Using variables in unlang conditions

Rahman Duran rahman.duran at erzurum.edu.tr
Thu Feb 24 10:50:09 UTC 2022


Hi,

I am trying to do some filtering/policing in the authorize section of the
default virtual server. I need to check that the source IP matches our Wireless
Controllers, and check the SSID, username format, etc., then decide what to do
with the request. How can I use some kind of alias/variable for our IP address
block so that I do not need to write and update IP addresses in multiple places?

Here is a sample of what I am trying to achieve:

//////////////////////
etu_aruba_wlc_001 = 10.10.243.0/24
etu_aruba_wlc_002 = 10.10.244.0/24
etu_aruba_wlc_002 = 10.10.245.0/24

  ### 001: Test Wifi Service ###
  if ((&Packet-Src-IP-Address < ${etu_aruba_wlc_001}) \
      && (&NAS-Port-Type == "Wireless-802.11") \
      && (&Called-Station-SSID == "bidb-test") \
      && (&User-Name =~ /[0-9a-fA-F]{12}/)) {

      update request {
        &ETU-Radius-Service-Name := "BIDB_Test"
      }

      # Authentication source
      files_bidb_test_mac_list

      # Authentication modules
      pap

      # If this service match, do not continue to check rest of the section
      return
  }

  ### 002: Simulation Lab Service ###
  if ((&Packet-Src-IP-Address < ${etu_aruba_wlc_001}) \
      && (&NAS-Port-Type == "Wireless-802.11") \
      && (&Called-Station-SSID == "saglik_bilimleri-sim-lab") \
      && (&User-Name =~ /[0-9a-fA-F]{12}/)) {

      update request {
        &ETU-Radius-Service-Name := "Saglik_Bilimleri_Sim_Lab"
      }

      # Authentication source
      files_saglik_bilimleri_sim_lab_mac_list

      # Authentication modules
      pap

      # If this service match, do not continue to check rest of the section
      return
  }


  ### DEFAULT REJECT: If no service matched reject undefined request directly here  ###
  update session-state {
    Module-Failure-Message := "No matching service found for this request!"
  }
  reject
/////////////////////

Well, using variables (${...}) in conditions is not working; the FreeRADIUS
daemon does not start, with a parse error:

/etc/freeradius/3.0/sites-enabled/default[40]:
((&Packet-Src-IP-Address < ${etu_aruba_wlc_001})
      && (&NAS-Port-Type == "Wireless-80...
/etc/freeradius/3.0/sites-enabled/default[40]:                            ^
Failed to parse value for attribute


Any hints on this? If possible, I want to define IP blocks and groups
of IP blocks and use them in unlang conditions.

Regards,

Rahman Duran
Bilgi İşlem Daire Başkanlığı
Erzurum Teknik Üniversitesi

