Cisco-AVPair regex
Alan DeKok
aland at deployingradius.com
Fri Jul 14 15:35:24 CEST 2017
On Jul 14, 2017, at 9:22 AM, Kylián Martin <kylianm at plzen.eu> wrote:
>
> I'm trying to save some of the Cisco-AVPair attributes into sql while accounting. Specifically, I'm interested in the dhcp-options and http-tlv attributes. WLC describes the connected device in these.
>
> Unfortunately, Freeradius 3.12 expands these values in an unregexable way.
> (With_cisco_vsa_hack = yes in preprocess the result is the same)
> Correctly expanded is just Cisco-AVPair = "audit-session-id=1ef1a8c000014809cba76859"
That's just text. There shouldn't be a problem.
> Policy file:
>
> device_regex = '^((dhcp-option=)|(http-tlv=)){1}([\\].{2,5})([\\].{2,5})([\\].{3})([\\].{3})?(.*)'
That seems much too complicated. And doesn't match the Cisco-AVPair you have above.
> (98) Cisco-AVPair = "dhcp-option=\000\014\000\0056spMK"
> (98) Cisco-AVPair = "http-tlv=\000\001\000\030iPhone8,2/10.3.2 (14F89)"
>
> How to regex these?
Use a regex library which can handle embedded NUL bytes.
Regexes normally work on strings. i.e. printable data. The attributes above are binary, not printable data.
> Both attributes are expanded till the first whitespace char
No, they stop on the first NUL character. i.e. embedded zero.
> (98) if ("%{Foreach-Variable-0}" =~ /^((dhcp-option=)|(http-tlv=)){1}([\\].{2,5})([\\].{2,5})([\\].{3})([\\].{3})?(.*)/i) -> FALSE
> (98) } # foreach &Cisco-AVPair = updated
> (98) } # if (&Cisco-AVPair) = updated
>
> How to get text values following whitespaces?
> I've already tried if ("unescape:%{Foreach-Variable-0}" =~ /${policy.device_regex}/i) with no luck
Install pcre, and use it as the regex engine. It can handle embedded NUL bytes.
Or, use another method to parse the Cisco-AVPairs. e.g. rlm_perl.
Or, use the "unpack" module to unpack binary data. See raddb/mods-available/unpack for documentation.
Alan DeKok.
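
Added example, not part of the original message and not FreeRADIUS code: a stand-alone Python illustration of the "parse it another way" option, showing why a NUL-terminated string view ends at `dhcp-option=` and how the two values from the debug output unpack. The layout (2-byte big-endian type, 2-byte big-endian length, then the value) is an assumption inferred from those two debug lines, and the function names are illustrative.

```python
import struct

# Byte values behind the two debug lines in the thread (octal escapes decoded).
SAMPLES = [
    b"dhcp-option=\x00\x0c\x00\x056spMK",
    b"http-tlv=\x00\x01\x00\x18iPhone8,2/10.3.2 (14F89)",
]
PREFIXES = (b"dhcp-option=", b"http-tlv=")


def c_string_view(raw: bytes) -> bytes:
    """What a NUL-terminated string API sees: everything before the first 0x00."""
    return raw.split(b"\x00", 1)[0]


def parse_avpair(raw: bytes):
    """Return (name, type, value) or None if raw is not a well-formed TLV AVPair.

    Assumed layout, inferred from the samples: 2-byte big-endian type,
    2-byte big-endian length, then exactly `length` value bytes.
    """
    for prefix in PREFIXES:
        if raw.startswith(prefix):
            body = raw[len(prefix):]
            break
    else:
        return None  # some other AVPair, e.g. audit-session-id
    if len(body) < 4:
        return None  # header cut short
    tlv_type, length = struct.unpack("!HH", body[:4])
    value = body[4:]
    if len(value) != length:  # reject truncated or padded values
        return None
    # Only printable ASCII is passed on as text; anything else is hex-encoded
    # so no raw control bytes reach the SQL layer.
    if all(0x20 <= b < 0x7F for b in value):
        text = value.decode("ascii")
    else:
        text = "0x" + value.hex()
    return prefix[:-1].decode("ascii"), tlv_type, text


if __name__ == "__main__":
    for sample in SAMPLES:
        print(c_string_view(sample), parse_avpair(sample))
```

The parsed text should still be bound as a query parameter when it is written to the accounting table, since the value is supplied by the client device.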