Proxy / reply translation
Richard J Palmer
richard at merula.net
Sat Nov 11 20:33:31 CET 2017
Hi Alan
I will be using it for Proxy. However, I was trying to test / use this
locally as well while debugging the server / code.
Ideally it would be nice to allow both options to work but I am
flexible if it's easier just to use this for requests that are proxied.
Thanks
Richard
On Saturday 11/11/2017 at 7:14 pm, Alan Buxey wrote:
> You say you need to modify a reply from their radius server - this will be
> in the post-proxy section?
>
> Also if (&reply:Cisco-AVPair ... ?
>
> alan
>
>
> On 11 Nov 2017 6:37 pm, "Richard J Palmer" <richard at merula.net> wrote:
>
> Hi
>
> Sorry for the delay. I am getting close with this I think... BUT something
> seems to be slightly wrong.
>
> Happy to post a full log as needed - BUT I hope the bit I need is here:
>
> (2) sql1: Framed-Route = ""
> (2) sql1: Framed-IP-Address = 1.2.3.1
> (2) sql1: Framed-IP-Netmask = 255.255.255.248
> (2) sql1: Cisco-AVPair += "ip:route=1.2.3.0 255.255.255.248"
> (2) sql1: Filter-Id = "P"
> (2) sql1: Chargeable-User-Identity = "richard2"
>
> <group SQL statements>
>
> (2) sql1: Group "Hotspot": Merging reply items
> (2) sql1: Acct-Interim-Interval = 600
>
> (2) [sql1] = ok
> (2) } # redundant = ok
> (2) policy rewrite_routes {
> (2) if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
> (2) ERROR: Failed retrieving values required to evaluate condition
> (2) } # policy rewrite_routes = ok
>
> (2) Login OK: [richard2] (from client local port 1)
> (2) Sent Access-Accept Id 69 from 127.0.0.1:1645 to 127.0.0.1:48919 length 0
> (2) Framed-IP-Address = 1.2.3.1
> (2) Framed-IP-Netmask = 255.255.255.248
> (2) Cisco-AVPair = "ip:route=1.2.3.0 255.255.255.248"
> (2) Filter-Id = "P"
> (2) Chargeable-User-Identity = "richard2"
> (2) Acct-Interim-Interval = 600
> (2) Finished request
>
>
> In my authorise section I have placed:
>
>     redundant {
>         sql1
>         sql2
>         handled
>     }
>     # -sql
>     rewrite_routes
>
> (The other sections are there - this is just to show where what I hope is
> relevant.) The code itself is based on the code provided below
>
> rewrite_routes {
>
>     if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>         switch "%{2}" {
>             case "255.255.255.255" {
>                 update reply {
>                     Framed-Route = "%{1}/32"
>                 }
>             }
>             case "255.255.255.254" {
>                 update reply {
>                     Framed-Route = "%{1}/31"
>                 }
>             }
>
>
> and so on (it is in the policy.d folder)
>
> I am aware the key to this is the error
>
> (2) ERROR: Failed retrieving values required to evaluate condition
>
> What I am unclear about is why this is failing / and what I have done wrong
> here to cause this. If you can give me one more pointer here I'd appreciate
> it
>
> More than happy to send any of the extra config or log as needed
>
> Thanks in advance
>
> Richard
>
>
>
>
>
> On Thursday 09/11/2017 at 1:35 pm, Alan DeKok wrote:
>
>>
>> On Nov 9, 2017, at 8:19 AM, Richard J Palmer <richard at merula.net>
>> wrote:
>>
>>>
>>>
>>> This is where my skills are not great (regex) most other areas I can work
>>> with. Ultimately I am happy to pay someone to help write the little bit of
>>> code that does this. I do need to cope with Netmasks from /32 to /24 so a
>>> few switch cases.
>>>
>>
>> It shouldn't be difficult.
>>
>>
>>>
>>> Alternatively if someone can provide a few pointers on that bit I can
>>> probably build from there.
>>>
>>
>> If you have:
>>
>>
>>>>> Cisco-AVPair = "ip:route=1.2.3.1 255.255.255.240"
>>
>> Step 1, split it into pieces:
>>
>>     if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>>
>> This matches the "ip:route" prefix. It then matches non-space data,
>> then a space, and more non-space data. As per the FR documentation, the
>> first match goes into %{1}, and the second into %{2}.
>>
>> As there are only a limited number of net masks, you can expand the net
>> mask, and switch over it (inside of the "if" block from above)
>>
>>     switch "%{2}" {
>>         case "255.255.255.255" {
>>             update reply {
>>                 Framed-Route = "%{1}/32"
>>             }
>>         }
>>
>>         case "255.255.255.254" {
>>             update reply {
>>                 Framed-Route = "%{1}/31"
>>             }
>>         }
>>
>>         case "255.255.255.252" {
>>             update reply {
>>                 Framed-Route = "%{1}/30"
>>             }
>>         }
>>
>>         ... etc...
>>
>>         # and the "catch all" case, just mash it to /28
>>         case {
>>             update reply {
>>                 Framed-Route = "%{1}/28"
>>             }
>>         }
>>     }
>>
>> A little verbose, but it should work.
>>
>> Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>
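
The netmask-to-prefix mapping behind the switch discussed in this thread, as an added Python example (not code from the thread or from FreeRADIUS). It goes beyond the few cases shown by converting any contiguous mask, rejecting malformed ones, and generating the case blocks for /32 down to /24; the function names are assumptions.

```python
import ipaddress
import re

# Same pattern the thread's policy uses: network in group 1, mask in group 2.
ROUTE_RE = re.compile(r"ip:route=([^ ]+) ([^ ]+)")


def avpair_to_framed_route(avpair):
    """Return "network/prefix" for an ip:route AVPair, else None."""
    m = ROUTE_RE.search(avpair)
    if m is None:
        return None
    network, mask = m.groups()
    try:
        ipaddress.IPv4Address(network)
        mask_int = int(ipaddress.IPv4Address(mask))
    except ValueError:
        return None
    prefix = bin(mask_int).count("1")
    # Reject masks whose one-bits are not contiguous (e.g. 255.255.255.250).
    if mask_int != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        return None
    return f"{network}/{prefix}"


def unlang_cases(shortest=24, longest=32):
    """Generate the switch's case blocks, longest prefix first."""
    blocks = []
    for prefix in range(longest, shortest - 1, -1):
        mask = ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask
        blocks.append(
            f'case "{mask}" {{\n'
            f"\tupdate reply {{\n"
            f'\t\tFramed-Route = "%{{1}}/{prefix}"\n'
            f"\t}}\n"
            f"}}\n"
        )
    return "\n".join(blocks)


if __name__ == "__main__":
    # Values quoted in the thread.
    for value in ("ip:route=1.2.3.0 255.255.255.248",
                  "ip:route=1.2.3.1 255.255.255.240"):
        print(value, "->", avpair_to_framed_route(value))
    print(unlang_cases())
```

The generated blocks go inside the switch "%{2}" section; the converter gives the expected Framed-Route value to compare against the debug output.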