Applying the same rule to multiple values in an attribute/config value
Alex Perez-Mendez
Alex.Perez-Mendez at jisc.ac.uk
Fri Feb 15 07:55:10 CET 2019
> Yep, this definitely worked.
>
> [...]
> rfc7542_recipe
>
> # Standard RADIUS NAI routing
> if (!updated) {
> suffix {
> updated = 1
> noop = reject
> }
> }
> [...]
>
> The only thing we need to make sure about is making sure
> "rfc7542_recipe" does not change the "updated" status when it does not
> resolve a realm.
> Otherwise, we would need to check for the presence of the Realm
> attribute :(.
In fact, that's happening. When "rfc7542_recipe" does not find a Trust
Router realm, but resolves a local one (i.e. this is the home IDP for the
End User), it does include a Realm attribute but does not change the
"updated" status. Should it? It is actually updating the Request by
adding a Realm to it...
On the proxy:
idp3_1 | (18) bangpath: Checking for prefix before "!"
idp3_1 | (18) bangpath: Looking up realm "test5.org" for
User-Name = "test5.org!@test3.org"
idp3_1 | (18) bangpath: Found realm "apc.org%test5.org"
idp3_1 | (18) bangpath: Adding Realm = "apc.org%test5.org"
idp3_1 | (18) bangpath: Proxying request from user
test5.org!@test3.org to realm apc.org%test5.org
idp3_1 | (18) bangpath: Preparing to proxy authentication
request to realm "apc.org%test5.org"
idp3_1 | (18) [bangpath] = updated
idp3_1 | (18) } # if (!(&control:RFC7542-Realm-1 =~
/^(test3.org)$/) && (&control:RFC7542-Realm-2 =~
/^(test3.org)$/)) = updated
idp3_1 | (18) if ((&control:RFC7542-Realm-1 =~
/^(test3.org)$/) && !(&control:RFC7542-Realm-2 =~
/^(test3.org)$/)) {
idp3_1 | (18) if ((&control:RFC7542-Realm-1 =~
/^(test3.org)$/) && !(&control:RFC7542-Realm-2 =~
/^(test3.org)$/)) -> FALSE
idp3_1 | (18) update control {
idp3_1 | (18) RFC7542-Realm-1 !* ANY
idp3_1 | (18) RFC7542-Realm-2 !* ANY
idp3_1 | (18) } # update control = noop
idp3_1 | (18) } # if (&request:User-Name =~
/([a-zA-Z0-9\.-]+)!([a-zA-Z0-9\.-]*)\@(.+)/) = updated
idp3_1 | (18) } # policy rfc7542.authorize = updated
idp3_1 | (18) if (!updated) {
idp3_1 | (18) if (!updated) -> FALSE
idp3_1 | (18) eap: Request is supposed to be proxied to Realm
apc.org%test5.org. Not doing EAP.
idp3_1 | (18) [eap] = noop
idp3_1 | (18) [expiration] = noop
idp3_1 | (18) [logintime] = noop
idp3_1 | (18) } # authorize = updated
On the IDP:
idp5_1 | (11) bangpath: Checking for prefix before "!"
idp5_1 | (11) bangpath: Looking up realm "test5.org" for
User-Name = "test5.org!@test3.org"
idp5_1 | (11) bangpath: Found realm "test5.org"
idp5_1 | (11) bangpath: Adding Stripped-User-Name = "@test3.org"
idp5_1 | (11) bangpath: Adding Realm = "test5.org"
idp5_1 | (11) bangpath: Authentication realm is LOCAL
idp5_1 | (11) [bangpath] = ok
idp5_1 | (11) } # if ((&control:RFC7542-Realm-1 =~
/^(test5.org)$/) && !(&control:RFC7542-Realm-2 =~
/^(test5.org)$/)) = ok
idp5_1 | (11) update control {
idp5_1 | (11) RFC7542-Realm-1 !* ANY
idp5_1 | (11) RFC7542-Realm-2 !* ANY
idp5_1 | (11) } # update control = noop
idp5_1 | (11) } # if (&request:User-Name =~
/([a-zA-Z0-9\.-]+)!([a-zA-Z0-9\.-]*)\@(.+)/) = ok
idp5_1 | (11) } # policy rfc7542.authorize = ok
idp5_1 | (11) if (!updated) {
idp5_1 | (11) if (!updated) -> TRUE
idp5_1 | (11) if (!updated) {
idp5_1 | (11) suffix: Request already has destination realm
set. Ignoring
idp5_1 | (11) [suffix] = noop
idp5_1 | (11) } # if (!updated) = reject
idp5_1 | (11) } # authorize = reject
So I had to force the updated status when bangpath is executed. So,
within rfc7542_recipe:
[...]
        # Format: not_local_realm!...@local_realm: Handle with bangpath
        if (!(&control:RFC7542-Realm-1 =~ /^(${policy.rfc7542_realms})$/) && \
            (&control:RFC7542-Realm-2 =~ /^(${policy.rfc7542_realms})$/)) {
                bangpath
                updated
        }
[...]
Best,
>
> Thanks
>
>> Alan DeKok.
--
Alejandro Perez-Mendez
Technical Specialist (AAA), Trust & Identity
M (+34) 619 333 219
Skype alejandro_perez_mendez
jisc.ac.uk
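A Python model of the authorize flow discussed in this message, added here as an illustration; it is not code from the thread or from FreeRADIUS. The realm_table argument is a constructed stand-in for the realm module's lookup, and force_updated models the extra "updated" line placed after bangpath in rfc7542_recipe.

```python
import re

# Bang-path User-Name format from the policy on the page:
# not_local_realm!...@local_realm
BANGPATH_RE = re.compile(r'([a-zA-Z0-9\.-]+)!([a-zA-Z0-9\.-]*)@(.+)')


def bangpath(user_name, realm_table):
    """Model of the 'bangpath' step: look up the prefix before '!'.

    realm_table (constructed) maps a looked-up realm name to the realm it
    resolves to. Returns (rcode, attrs) the way a module would: 'ok' for a
    LOCAL realm, 'updated' when the request will be proxied, 'noop' when
    the User-Name is not a bang path or the realm is unknown.
    """
    m = BANGPATH_RE.fullmatch(user_name)
    if not m:
        return "noop", {}
    lookup, _, local_part = m.groups()
    found = realm_table.get(lookup)
    if found is None:
        return "noop", {}
    attrs = {"Realm": found}
    if found == lookup:
        # Home IdP: authentication realm is LOCAL (see the idp5_1 log)
        attrs["Stripped-User-Name"] = "@" + local_part
        return "ok", attrs
    return "updated", attrs


def authorize(user_name, realm_table, force_updated):
    """Model of the section on the page: rfc7542_recipe, then
    'if (!updated) { suffix { updated = 1; noop = reject } }'.

    Only the part of suffix that matters here is modelled: when a Realm
    is already set it returns noop, which the policy maps to reject.
    """
    rcode, attrs = bangpath(user_name, realm_table)
    if force_updated and rcode == "ok":
        rcode = "updated"  # the 'updated' line added after bangpath
    if rcode != "updated" and "Realm" in attrs:
        return "reject", attrs  # suffix: realm already set -> noop -> reject
    return rcode, attrs
```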