verbose, because without regexp matching
I would need to add tens of "NAS-IP-Address != x.x.x.x" entries (I don't
know if there is a limit to their number) instead of using regexp to make
the whole thing more compact.

So my questions are:
1) Should regexp matching work within the hints and huntgroups files for
NAS-IP-Address in 3.0.13 as it worked in 2.2.0?
2) If it does not work anymore, how should I implement "if you are user
XXXX (with regexp) and the NAS-IP-Address is not one of the listed ones,
then do User-Name manipulation"?

Best regards,
    Gianni Costanzi
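
Added example, not part of the original post and not FreeRADIUS code: a Python model of the rule described above (rewrite User-Name only when the name matches and no NAS-IP-Address exclusion matches), useful as a reference when checking a migrated policy. It uses Python's re module rather than the server's regex engine, and the anchored pattern list is an assumption added to show that the posted patterns, having no leading ^, also exclude addresses such as 110.10.1.118.

```python
import re

# Patterns copied verbatim from the hints entry in the post.
USER_RE = re.compile(r"^(xx[e0][0-9]{3})$")
NAS_EXCLUDE = [
    re.compile(r"10\.10\.1\.11[89]$"),
    re.compile(r"10\.10\.2\.(10|20)$"),
]
# Assumption (not in the post): the same exclusions with a leading ^ anchor.
NAS_EXCLUDE_ANCHORED = [re.compile("^" + p.pattern) for p in NAS_EXCLUDE]


def apply_hint(user_name, nas_ip, excludes=NAS_EXCLUDE):
    """Append "@imp" only if the name matches and no exclusion matches the NAS IP."""
    if not USER_RE.search(user_name):
        return user_name
    if any(p.search(nas_ip) for p in excludes):
        return user_name
    return user_name + "@imp"


def unintended_exclusions(addresses):
    """Addresses the unanchored patterns exclude but the anchored ones do not."""
    return [
        ip for ip in addresses
        if any(p.search(ip) for p in NAS_EXCLUDE)
        and not any(p.search(ip) for p in NAS_EXCLUDE_ANCHORED)
    ]


# Constructed sample requests: (User-Name, NAS-IP-Address).
SAMPLES = [
    ("xx0123", "10.10.3.5"),     # name matches, NAS not excluded
    ("xx0123", "10.10.1.118"),   # NAS excluded by first pattern
    ("xxe999", "10.10.2.20"),    # NAS excluded by second pattern
    ("bob", "10.10.3.5"),        # name does not match
    ("xx0123", "110.10.1.118"),  # excluded only because the pattern is unanchored
]

if __name__ == "__main__":
    for user, nas in SAMPLES:
        loose = apply_hint(user, nas)
        strict = apply_hint(user, nas, NAS_EXCLUDE_ANCHORED)
        print(f"{user:8} {nas:14} unanchored={loose:12} anchored={strict}")
    print("unintended:", unintended_exclusions([nas for _, nas in SAMPLES]))
```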

