Help testing if a variable contains an IPv4
David Herselman
dhe at syrex.co
Sat Jun 12 14:55:48 CEST 2021
Hi,
I'm trying to allow non MFA logins from configuration revisioning systems where the target device doesn't support SSH key based authentication. I started constructing an unlang check using '<ipv4prefix>' and hit some quirks.
Most of our devices include the calling station's source IP in their request, whilst a few send the reverse DNS lookup strings. How do I test if a variable matches the structure of an IPv4 IP?
My problem appears to be that '<ipv4prefix>&String < 41.0.0.0/29' returns true, for example:
(0) Calling-Station-Id = "oxidized.syrex.co.za"
(0) if (&Client-Shortname == "core_routers") && !(&User-Name == "revisioncfg" && &Calling-Station-Id && <ipv4prefix>&Calling-Station-Id < 41.0.0.0/29) {
(0) EXPAND &Client-Shortname
(0) --> core_routers
(0) if (&Client-Shortname == "core_routers") && !(&User-Name == "revisioncfg" && &Calling-Station-Id && <ipv4prefix>&Calling-Station-Id < 41.0.0.0/29) -> FALSE
(1) Calling-Station-Id = "196.196.196.196"
(1) if (&Client-Shortname == "core_routers") && !(&User-Name == "revisioncfg" && &Calling-Station-Id && <ipv4prefix>&Calling-Station-Id < 41.0.0.0/29) {
(1) EXPAND &Client-Shortname
(1) --> core_routers
(1) if (&Client-Shortname == "core_routers") && !(&User-Name == "revisioncfg" && &Calling-Station-Id && <ipv4prefix>&Calling-Station-Id < 41.0.0.0/29) -> TRUE
I had hoped to have been able to do the following, but the behaviour above makes me believe I have to test them separately:
if (&Client-Shortname == "core_routers") && !(&User-Name == "revisioncfg" && &Calling-Station-Id && (&Calling-Station-Id =="oxidized.syrex.co.za" || <ipv4prefix>&Calling-Station-Id < 41.0.0.0/29))
Regards
David Herselman
More information about the Freeradius-Users
mailing list