Nas-IP-Address regexp matching in hints/huntgroups working in 2.2.0 and not in 3.0.13

Gianni Costanzi gianni.costanzi at gmail.com
Fri Dec 15 12:29:59 CET 2017


On Thu, Dec 7, 2017 at 6:24 PM, Alan Buxey <alan.buxey at gmail.com> wrote:

> authorize section of the default virtual server for a vanilla install.
> AFTER the modules that service the request but before the first calls to eg
> pap and EAP etc
>
> alan
>
> > if (User-Name =~ /^(xx[e0][0-9]{3})$/ \
> >       && NAS-IP-Address !~ /10\.10\.1\.11[89]$/ \
> >       && NAS-IP-Address !~ /10\.10\.2\.(10|20)$/)
> > {
> >      User-Name := "%{User-Name}@imp"
> > }
> >
> > If this should work, I still don't know in which configuration file I
> > should put this code in order to manipulate the User-Name in the
> > preprocessing step, before authentication on SQL/files happens.
> >
> > Best regards,
> >     Gianni Costanzi
>
>
Hi,
I've tried to add the following code within authorize section of default
virtual server, just after the preprocess directive:

        preprocess

        if (&User-Name =~ /^AAAAA$/) {
                update request {
                        &User-Name := "BBBBB"
                }
        }

It seems to work (radius debug says noop for that block of code but the
User-Name is correctly translated from AAAA to BBBB).

So I've tried to implement the code I need to replicate what I was using in
older FreeRADIUS:

        if (&User-Name =~ /^(xx[e0][0-9]{3})$/ \
                && NAS-IP-Address !~ /REGEXP/ \
                && NAS-IP-Address !~ /REGEXP/ \
                && NAS-IP-Address !~ /REGEXP/ \
                [...]
                && NAS-IP-Address !~ /REGEXP/ \
                && NAS-IP-Address !~ /REGEXP/) {
                update request {
                        &User-Name := "%{User-Name}@myrealm"
                }
        }

The problem now is that there are too many conditions and the radius server
does not start:

including configuration file /etc/raddb/sites-enabled/default
/etc/raddb/sites-enabled/default[273]: Reference "(&User-Name =~
/^(xx[e0][0-9]{3})$/           && NAS-IP-Address !~ [...]
               [...]&& NAS-IP-Address !~ /REGEXP/ ) " is too long
Failed expanding section name
/etc/raddb/sites-enabled/default[326]: Failed allocating memory for section
Errors reading or parsing /etc/raddb/radiusd.conf

If I reduce the number of "&& NAS-IP-Address" rows it works.

I'd like to implement the following work-around code, splitting the check
of NAS-IP-Addresses into multiple if blocks, but I need your help to tell me
if and how I can set a temporary variable match_found:

        if (&User-Name =~ /^(xx[e0][0-9]{3})$/) {
                match_found = 0
                if (NAS-IP-Address =~ /REGEXP/ \
                    && NAS-IP-Address =~ /REGEXP/ \
                    && NAS-IP-Address =~ /REGEXP/ \) {
                        match_found = 1
                }
                [...]
                if (NAS-IP-Address =~ /REGEXP/ \
                    && NAS-IP-Address =~ /REGEXP/ \
                    && NAS-IP-Address =~ /REGEXP/ \) {
                        match_found = 1
                }

                if (match_found == 0) {
                        update request {
                                &User-Name := "%{User-Name}@myrealm"
                        }
                }
        }

The logic would be the same: change the Username only if it matches the
username regexp and does not match any of the NAS-IP-Address regexps.
Can I allocate a temporary variable like match_found? It doesn't work as
I've written above (/etc/raddb/sites-enabled/default[273]: Errors parsing
authorize section.).
Furthermore, could I have the same "memory allocation for section" error
even with the code above? I don't know how radius is working behind the
scenes with this Unlang code, so I need your help.

Best regards, thank you in advance for any help
    Gianni Costanzi
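
One way to express the flag-based work-around in FreeRADIUS 3.x unlang, as an added example that is not part of the original message or the project's own configuration. It assumes the internal dictionary attribute Tmp-Integer-0 is free to use as the flag; the two NAS patterns are the ones from the quoted message, and the remaining patterns would follow the same shape.

```unlang
# Added example: goes in the authorize section, after "preprocess".
# Assumption: Tmp-Integer-0 (internal dictionary) is not used elsewhere
# in this virtual server, so it can act as the "match_found" flag.
if (&User-Name =~ /^(xx[e0][0-9]{3})$/) {

	# Flag starts at 0: the NAS is not on the exclusion list.
	update control {
		&Tmp-Integer-0 := 0
	}

	# One short condition per NAS pattern keeps every section name
	# well below the parser's length limit. A match on ANY pattern
	# sets the flag.
	if (&NAS-IP-Address =~ /10\.10\.1\.11[89]$/) {
		update control {
			&Tmp-Integer-0 := 1
		}
	}
	elsif (&NAS-IP-Address =~ /10\.10\.2\.(10|20)$/) {
		update control {
			&Tmp-Integer-0 := 1
		}
	}
	# ... one elsif block per remaining NAS pattern ...

	# Rewrite the User-Name only when no NAS pattern matched.
	if (&control:Tmp-Integer-0 == 0) {
		update request {
			&User-Name := "%{User-Name}@myrealm"
		}
	}
}
```

The NAS patterns are anchored only at the end, so `10\.10\.1\.11[89]$` also matches an address such as 210.10.1.118; add a leading `^` where only the exact address should be excluded from the realm rewrite. `radiusd -XC` parses the configuration and exits, which shows whether the section loads before the server is restarted.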

