Using variables in unlang conditions

Jonathan Davis jonathan at prioritycolo.com
Thu Feb 24 12:49:40 UTC 2022 

See dictionaries 

> On Feb 24, 2022, at 5:50 AM, Rahman Duran <rahman.duran at erzurum.edu.tr> wrote:
> 
> Hi,
> 
> I am trying to do some filtering/policing in the authorize section of the
> default virtual server. I need to check source ip matches our Wireless
> Controllers and SSID and username format etc then decide what to do with
> the request. How can I user some kind of alias/variable for our IP address
> block so I should not need to write and update IP addresses multiple places?
> 
> Here sample of what I try to achieve:
> 
> //////////////////////
> etu_aruba_wlc_001 = 10.10.243.0/24
> etu_aruba_wlc_002 = 10.10.244.0/24
> etu_aruba_wlc_002 = 10.10.245.0/24
> 
>  ### 001: Test Wifi Service ###
>  *if ((&Packet-Src-IP-Address < ${etu_aruba_wlc_001}) \*
>      && (&NAS-Port-Type == "Wireless-802.11") \
>      && (&Called-Station-SSID == "bidb-test") \
>      && (&User-Name =~ /[0-9a-fA-F]{12}/)) {
> 
>      update request {
>        &ETU-Radius-Service-Name := "BIDB_Test"
>      }
> 
>      # Authentication source
>      files_bidb_test_mac_list
> 
>      # Authentication modules
>      pap
> 
>      # If this service match, do not continue to check rest of the section
>      return
>  }
> 
>  ### 002: Simulation Lab Service ###
> * if ((&Packet-Src-IP-Address < ${etu_aruba_wlc_001}) \*
>      && (&NAS-Port-Type == "Wireless-802.11") \
>      && (&Called-Station-SSID == "saglik_bilimleri-sim-lab") \
>      && (&User-Name =~ /[0-9a-fA-F]{12}/)) {
> 
>      update request {
>        &ETU-Radius-Service-Name := "Saglik_Bilimleri_Sim_Lab"
>      }
> 
>      # Authentication source
>      files_saglik_bilimleri_sim_lab_mac_list
> 
>      # Authentication modules
>      pap
> 
>      # If this service match, do not continue to check rest of the section
>      return
>  }
> 
> 
>  ### DEFAULT REJECT: If no service matched reject undefined request
> directly here  ###
>  update session-state {
>    Module-Failure-Message := "No matching service found for this request!"
>  }
>  reject
> /////////////////////
> 
> Well using variables (${...}) in conditions not working, Freeradius
> daemon not starting with parse error:
> 
> /etc/freeradius/3.0/sites-enabled/default[40]:
> ((&Packet-Src-IP-Address < *${etu_aruba_wlc_001})
> *      && (&NAS-Port-Type == "Wireless-80...
> /etc/freeradius/3.0/sites-enabled/default[40]:                            ^
> Failed to parse value for attribute
> 
> 
> Any hint on this? If it is possible I want to define IP blocks and groups
> of IP blocks if possible and use them in unlang conditions.
> 
> Regards,
> 
> Rahman Duran
> Bilgi İşlem Daire Başkanlığı
> Erzurum Teknik Üniversitesi
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list