Proxy / reply translation

Alan Buxey alan.buxey at gmail.com
Sat Nov 11 20:39:05 CET 2017


Best test would be to have a remote radius server sending back replies like
you will have, as using some local stuff added via SQL isn't going to be the
same; it goes through different sections.

alan

On 11 Nov 2017 7:33 pm, "Richard J Palmer" <richard at merula.net> wrote:

> Hi Alan
>
> I will be using it for Proxy. However I was trying to test / use this
> locally as well while debugging the server / code.
>
> Ideally it would be nice to allow both options to work but I am flexible
> if it's easier just to use this for requests that are proxied
>
> Thanks
>
> Richard
>
>
>
>
> On Saturday 11/11/2017 at 7:14 pm, Alan Buxey  wrote:
>
>> You say you need to modify a reply from their radius server - this will be
>> in the post-proxy section?
>>
>> Also  if (&reply:Cisco-AVPair ...  ?
>>
>> alan
>>
>>
>> On 11 Nov 2017 6:37 pm, "Richard J Palmer" <richard at merula.net> wrote:
>>
>> Hi
>>
>> Sorry for the delay. I am getting close with this I think... BUT something
>> seems to be slightly wrong.
>>
>> Happy to post a full log as needed - BUT I hope the bit I need is here:
>>
>> (2) sql1:   Framed-Route = ""
>> (2) sql1:   Framed-IP-Address = 1.2.3.1
>> (2) sql1:   Framed-IP-Netmask = 255.255.255.248
>> (2) sql1:   Cisco-AVPair += "ip:route=1.2.3.0 255.255.255.248"
>> (2) sql1:   Filter-Id = "P"
>> (2) sql1:   Chargeable-User-Identity = "richard2"
>>
>> <group SQL statements>
>>
>> (2) sql1: Group "Hotspot": Merging reply items
>> (2) sql1:   Acct-Interim-Interval = 600
>>
>> (2)       [sql1] = ok
>> (2)     } # redundant = ok
>> (2)     policy rewrite_routes {
>> (2)       if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>> (2)       ERROR: Failed retrieving values required to evaluate condition
>> (2)     } # policy rewrite_routes = ok
>>
>> (2) Login OK: [richard2] (from client local port 1)
>> (2) Sent Access-Accept Id 69 from 127.0.0.1:1645 to 127.0.0.1:48919 length 0
>> (2)   Framed-IP-Address = 1.2.3.1
>> (2)   Framed-IP-Netmask = 255.255.255.248
>> (2)   Cisco-AVPair = "ip:route=1.2.3.0 255.255.255.248"
>> (2)   Filter-Id = "P"
>> (2)   Chargeable-User-Identity = "richard2"
>> (2)   Acct-Interim-Interval = 600
>> (2) Finished request
>>
>>
>> In my authorise section I have placed:
>>
>> redundant {
>>          sql1
>>          sql2
>>          handled
>>      }
>> #     -sql
>>      rewrite_routes
>>
>> (The other sections are there - this is just to show where what I hope is
>> relevant.) The code itself is based on the code provided below
>>
>> rewrite_routes {
>>     if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>>         switch "%{2}" {
>>             case "255.255.255.255" {
>>                 update reply {
>>                     Framed-Route = "%{1}/32"
>>                 }
>>             }
>>             case "255.255.255.254" {
>>                 update reply {
>>                     Framed-Route = "%{1}/31"
>>                 }
>>             }
>>
>>
>> and so on (it is in the policy.d folder)
>>
>> I am aware the key to this is the error
>>
>> (2)       ERROR: Failed retrieving values required to evaluate condition
>>
>> What I am unclear about is why this is failing / and what I have done
>> wrong here to cause this. If you can give me one more pointer here I'd
>> appreciate it
>>
>> More than happy to send any of the extra config or log as needed
>>
>> Thanks in advance
>>
>> Richard
>>
>>
>>
>>
>>
>> On Thursday 09/11/2017 at 1:35 pm, Alan DeKok  wrote:
>>
>>
>>> On Nov 9, 2017, at 8:19 AM, Richard J Palmer <richard at merula.net> wrote:
>>>
>>>
>>>>
>>>> This is where my skills are not great (regex) most other areas I can
>>>> work with. Ultimately I am happy to pay someone to help write the little
>>>> bit of code that does this. I do need to cope with Netmasks from /32 to
>>>> /24 so a few switch cases.
>>>>
>>>>
>>>        It shouldn't be difficult.
>>>
>>>
>>>
>>>> Alternatively if someone can provide a few pointers on that bit I can
>>>> probably build from there.
>>>>
>>>>
>>>        If you have:
>>>
>>>
>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>>                Cisco-AVPair = "ip:route=1.2.3.1 255.255.255.240"
>>>>>>
>>>>>>
>>>>>        Step 1, split it into pieces:
>>>
>>> if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>>>
>>>        This matches the "ip:route" prefix.  It then matches non-space
>>> data, then a space, and more non-space data.  As per the FR documentation,
>>> the first match goes into %{1}, and the second into %{2}.
>>>
>>>        As there are only a limited number of net masks, you can expand
>>> the net mask, and switch over it (inside of the "if" block from above)
>>>
>>> switch "%{2}" {
>>>     case "255.255.255.255" {
>>>         update reply {
>>>             Framed-Route = "%{1}/32"
>>>         }
>>>     }
>>>
>>>     case "255.255.255.254" {
>>>         update reply {
>>>             Framed-Route = "%{1}/31"
>>>         }
>>>     }
>>>
>>>     case "255.255.255.252" {
>>>         update reply {
>>>             Framed-Route = "%{1}/30"
>>>         }
>>>     }
>>>
>>>     ... etc...
>>>
>>>     # and the "catch all" case, just mash it to /28
>>>     case {
>>>         update reply {
>>>             Framed-Route = "%{1}/28"
>>>         }
>>>     }
>>> }
>>>
>>>        A little verbose, but it should work.
>>>
>>>        Alan DeKok.
>>>
>>>
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list
>>> /users.html
>>>
>>>
>>
>
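
An offline model of the translation discussed in this thread, added here as an example; it is not code from any poster or from FreeRADIUS. It reuses the thread's regex, computes the prefix length from the mask instead of enumerating `case` blocks, and skips non-contiguous or out-of-range masks rather than falling back to /28 as the quoted catch-all does. The `lists` dictionary, function names and sample values are assumptions; the `source` argument models the fact that in FreeRADIUS v3 an attribute reference with no list prefix is looked up in the request list, while the debug output shows SQL adding Cisco-AVPair to the reply.

```python
import ipaddress
import re

# Same pattern as the unlang condition quoted in the thread.
ROUTE_RE = re.compile(r"ip:route=([^ ]+) ([^ ]+)")


def mask_to_prefix(mask):
    """Prefix length for a contiguous dotted netmask, or None if invalid."""
    try:
        host_bits = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    except ipaddress.AddressValueError:
        return None
    if host_bits & (host_bits + 1):  # host bits must be one run of trailing 1s
        return None
    return 32 - host_bits.bit_length()


def rewrite_routes(lists, source="reply", min_prefix=24):
    """Build Framed-Route values from Cisco-AVPair values in lists[source]."""
    routes = []
    for value in lists.get(source, {}).get("Cisco-AVPair", []):
        match = ROUTE_RE.search(value)
        if not match:
            continue  # some other AVPair, not a route
        network, mask = match.groups()
        prefix = mask_to_prefix(mask)
        try:
            ipaddress.IPv4Address(network)
        except ipaddress.AddressValueError:
            continue  # network part is not an IPv4 address
        if prefix is None or prefix < min_prefix:
            continue  # skip rather than guess a prefix
        routes.append(f"{network}/{prefix}")
    return routes


# Constructed packet state modelled on the debug output in the thread:
# Cisco-AVPair sits in the reply list, not in the request list.
SAMPLE = {
    "request": {"User-Name": ["richard2"]},
    "reply": {"Cisco-AVPair": [
        "ip:route=1.2.3.0 255.255.255.248",
        "ip:route=1.2.4.0 255.0.255.0",  # constructed: non-contiguous mask
        "shell:priv-lvl=1",              # constructed: not a route
    ]},
}

if __name__ == "__main__":
    print(rewrite_routes(SAMPLE, "reply"))
    print(rewrite_routes(SAMPLE, "request"))
```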


More information about the Freeradius-Users mailing list