3.2.0 - huntgroups and regex

Dave Macias davama at gmail.com
Wed Jul 13 17:24:51 UTC 2022


Hello,

Happy Wednesday

I'm attempting to move from FR v3.0.20 (rpm) to v3.2.0 (docker)

Noticing some interesting behavior, mostly with regex and huntgroups

This no longer works in huntgroups

router          NAS-Identifier =~ "[[:alnum:]]+-[[:alnum:]]+-[[:alnum:]]+-(?i)rtr-[[:alnum:]]+"
switch          NAS-Identifier =~ "[[:alnum:]]+-[[:alnum:]]+-[[:alnum:]]+-(?i)sw-[[:alnum:]]+"
switch-olt      NAS-Identifier =~ "[[:alnum:]]+-[[:alnum:]]+-[[:alnum:]]+-(?i)olt-[[:alnum:]]+"

So then I commented those out and attempted unlang in
(sites-enabled/default), which worked OK.

#if ((&Huntgroup-Name == 'switch') && (LDAP-Group == 'switch-manager')) {
if ((&NAS-Identifier =~ /[A-z,a-z,0-9]*-[A-z,a-z,0-9]*-[A-z,a-z,0-9]*-sw-[0-9]*/i) && (LDAP-Group == 'switch-manager')) {

But that has issues with the users (authorize) file, because I need RADIUS
to respond with specific attributes depending on both groups
(ldap/huntgroup).

DEFAULT Huntgroup-Name == "router", Ldap-Group == "router-manager"
        Service-Type += Administrative-User,
        Cisco-AVPair = "shell:roles=network-admin"

DEFAULT Huntgroup-Name == "switch", Ldap-Group == "switch-manager"
        Service-Type += Administrative-User,
        Hp-Command-Exception = Deny-List,
        Hp-Command-String = "menu;",
        11XXUserRoles = "Admin",
        NOKIA-AAA = "3",
        NOKIA-ATM = "3",
        NOKIA-Alarm = "3",
        ...
        ...

If I just do

DEFAULT Ldap-Group == 'router-manager'
DEFAULT Ldap-Group ==  'switch-manager'

then if a user is part of both LDAP groups, it will always match the
first DEFAULT and not the second. So that user trying to access a switch
will get the router attributes as a response.

I've tried different huntgroups configs, but they don't get resolved:

switch NAS-Identifier =~ /([a-z0-9]+-){3}sw-[0-9]+/i
switch NAS-Identifier =~ /[A-Za-z0-9]+-[A-Za-z0-9]+-[A-Za-z0-9]+-SW-[0-9]+/
switch NAS-Identifier =~ /[a-z0-9]+-[a-z0-9]+-[a-z0-9]+-sw-[0-9]+/i

The 2nd and 3rd ones are accepted by radius, but they do not resolve in
sites-enabled/default:

freeradius | Wed Jul 13 17:18:56 2022 : Debug: (0) modsingle[authorize]: calling preprocess (rlm_preprocess)
freeradius | Wed Jul 13 17:18:56 2022 : Debug: /[a-z0-9]+-[a-z0-9]+-[a-z0-9]+-sw-[0-9]+/i
freeradius | Wed Jul 13 17:18:56 2022 : Debug: Parsed xlat tree:
freeradius | Wed Jul 13 17:18:56 2022 : Debug: literal --> /[a-z0-9]+-[a-z0-9]+-[a-z0-9]+-sw-[0-9]+/i
freeradius | Wed Jul 13 17:18:56 2022 : Debug: (0) preprocess: EXPAND /[a-z0-9]+-[a-z0-9]+-[a-z0-9]+-sw-[0-9]+/i
freeradius | Wed Jul 13 17:18:56 2022 : Debug: (0) preprocess:    --> /[a-z0-9]+-[a-z0-9]+-[a-z0-9]+-sw-[0-9]+/i
freeradius | Wed Jul 13 17:18:56 2022 : Debug: No old matches
freeradius | Wed Jul 13 17:18:56 2022 : Debug: Adding 33 matches
freeradius | Wed Jul 13 17:18:56 2022 : Debug: (0) modsingle[authorize]: returned from preprocess (rlm_preprocess)
freeradius | Wed Jul 13 17:18:56 2022 : Debug: (0)     [preprocess] = ok
freeradius | Wed Jul 13 17:18:56 2022 : Debug: (0) modsingle[authorize]: calling files (rlm_files)
...
...
freeradius | Wed Jul 13 17:18:57 2022 : Debug: (0)     if ((&Huntgroup-Name == 'switch') && (LDAP-Group == 'switch-manager')) {
freeradius | Wed Jul 13 17:18:57 2022 : ERROR: (0)     Failed retrieving values required to evaluate condition

What am I missing?

Any input is appreciated

Best,
Dave
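As an added example (not from the post above and not FreeRADIUS code), this Python model resolves a huntgroup from NAS-Identifier and then applies first-match users-file semantics, so it reproduces why a user in both LDAP groups gets the router reply when only Ldap-Group is checked, but the switch reply when Huntgroup-Name is checked as well. It assumes constructed NAS-Identifier values and entries, uses Python's `re` in place of FreeRADIUS's regex engine, rewrites the post's mid-pattern `(?i)` (a PCRE extension that POSIX ERE does not have) and `[[:alnum:]]` into portable equivalents, and does not model Fall-Through or check-item operators.

```python
import re
# Constructed huntgroup table standing in for the huntgroups file. The post's
# patterns use (?i) mid-pattern, a PCRE extension that POSIX ERE lacks; here
# case-insensitivity is spelled out with explicit classes, and [[:alnum:]]
# (unsupported by Python's re) is written as [A-Za-z0-9]. Patterns are anchored.
HUNTGROUPS = [
    ("router",     r"^([A-Za-z0-9]+-){3}[Rr][Tt][Rr]-[A-Za-z0-9]+$"),
    ("switch",     r"^([A-Za-z0-9]+-){3}[Ss][Ww]-[A-Za-z0-9]+$"),
    ("switch-olt", r"^([A-Za-z0-9]+-){3}[Oo][Ll][Tt]-[A-Za-z0-9]+$"),
]

# Constructed users-file style entries: (check items, reply items). Every check
# item must match, and the first matching entry wins (no Fall-Through modelled).
USERS_WITH_HUNTGROUP = [
    ({"Huntgroup-Name": "router", "Ldap-Group": "router-manager"},
     {"Cisco-AVPair": "shell:roles=network-admin"}),
    ({"Huntgroup-Name": "switch", "Ldap-Group": "switch-manager"},
     {"Hp-Command-String": "menu;"}),
]
USERS_LDAP_ONLY = [
    ({"Ldap-Group": "router-manager"}, {"Cisco-AVPair": "shell:roles=network-admin"}),
    ({"Ldap-Group": "switch-manager"}, {"Hp-Command-String": "menu;"}),
]

def huntgroup_for(nas_identifier):
    """Return the first huntgroup whose regex matches NAS-Identifier, or None."""
    for name, pattern in HUNTGROUPS:
        if re.search(pattern, nas_identifier):
            return name
    return None

def reply_for(entries, nas_identifier, ldap_groups):
    """Resolve the huntgroup, then return the reply of the first entry whose
    check items all hold. Ldap-Group is multi-valued: any membership matches."""
    request = {"Huntgroup-Name": huntgroup_for(nas_identifier),
               "Ldap-Group": set(ldap_groups)}
    for check, reply in entries:
        for attr, want in check.items():
            have = request.get(attr)
            if not (want in have if isinstance(have, set) else have == want):
                break  # this check item failed; try the next entry
        else:
            return reply  # all check items held: first match wins
    return {}

if __name__ == "__main__":
    both = ["router-manager", "switch-manager"]  # user in both LDAP groups
    print(reply_for(USERS_WITH_HUNTGROUP, "site1-bldg2-core-SW-01", both))
    print(reply_for(USERS_LDAP_ONLY, "site1-bldg2-core-SW-01", both))
```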

