Proxy / reply translation

Alan Buxey alan.buxey at gmail.com
Sat Nov 11 21:42:27 CET 2017


Not that remote server, just spin up another server that this one talks to,
replying back with such results.

Run in full debug mode; you should see the contents of the packets. Since this
isn't in the post-proxy or post-auth section (as you are putting things in
during the Auth stage and checking/changing them there, which isn't how the
real server would behave or be configured), the check you make will be
different too.

alan

On 11 Nov 2017 8:17 pm, "Richard J Palmer" <richard at merula.net> wrote:

> Hi
>
> I can almost certainly test this with the remote radius server - I am just
> waiting for the remote server to be configured to allow me access - and in
> the meantime was trying to test my config locally.
>
> From the log
>
> if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>
> ERROR: Failed retrieving values required to evaluate condition
>
> I assume that &Cisco-AVPair is not available here and I should be using
> something else (or I could have totally the wrong reason).
>
> Ultimately the aim was to check if what I had written worked before I had
> access to the upstream server. If it's easier just to wait, I shall.
>
> Thanks in advance
>
> Richard
>
>
>
>
> On Saturday 11/11/2017 at 7:39 pm, Alan Buxey  wrote:
>
>> Best test would be to have a remote radius server sending back replies like
>> you will have, as using some local stuff added via SQL isn't going to be the
>> same; it goes through different sections.
>>
>> alan
>>
>> On 11 Nov 2017 7:33 pm, "Richard J Palmer" <richard at merula.net> wrote:
>>
>>
>>> Hi Alan
>>>
>>> I will be using it for Proxy. However I was trying to test / use this
>>> locally as well while debugging the server / code.
>>>
>>> Ideally it would be nice to allow both options to work but I am flexible
>>> if it's easier just to use this for requests that are proxied
>>>
>>> Thanks
>>>
>>> Richard
>>>
>>>
>>>
>>>
>>> On Saturday 11/11/2017 at 7:14 pm, Alan Buxey  wrote:
>>>
>>>
>>>> You say you need to modify a reply from their radius server - this will be
>>>> in the post-proxy section?
>>>>
>>>> Also  if (&reply:Cisco-AVPair ...  ?
>>>>
>>>> alan
>>>>
>>>>
>>>> On 11 Nov 2017 6:37 pm, "Richard J Palmer" <richard at merula.net> wrote:
>>>>
>>>> Hi
>>>>
>>>> Sorry for the delay. I am getting close with this I think... BUT something
>>>> seems to be slightly wrong.
>>>>
>>>> Happy to post a full log as needed - BUT I hope the bit I need is here:
>>>>
>>>> (2) sql1:   Framed-Route = ""
>>>> (2) sql1:   Framed-IP-Address = 1.2.3.1
>>>> (2) sql1:   Framed-IP-Netmask = 255.255.255.248
>>>> (2) sql1:   Cisco-AVPair += "ip:route=1.2.3.0 255.255.255.248"
>>>> (2) sql1:   Filter-Id = "P"
>>>> (2) sql1:   Chargeable-User-Identity = "richard2"
>>>>
>>>> <group SQL statements>
>>>>
>>>> (2) sql1: Group "Hotspot": Merging reply items
>>>> (2) sql1:   Acct-Interim-Interval = 600
>>>>
>>>> (2)       [sql1] = ok
>>>> (2)     } # redundant = ok
>>>> (2)     policy rewrite_routes {
>>>> (2)       if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>>>> (2)       ERROR: Failed retrieving values required to evaluate condition
>>>> (2)     } # policy rewrite_routes = ok
>>>>
>>>> (2) Login OK: [richard2] (from client local port 1)
>>>> (2) Sent Access-Accept Id 69 from 127.0.0.1:1645 to 127.0.0.1:48919 length 0
>>>> (2)   Framed-IP-Address = 1.2.3.1
>>>> (2)   Framed-IP-Netmask = 255.255.255.248
>>>> (2)   Cisco-AVPair = "ip:route=1.2.3.0 255.255.255.248"
>>>> (2)   Filter-Id = "P"
>>>> (2)   Chargeable-User-Identity = "richard2"
>>>> (2)   Acct-Interim-Interval = 600
>>>> (2) Finished request
>>>>
>>>>
>>>> In my authorise section I have placed:
>>>>
>>>> redundant {
>>>>     sql1
>>>>     sql2
>>>>     handled
>>>> }
>>>> #     -sql
>>>> rewrite_routes
>>>>
>>>> (The other sections are there - this is just to show what I hope is the
>>>> relevant part.) The code itself is based on the code provided below:
>>>>
>>>> rewrite_routes {
>>>>
>>>>     if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>>>>         switch "%{2}" {
>>>>             case "255.255.255.255" {
>>>>                 update reply {
>>>>                     Framed-Route = "%{1}/32"
>>>>                 }
>>>>             }
>>>>             case "255.255.255.254" {
>>>>                 update reply {
>>>>                     Framed-Route = "%{1}/31"
>>>>                 }
>>>>             }
>>>>
>>>> and so on (it is in the policy.d folder)
>>>>
>>>> I am aware the key to this is the error
>>>>
>>>> (2)       ERROR: Failed retrieving values required to evaluate condition
>>>>
>>>> What I am unclear about is why this is failing / and what I have done wrong
>>>> here to cause this. If you can give me one more pointer here I'd appreciate
>>>> it.
>>>>
>>>> More than happy to send any of the extra config or log as needed
>>>>
>>>> Thanks in advance
>>>>
>>>> Richard
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Thursday 09/11/2017 at 1:35 pm, Alan DeKok  wrote:
>>>>
>>>>
>>>>
>>>>> On Nov 9, 2017, at 8:19 AM, Richard J Palmer <richard at merula.net> wrote:
>>>>>
>>>>>> This is where my skills are not great (regex); most other areas I can work
>>>>>> with. Ultimately I am happy to pay someone to help write the little bit of
>>>>>> code that does this. I do need to cope with Netmasks from /32 to /24 so a
>>>>>> few switch cases.
>>>>>
>>>>>   It shouldn't be difficult.
>>>>>
>>>>>> Alternatively if someone can provide a few pointers on that bit I can
>>>>>> probably build from there.
>>>>>
>>>>>   If you have:
>>>>>
>>>>> Cisco-AVPair = "ip:route=1.2.3.1 255.255.255.240"
>>>>>
>>>>>   Step 1, split it into pieces:
>>>>>
>>>>> if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>>>>>
>>>>>   This matches the "ip:route" prefix.  It then matches non-space data,
>>>>> then a space, and more non-space data.  As per the FR documentation, the
>>>>> first match goes into %{1}, and the second into %{2}.
>>>>>
>>>>>   As there are only a limited number of net masks, you can expand the net
>>>>> mask, and switch over it (inside of the "if" block from above)
>>>>>
>>>>> switch "%{2}" {
>>>>>     case "255.255.255.255" {
>>>>>         update reply {
>>>>>             Framed-Route = "%{1}/32"
>>>>>         }
>>>>>     }
>>>>>
>>>>>     case "255.255.255.254" {
>>>>>         update reply {
>>>>>             Framed-Route = "%{1}/31"
>>>>>         }
>>>>>     }
>>>>>
>>>>>     case "255.255.255.252" {
>>>>>         update reply {
>>>>>             Framed-Route = "%{1}/30"
>>>>>         }
>>>>>     }
>>>>>
>>>>>     ... etc...
>>>>>
>>>>>     # and the "catch all" case, just mash it to /28
>>>>>     case {
>>>>>         update reply {
>>>>>             Framed-Route = "%{1}/28"
>>>>>         }
>>>>>     }
>>>>> }
>>>>>
>>>>>                A little verbose, but it should work.
>>>>>
>>>>>                Alan DeKok.
>>>>>
>>>>>
>>>>> -
>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>

