VLAN affect based on ldap attribute freeradius v3
jehan procaccia INT
jehan.procaccia at int-evry.fr
Fri Aug 31 00:49:41 CEST 2018
On 30/08/2018 at 23:12, Matthew Newton wrote:
> On Thu, 2018-08-30 at 22:55 +0200, jehan procaccia int wrote:
>> I did that, but it still fails, now with the error:
>>
>> (30) if (( &reply:User-Category == "employee") || (&reply:User-
>> Category == "faculty") || (&reply:User-Category == "staff" ) ||
>> (&reply:User-Category == "researcher") || (&reply:User-Category ==
>> "member")) {
>> (30) ERROR: Failed retrieving values required to evaluate
>> condition
>> (30) elsif ( (&reply:User-Category == "student" ) ||
>> (&reply:User-Category == "affiliate") ) {
>> (30) ERROR: Failed retrieving values required to evaluate
>> condition
>> (30) else {
>> (30) update reply {
>> (30) Tunnel-Private-Group-Id := 902
> So put
>
> debug_reply
>
> above that line and see if the attribute has been set there.
OK, did that; radiusd -X now tells:
(30) Login OK: [barnabot/<via Auth-Type = eap>] (from client prod port
0 via TLS tunnel)
(30) } # server inner-tunnel
(30) Virtual server sending reply
(30) Reply-Message := "student"
(30) User-Category += "student"
(31) # Executing section post-auth from file
/etc/raddb/sites-enabled/default
(31) post-auth {
(31) update {
(31) No attributes updated
(31) } # update = noop
(31) reply_log: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(31) reply_log: -->
/var/log/radius/radacct/10.91.10.10/reply-detail-20180831
(31) reply_log:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/radius/radacct/10.91.10.10/reply-detail-20180831
(31) reply_log: EXPAND %t
(31) reply_log: --> Fri Aug 31 00:17:54 2018
(31) [reply_log] = ok
(31) [exec] = noop
(31) policy remove_reply_message_if_eap {
(31) if (&reply:EAP-Message && &reply:Reply-Message) {
(31) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(31) else {
(31) [noop] = noop
(31) } # else = noop
(31) } # policy remove_reply_message_if_eap = noop
(31) policy debug_reply {
(31) if ("%{debug_attr:reply:}" == '') {
(31) Attributes matching "reply:"
(31) &reply:MS-MPPE-Recv-Key =
0x6e1bcf8ea79f6d06a6dce39f4aadf79dfbd946f7ca2438a30d68f176073aa595
(31) &reply:MS-MPPE-Send-Key =
0xf482d9f73fb33affff0a965215b2135921b3800f4aa1424e26dae3359fdd6085
(31) &reply:EAP-MSK =
0x6e1bcf8ea79f6d06a6dce39f4aadf79dfbd946f7ca2438a30d68f176073aa595f482d9f73fb33affff0a965215b2135921b3800f4aa1424e26dae3359fdd6085
(31) &reply:EAP-EMSK =
0x7bd50d3a425c00863320ed8dcaf30139a70d382d510676d6daa81356f3f7d35e3dd4440c3c69f0ffc565c7669084e73975bef6b48c070b04aa49078ef0896939
(31) &reply:EAP-Session-Id =
0x192ca3956f79a7c3273beefed12454cddbc3402f348227b76d8faf4afcaac233e1d2a4d4993d3e3b6be9a674182fd4da47dc086e505b65ffe9233cb93974cd930e
(31) &reply:EAP-Message = 0x030c0004
(31) &reply:Message-Authenticator =
0x00000000000000000000000000000000
(31) &reply:Stripped-User-Name = barnabot
(31) EXPAND %{debug_attr:reply:}
(31) -->
(31) if ("%{debug_attr:reply:}" == '') -> TRUE
(31) if ("%{debug_attr:reply:}" == '') {
(31) [noop] = noop
(31) } # if ("%{debug_attr:reply:}" == '') = noop
(31) } # policy debug_reply = noop
(31) if (( &reply:User-Category == "employee") ||
(&reply:User-Category == "faculty") || (&reply:User-Category == "staff"
) || (&reply:User-Category == "researcher") || (&reply:User-Category ==
"member")) {
(31) ERROR: Failed retrieving values required to evaluate condition
(31) elsif ( (&reply:User-Category == "student" ) ||
(&reply:User-Category == "affiliate") ) {
(31) ERROR: Failed retrieving values required to evaluate condition
(31) else {
(31) update reply {
(31) Tunnel-Private-Group-Id := 902
I don't see new information regarding my User-Category attribute,
perhaps because it is not set at this stage!?
>> I use eduroam with PEAP MSCHAPv2 (inner-tunnel); maybe different
>> RADIUS packets are involved. Would it be in my vlanaffec script that
>> I should change reply to session-state?
> Change all reply:User-Category to session-state:User-Category.
>
> But find out whether it's set or not first.
>
That's my next step. It's getting late here in France; I'll try that
on site tomorrow.
Thanks.
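The debug_reply dump above (request 31, the outer post-auth) lists only the MPPE/EAP keys, Message-Authenticator and Stripped-User-Name; User-Category was added to the reply of request 30 inside the TLS tunnel and never reached the outer reply list, which is exactly why every `&reply:User-Category == ...` comparison fails with "Failed retrieving values required to evaluate condition". The following unlang is an added illustration of the fix Matthew describes, not configuration from the thread or from the FreeRADIUS project: the inner-tunnel copies its reply into the outer request's session-state, and the VLAN decision in the outer post-auth reads `&session-state:User-Category`. The `&outer.session-state: += &reply:` update is what stock 3.0.x inner-tunnel files already ship in post-auth (check your own copy); 902 is the fallback VLAN from the thread, while 901 and 903 are constructed placeholders for the real VLAN numbers.

```unlang
# --- sites-enabled/inner-tunnel, post-auth section ---
# Added example, not the list poster's config.
post-auth {
	# rlm_ldap has already populated &reply:User-Category here
	# (the debug shows 'User-Category += "student"' in request 30).
	# Copy the whole inner reply into the OUTER request's session-state
	# so the value is still there after the TLS tunnel is torn down.
	update {
		&outer.session-state: += &reply:
	}
}

# --- sites-enabled/default, post-auth section ---
post-auth {
	# Confirm the attribute really arrived before branching on it;
	# remove once the flow is verified.
	debug_reply
	if ("%{debug_attr:session-state:}" == '') {
		noop
	}

	# Compare against session-state, never against reply, because the
	# outer reply list does not contain the inner-tunnel attributes.
	if ((&session-state:User-Category == "employee") ||
	    (&session-state:User-Category == "faculty") ||
	    (&session-state:User-Category == "staff") ||
	    (&session-state:User-Category == "researcher") ||
	    (&session-state:User-Category == "member")) {
		update reply {
			&Tunnel-Type := VLAN
			&Tunnel-Medium-Type := IEEE-802
			&Tunnel-Private-Group-Id := 901	# constructed placeholder VLAN
		}
	}
	elsif ((&session-state:User-Category == "student") ||
	       (&session-state:User-Category == "affiliate")) {
		update reply {
			&Tunnel-Type := VLAN
			&Tunnel-Medium-Type := IEEE-802
			&Tunnel-Private-Group-Id := 903	# constructed placeholder VLAN
		}
	}
	else {
		# Unknown or missing category: the thread's fallback VLAN.
		update reply {
			&Tunnel-Type := VLAN
			&Tunnel-Medium-Type := IEEE-802
			&Tunnel-Private-Group-Id := 902
		}
	}
}
```

Tunnel-Type and Tunnel-Medium-Type are sent alongside Tunnel-Private-Group-Id because most switches and controllers ignore a bare group id; the fallback branch should point at a restricted VLAN so that a failed LDAP lookup degrades to less access rather than more. If `session-state:User-Category` is still absent in the outer debug output, the attribute was never set in the inner-tunnel in the first place, and the ldap module mapping is the thing to check.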