Proxy / reply translation

Richard J Palmer richard at merula.net
Sat Nov 11 22:45:19 CET 2017


Hi Alan

That makes a lot more sense - I have other servers here feeding from 
that SQL Database so I will proxy to them. Not sure why I didn't think 
of that option!

Thanks again

Richard




On Saturday 11/11/2017 at 8:42 pm, Alan Buxey  wrote:
> Not that remote server, just spin up another server that this one
> talks to, replying back with such results.
>
> Run in full debug mode, you should see contents of packets, since this
> isn't in the post-proxy or post-auth (as you are putting things in
> during Auth stage and checking/changing them there - which isn't how
> the real server would behave or be configured) the check you make will
> be different too
>
> alan
>
> On 11 Nov 2017 8:17 pm, "Richard J Palmer" <richard at merula.net> wrote:
>
>>
>> Hi
>>
>> I can almost certainly test this with the remote radius server - I am
>> just waiting for the remote server to be configured to allow me access -
>> and in the meantime was trying to test my config locally.
>>
>> From the log
>>
>> if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>>
>> ERROR: Failed retrieving values required to evaluate condition
>>
>> I assume that &Cisco-AVPair is not available here and I should be using
>> something else (or I could have totally the wrong reason).
>>
>> Ultimately the aim was to check if what I had written worked before I
>> had access to the upstream server. If it's easier just to wait I shall.
>>
>> Thanks in advance
>>
>> Richard
>>
>>
>>
>>
>> On Saturday 11/11/2017 at 7:39 pm, Alan Buxey  wrote:
>>
>>>
>>> Best test would be to have a remote radius server sending back replies
>>> like you will have, as using some local stuff added via SQL isn't going
>>> to be the same, goes through different sections,
>>>
>>> alan
>>>
>>> On 11 Nov 2017 7:33 pm, "Richard J Palmer" <richard at merula.net> wrote:
>>>
>>>
>>>>
>>>> Hi Alan
>>>>
>>>> I will be using it for Proxy. However I was trying to test / use this
>>>> locally as well while debugging the server / code.
>>>>
>>>> Ideally it would be nice to allow both options to work but I am
>>>> flexible if it's easier just to use this for requests that are proxied.
>>>>
>>>> Thanks
>>>>
>>>> Richard
>>>>
>>>>
>>>>
>>>>
>>>> On Saturday 11/11/2017 at 7:14 pm, Alan Buxey  wrote:
>>>>
>>>>
>>>>>
>>>>> You say you need to modify a reply from their radius server - this
>>>>> will be in the post-proxy section?
>>>>>
>>>>> Also, if (&reply:Cisco-AVPair ... ?
>>>>>
>>>>> alan
>>>>>
>>>>>
>>>>> On 11 Nov 2017 6:37 pm, "Richard J Palmer" <richard at merula.net> wrote:
>>>>>
>>>>> Hi
>>>>>
>>>>> Sorry for the delay. I am getting close with this I think... BUT
>>>>> something seems to be slightly wrong.
>>>>>
>>>>> Happy to post a full log as needed - BUT I hope the bit I need is here:
>>>>>
>>>>> (2) sql1:   Framed-Route = ""
>>>>> (2) sql1:   Framed-IP-Address = 1.2.3.1
>>>>> (2) sql1:   Framed-IP-Netmask = 255.255.255.248
>>>>> (2) sql1:   Cisco-AVPair += "ip:route=1.2.3.0 255.255.255.248"
>>>>> (2) sql1:   Filter-Id = "P"
>>>>> (2) sql1:   Chargeable-User-Identity = "richard2"
>>>>>
>>>>> <group SQL statements>
>>>>>
>>>>> (2) sql1: Group "Hotspot": Merging reply items
>>>>> (2) sql1:   Acct-Interim-Interval = 600
>>>>>
>>>>> (2)       [sql1] = ok
>>>>> (2)     } # redundant = ok
>>>>> (2)     policy rewrite_routes {
>>>>> (2)       if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>>>>> (2)       ERROR: Failed retrieving values required to evaluate condition
>>>>> (2)     } # policy rewrite_routes = ok
>>>>>
>>>>> (2) Login OK: [richard2] (from client local port 1)
>>>>> (2) Sent Access-Accept Id 69 from 127.0.0.1:1645 to 127.0.0.1:48919 length 0
>>>>> (2)   Framed-IP-Address = 1.2.3.1
>>>>> (2)   Framed-IP-Netmask = 255.255.255.248
>>>>> (2)   Cisco-AVPair = "ip:route=1.2.3.0 255.255.255.248"
>>>>> (2)   Filter-Id = "P"
>>>>> (2)   Chargeable-User-Identity = "richard2"
>>>>> (2)   Acct-Interim-Interval = 600
>>>>> (2) Finished request
>>>>>
>>>>>
>>>>> In my authorise section I have placed:
>>>>>
>>>>> redundant {
>>>>>         sql1
>>>>>         sql2
>>>>>         handled
>>>>> }
>>>>> #     -sql
>>>>> rewrite_routes
>>>>>
>>>>> (The other sections are there - this is just to show where what I hope
>>>>> is relevant. The code itself is based on the code provided below.)
>>>>>
>>>>> rewrite_routes {
>>>>>     if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>>>>>         switch "%{2}" {
>>>>>             case "255.255.255.255" {
>>>>>                 update reply {
>>>>>                     Framed-Route = "%{1}/32"
>>>>>                 }
>>>>>             }
>>>>>             case "255.255.255.254" {
>>>>>                 update reply {
>>>>>                     Framed-Route = "%{1}/31"
>>>>>                 }
>>>>>             }
>>>>>
>>>>>
>>>>> and so on (it is in the policy.d folder)
>>>>>
>>>>> I am aware the key to this is the error
>>>>>
>>>>> (2)       ERROR: Failed retrieving values required to evaluate condition
>>>>>
>>>>> What I am unclear about is why this is failing / and what I have done
>>>>> wrong here to cause this. If you can give me one more pointer here I'd
>>>>> appreciate it.
>>>>>
>>>>> More than happy to send any of the extra config or log as needed
>>>>>
>>>>> Thanks in advance
>>>>>
>>>>> Richard
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Thursday 09/11/2017 at 1:35 pm, Alan DeKok  wrote:
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> On Nov 9, 2017, at 8:19 AM, Richard J Palmer <richard at merula.net>
>>>>>> wrote:
>>>>>>>
>>>>>>> This is where my skills are not great (regex) most other areas I can
>>>>>>> work with. Ultimately I am happy to pay someone to help write the
>>>>>>> little bit of code that does this. I do need to cope with Netmasks
>>>>>>> from /32 to /24 so a few switch cases.
>>>>>>
>>>>>>   It shouldn't be difficult.
>>>>>>
>>>>>>> Alternatively if someone can provide a few pointers on that bit I can
>>>>>>> probably build from there.
>>>>>>
>>>>>>   If you have:
>>>>>>
>>>>>> Cisco-AVPair = "ip:route=1.2.3.1 255.255.255.240"
>>>>>>
>>>>>>   Step 1, split it into pieces:
>>>>>>
>>>>>> if (&Cisco-AVPair =~ /ip:route=([^ ]+) ([^ ]+)/) {
>>>>>>
>>>>>>   This matches the "ip:route" prefix.  It then matches non-space data,
>>>>>> then a space, and more non-space data.  As per the FR documentation,
>>>>>> the first match goes into %{1}, and the second into %{2}.
>>>>>>
>>>>>>   As there are only a limited number of net masks, you can expand
>>>>>> the net mask, and switch over it (inside of the "if" block from above)
>>>>>>
>>>>>>     switch "%{2}" {
>>>>>>         case "255.255.255.255" {
>>>>>>             update reply {
>>>>>>                 Framed-Route = "%{1}/32"
>>>>>>             }
>>>>>>         }
>>>>>>
>>>>>>         case "255.255.255.254" {
>>>>>>             update reply {
>>>>>>                 Framed-Route = "%{1}/31"
>>>>>>             }
>>>>>>         }
>>>>>>
>>>>>>         case "255.255.255.252" {
>>>>>>             update reply {
>>>>>>                 Framed-Route = "%{1}/30"
>>>>>>             }
>>>>>>         }
>>>>>>
>>>>>>         # ... etc...
>>>>>>
>>>>>>         # and the "catch all" case, just mash it to /28
>>>>>>         case {
>>>>>>             update reply {
>>>>>>                 Framed-Route = "%{1}/28"
>>>>>>             }
>>>>>>         }
>>>>>>     }
>>>>>>
>>>>>>   A little verbose, but it should work.
>>>>>>
>>>>>>   Alan DeKok.
>>>>>>
>>>>>>
>>>>>> -
>>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>>>>>
>>>>>>
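Added example, not part of the thread and not FreeRADIUS code: the two steps Alan DeKok describes above (split the AVPair with a regex into the address and the dotted netmask, then turn the netmask into a prefix length for Framed-Route) written in Python so they can be run and checked offline. Instead of one switch case per mask it computes the prefix length from the mask bits, so it goes beyond the thread and covers every contiguous mask rather than only /24 to /32, and it refuses to emit a route for a non-contiguous mask or a non-matching AVPair. The regex is the one from the thread; the function names and the sample AVPairs are constructed for this example. It does not model the request/reply list distinction behind the "Failed retrieving values" error, which is a FreeRADIUS policy question and not a parsing one.

```python
import ipaddress
import re
from typing import List, Optional

# Regex mirroring the unlang condition from the thread: "ip:route=" followed
# by non-space data, a space, and more non-space data. Group 1 is %{1} and
# group 2 is %{2} in unlang terms.
ROUTE_RE = re.compile(r"ip:route=([^ ]+) ([^ ]+)")

# Constructed sample AVPairs for this example; not taken from any real server.
SAMPLE_AVPAIRS = [
    "ip:route=1.2.3.0 255.255.255.248",            # the /29 seen in the log
    "ip:route=1.2.3.1 255.255.255.255",            # host route, /32
    "ip:route=10.0.0.0 255.255.255.0",             # /24, the widest mask needed
    "ip:route=10.0.0.0 255.255.0.255",             # non-contiguous mask: rejected
    "lcp:interface-config=ip vrf forwarding foo",  # unrelated AVPair: no match
]


def netmask_to_prefix(mask: str) -> Optional[int]:
    """Return the prefix length for a dotted-quad netmask, or None when the
    mask is not a valid contiguous mask (e.g. 255.255.0.255)."""
    try:
        bits = int(ipaddress.IPv4Address(mask))
    except ValueError:
        return None
    prefix = bin(bits).count("1")
    # A contiguous mask is exactly `prefix` one-bits followed by zero-bits.
    expected = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return prefix if bits == expected else None


def avpair_to_framed_route(avpair: str) -> Optional[str]:
    """Translate one Cisco-AVPair 'ip:route=<net> <mask>' into the
    '<net>/<prefix>' form used for Framed-Route. Returns None when the
    AVPair does not match or the mask or address is unusable, so a caller
    skips it rather than handing the NAS a bogus route."""
    m = ROUTE_RE.search(avpair)
    if m is None:
        return None
    network, mask = m.group(1), m.group(2)
    prefix = netmask_to_prefix(mask)
    if prefix is None:
        return None
    try:
        ipaddress.IPv4Address(network)
    except ValueError:
        return None
    return f"{network}/{prefix}"


def translate_all(avpairs: List[str]) -> List[str]:
    """Return the Framed-Route strings for every translatable AVPair."""
    routes = (avpair_to_framed_route(a) for a in avpairs)
    return [r for r in routes if r is not None]


if __name__ == "__main__":
    for a in SAMPLE_AVPAIRS:
        print(f"{a!r:50} -> {avpair_to_framed_route(a)}")
```

The contiguity check is the part a per-mask switch gets for free (an unknown mask simply falls through to the catch-all); once the prefix is computed arithmetically it has to be done explicitly, otherwise a malformed mask would be silently turned into a route.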


