Applying the same rule to multiple values in an attribute/config value

Alex Perez-Mendez Alex.Perez-Mendez at jisc.ac.uk
Fri Feb 15 17:19:53 CET 2019


Hi Alan,

thank you for your help. We finally made it work nicely and we are happy 
to share it upstream.
It's shipped as policy.d/rfc7542 and a "bangpath" realm, and enabled by 
default for the ABFAB-specific server.

https://github.com/FreeRADIUS/freeradius-server/pull/2492

Do you think it could make it into 3.0.18?

Best regards,
Alejandro
>> Yep, this definitely worked.
>>
>>            [...]
>>            rfc7542_recipe
>>
>>            #  Standard RADIUS NAI routing
>>            if (!updated) {
>>                    suffix {
>>                            updated = 1
>>                            noop = reject
>>                    }
>>            }
>>            [...]
>>
>> The only thing we need to make sure about is making sure
>> "rfc7542_recipe" does not change the "updated" status when it does not
>> resolve a realm.
>> Otherwise, we would need to check for the presence of the Realm
>> attribute :(.
> In fact, that's happening. When "rfc7542_recipe" does not find a Trust
> Router realm, but resolves a local one (i.e. this is the home IdP for the
> End User), it does include a Realm attribute but does not change the
> "updated" status. Should it? It is actually updating the Request by
> adding a Realm to it....
>
> On the proxy:
> idp3_1          | (18) bangpath: Checking for prefix before "!"
> idp3_1          | (18) bangpath: Looking up realm "test5.org" for
> User-Name = "test5.org!@test3.org"
> idp3_1          | (18) bangpath: Found realm "apc.org%test5.org"
> idp3_1          | (18) bangpath: Adding Realm = "apc.org%test5.org"
> idp3_1          | (18) bangpath: Proxying request from user
> test5.org!@test3.org to realm apc.org%test5.org
> idp3_1          | (18) bangpath: Preparing to proxy authentication
> request to realm "apc.org%test5.org"
> idp3_1          | (18)           [bangpath] = updated
> idp3_1          | (18)         } # if (!(&control:RFC7542-Realm-1 =~
> /^(test3.org)$/) &&         (&control:RFC7542-Realm-2 =~
> /^(test3.org)$/))  = updated
> idp3_1          | (18)         if ((&control:RFC7542-Realm-1 =~
> /^(test3.org)$/) &&         !(&control:RFC7542-Realm-2 =~
> /^(test3.org)$/)) {
> idp3_1          | (18)         if ((&control:RFC7542-Realm-1 =~
> /^(test3.org)$/) &&         !(&control:RFC7542-Realm-2 =~
> /^(test3.org)$/))  -> FALSE
> idp3_1          | (18)         update control {
> idp3_1          | (18)           RFC7542-Realm-1 !* ANY
> idp3_1          | (18)           RFC7542-Realm-2 !* ANY
> idp3_1          | (18)         } # update control = noop
> idp3_1          | (18)       } # if (&request:User-Name =~
> /([a-zA-Z0-9\.-]+)!([a-zA-Z0-9\.-]*)\@(.+)/)  = updated
> idp3_1          | (18)     } # policy rfc7542.authorize = updated
> idp3_1          | (18)     if (!updated) {
> idp3_1          | (18)     if (!updated)  -> FALSE
> idp3_1          | (18) eap: Request is supposed to be proxied to Realm
> apc.org%test5.org. Not doing EAP.
> idp3_1          | (18)     [eap] = noop
> idp3_1          | (18)     [expiration] = noop
> idp3_1          | (18)     [logintime] = noop
> idp3_1          | (18)   } # authorize = updated
>
> On the IDP:
> idp5_1          | (11) bangpath: Checking for prefix before "!"
> idp5_1          | (11) bangpath: Looking up realm "test5.org" for
> User-Name = "test5.org!@test3.org"
> idp5_1          | (11) bangpath: Found realm "test5.org"
> idp5_1          | (11) bangpath: Adding Stripped-User-Name = "@test3.org"
> idp5_1          | (11) bangpath: Adding Realm = "test5.org"
> idp5_1          | (11) bangpath: Authentication realm is LOCAL
> idp5_1          | (11)           [bangpath] = ok
> idp5_1          | (11)         } # if ((&control:RFC7542-Realm-1 =~
> /^(test5.org)$/) &&         !(&control:RFC7542-Realm-2 =~
> /^(test5.org)$/))  = ok
> idp5_1          | (11)         update control {
> idp5_1          | (11)           RFC7542-Realm-1 !* ANY
> idp5_1          | (11)           RFC7542-Realm-2 !* ANY
> idp5_1          | (11)         } # update control = noop
> idp5_1          | (11)       } # if (&request:User-Name =~
> /([a-zA-Z0-9\.-]+)!([a-zA-Z0-9\.-]*)\@(.+)/)  = ok
> idp5_1          | (11)     } # policy rfc7542.authorize = ok
> idp5_1          | (11)     if (!updated) {
> idp5_1          | (11)     if (!updated)  -> TRUE
> idp5_1          | (11)     if (!updated)  {
> idp5_1          | (11) suffix: Request already has destination realm
> set.  Ignoring
> idp5_1          | (11)       [suffix] = noop
> idp5_1          | (11)     } # if (!updated)  = reject
> idp5_1          | (11)   } # authorize = reject
>
> So I had to force the updated status when bangpath is executed. So,
> within rfc7542_recipe:
>
>                   [...]
>                   #  Format: not_local_realm!...@local_realm: Handle with bangpath
>                   if (!(&control:RFC7542-Realm-1 =~ /^(${policy.rfc7542_realms})$/) && \
>                           (&control:RFC7542-Realm-2 =~ /^(${policy.rfc7542_realms})$/)) {
>                           bangpath
>                           updated
>                   }
>                   [...]
>
> Best,
>> Thanks
>>
>>>      Alan DeKok.
>>>

-- 
Alejandro Perez-Mendez
Technical Specialist (AAA), Trust & Identity
M (+34) 619 333 219
Skype alejandro_perez_mendez
jisc.ac.uk
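Added illustration (not code from this thread, from the pull request, or from FreeRADIUS itself): a small Python model of the return-code flow visible in the two debug logs above. The server names, the realm tables, the attribute names "Proxy-To-Realm" and "Stripped-User-Name" as used here, and the simplified rcode priorities (noop < ok < updated, with reject ending the section) are constructed assumptions chosen to reproduce those logs; the real unlang priority table and rlm_realm behaviour are richer than this. The point it shows is why a "bangpath" that adds a Realm but returns "ok" still lets "if (!updated) { suffix { noop = reject } }" run and reject the request at the home IdP, and why appending "updated" after bangpath in the policy fixes it.

```python
import re

# Regex from the thread's rfc7542 policy: prefix!user@realm.
NAI_RE = re.compile(r"([a-zA-Z0-9.-]+)!([a-zA-Z0-9.-]*)@(.+)")

# Assumed, simplified unlang rcode priorities: higher wins, reject ends the
# section. The real FreeRADIUS table has more codes; this is enough here.
PRIORITY = {"noop": 2, "ok": 3, "updated": 4, "reject": 10}


def merge(current, new):
    """Fold a module return code into the enclosing section's code."""
    return new if PRIORITY[new] > PRIORITY[current] else current


class Server:
    """One RADIUS server: its local realm and a constructed realm table.

    realms maps a realm name to its proxy target, or None when the realm
    is served locally. The tables below are made up to mirror the logs.
    """

    def __init__(self, local_realm, realms):
        self.local_realm = local_realm
        self.realms = realms

    def bangpath(self, req):
        """Model of the 'bangpath' realm: the prefix before '!' is the realm."""
        m = NAI_RE.fullmatch(req["User-Name"])
        if not m or m.group(1) not in self.realms:
            return "noop"
        realm = m.group(1)
        target = self.realms[realm]
        req["Realm"] = target or realm
        if target is None:
            # Home IdP: strip "realm!" and authenticate locally, as in the IdP log.
            req["Stripped-User-Name"] = req["User-Name"][len(realm) + 1:]
            return "ok"          # Realm added, but nothing to proxy
        req["Proxy-To-Realm"] = target
        return "updated"         # proxying: the request was modified

    def suffix(self, req):
        """Model of rlm_realm 'suffix': route on the part after the last '@'."""
        if "Realm" in req:
            return "noop"        # "Request already has destination realm set. Ignoring"
        user, sep, realm = req["User-Name"].rpartition("@")
        if not sep or realm not in self.realms:
            return "noop"
        req["Stripped-User-Name"] = user
        req["Realm"] = realm
        if self.realms[realm] is None:
            return "ok"
        req["Proxy-To-Realm"] = self.realms[realm]
        return "updated"

    def authorize(self, req, force_updated):
        """authorize { rfc7542_recipe; if (!updated) { suffix { noop = reject } } }"""
        rc = "noop"
        m = NAI_RE.fullmatch(req["User-Name"])
        if m:
            # not_local!...@local (proxy side) or local!...@other (home IdP):
            # exactly one of the two realms is ours, so hand off to bangpath.
            if (m.group(1) == self.local_realm) != (m.group(3) == self.local_realm):
                rc = merge(rc, self.bangpath(req))
                if force_updated:
                    rc = merge(rc, "updated")   # the fix from the thread
        if rc != "updated":                     # if (!updated) { ... }
            sub = self.suffix(req)
            if sub == "noop":
                sub = "reject"                  # noop = reject
            rc = merge(rc, sub)
        return rc


def run(server, user_name, force_updated=False):
    """Authorize one User-Name; returns (section rcode, resulting attributes)."""
    req = {"User-Name": user_name}
    return server.authorize(req, force_updated), req


# Constructed realm tables mirroring the proxy (idp3) and home IdP (idp5) logs.
PROXY = Server("test3.org", {"test5.org": "apc.org%test5.org"})
IDP = Server("test5.org", {"test5.org": None})

if __name__ == "__main__":
    for srv, fix in ((PROXY, False), (IDP, False), (IDP, True)):
        rc, req = run(srv, "test5.org!@test3.org", fix)
        print(f"{srv.local_realm:10} force_updated={fix!s:5} -> {rc:8} {req}")
```

Running it without the fix reproduces the IdP log: bangpath adds Realm and returns ok, the "if (!updated)" block runs, suffix sees the Realm and returns noop, and the "noop = reject" override turns that into a reject for a user who should have been authenticated locally. With force_updated the section ends "updated" and suffix is never consulted; the proxy case is unaffected either way because bangpath already returns "updated" when it proxies.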
