Question on Unlang

Olivier CALVANO o.calvano at gmail.com
Wed Mar 29 16:29:06 CEST 2017


Hi Brian,

thanks, I think the files module is the solution, because we currently have
40 domains and in May we will add 150 new domains without sub-subdomains.

A question, because I have tested it but it doesn't work. I have:

added in /etc/raddb/modules/subrealm:

files subrealm {
        key = "%{Realm}"
        filename = ${confdir}/Liste-des-Sous-Realm
}


in /etc/raddb/Liste-des-Sous-Realm, I have:
network.local Tmp-String-0 := "Excluded"
admin.local Tmp-String-0 := "Excluded"
wifi.local Tmp-String-0 := "Excluded"

in my /etc/raddb/policy.d/my.conf:

        if ((Tunnel-Server-Endpoint:0[0] != '172.16.1.1') &&
            (User-Name =~ /\\.local/) &&
            (&control:Tmp-String-0 != "Excluded") &&
            ("%{Packet-Src-IP-Address}" == "192.168.20.1")) {
                update reply {
                          <...>
                }
        }
        elsif ((Tunnel-Server-Endpoint:0[0] != '172.16.1.1') &&
               (&control:Tmp-String-0 != "Excluded") &&
               ("%{Packet-Src-IP-Address}" == "192.168.50.1")) {
                update reply {
                          <...>
                }
        }


and when I connect with @network.local, every time I get:
     ?? Evaluating (&control:Tmp-String-0 != "Excluded") -> TRUE

Tested too:
       if ((Tunnel-Server-Endpoint:0[0] != '172.16.1.1') &&
           (User-Name =~ /\\.local/) &&
           ("%{control:Tmp-String-0}" != "Excluded") &&
           ("%{Packet-Src-IP-Address}" == "192.168.20.1")) {

Same result.

Last test:
      I added "subrealm" to post-auth { in /etc/raddb/sites-available/default,
but no change.

Did I not do everything right?




I don't know how I can see the value of "Tmp-String-0"; is there an
equivalent of "print Tmp-String-0" to see it in the logs?

Included:

thanks


2017-03-25 18:36 GMT+01:00 Brian Candler <b.candler at pobox.com>:

> On 25/03/2017 11:54, Olivier CALVANO wrote:
>
>> but for me not a big difference between my actual config and regular
>> expressions.
>> all lines are very very long
>>
>
> If you're only excluding three domains it seems a good enough solution to
> me.
>
> If you want something "data driven" then you can look at the files module:
>
> files subrealm {
>   key = "%{Realm}"
>   filename = ${moddir}/subrealm
> }
>
>
> # subrealm file
> network.local    Tmp-String-0 := "Excluded"
> admin.local    Tmp-String-0 := "Excluded"
> wifi.local    Tmp-String-0 := "Excluded"
>
> then check control:Tmp-String-0 in your policy. However that doesn't do
> *exactly* what your current config does, because your current config would
> match sub-subdomains like user@foo.network.local, and the above doesn't.
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: putty.log
Type: application/octet-stream
Size: 10665 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20170329/7ae9d9ed/attachment.obj>
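The thread leaves two things implicit that decide whether the &control:Tmp-String-0 check can ever see the value from the files lookup: the files instance is keyed on %{Realm}, so the realm module (suffix) must have split the User-Name before it runs, and the lookup itself must run earlier in request processing than the policy that tests the attribute. The following authorize section is an added example written for this post, not configuration from either participant; it reuses the subrealm instance and the Tmp-String-0 attribute from the thread, while my_subrealm_policy is a hypothetical name for the policy in policy.d/my.conf, and the debug_attr xlat used to print the attribute into the radiusd -X output is assumed to be available (it is part of FreeRADIUS 3.0.x).

```unlang
# Added example, not from the thread. Assumes FreeRADIUS 3.0.x.
# Goal: make control:Tmp-String-0 visible to the policy and to the debug log.
authorize {
        # rlm_realm: splits "user@network.local" and sets Realm.
        # %{Realm} is what the files instance below uses as its key,
        # so this has to come first.
        suffix

        # files instance from the thread (key = "%{Realm}").
        # A check item on the key line of the file, such as
        #   network.local Tmp-String-0 := "Excluded"
        # is placed in the control list, which is what
        # &control:Tmp-String-0 reads in the policy.
        subrealm

        # Print the attribute into the debug output of "radiusd -X".
        # A bare string statement is expanded and its result discarded;
        # debug_attr writes the named attribute to the debug log.
        # Assumption: this xlat exists in the running version (3.0.x).
        if (&control:Tmp-String-0) {
                "%{debug_attr:control:Tmp-String-0}"
        }

        # Hypothetical name for the policy defined in policy.d/my.conf.
        # It now runs after the lookup, so the "Excluded" test sees the
        # value set by the files module for the request's realm.
        my_subrealm_policy
}
```

Run the server with radiusd -X and send a request for a user in one of the listed realms: the files module lookup, the control-list update and the expansion of the debug_attr string all appear in the debug output, which answers the "print Tmp-String-0" question without adding anything to the reply. Listing subrealm only in post-auth does not help if the policy is called from authorize, because post-auth runs after authorize has already evaluated the check.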
