Help Unlang Freeradius 2.x to 3.x

classic Classic list List threaded Threaded
4 messages Options
| Threaded
Open this post in threaded view
|

Help Unlang Freeradius 2.x to 3.x

Olivier CALVANO
Hello,

I get stuck a little to find the solution in unlang; =) I admit that I
don't master at all.

I have this condition which works under Freeradius 2.x:

if ((Tunnel-Server-Endpoint: 0 [0]! = '192.168.1.1') && (User-Name = ~
/\\.local/) && (User-Name! ~ /network\\.local/) && ("%
{Packet-Src-IP-Address}" == "172.16.100.100")) {

I can't find the equivalent in Freeradius 3.0.17

I tried in particular

if ((& Tunnel-Server-Endpoint! = '192.168.1.1') && (User-Name = ~
/\\.local/) && (User-Name! ~ /network\\.local/) && ("% {
Packet-Src-IP-Address} "==" 172.16.100.100 ")) {

but that blocks, it is always at the level of the first condition that
there is the problem.

What I would like is:

Yes
   Tunnel-Server-Endpoint * (0 1 or other) is not equal to 192.168.1.1
Or
  Tunnel-Server-Endpoint * (0 1 or other) is not equal to 192.168.1.2

so he looks at the other conditions including User-Name and Packet-Src


Otherwise, would I have to do several if ? sample:

if ("%{Packet-Src-IP-Address}" == "172.16.100.100") {
     if ((User-Name =~ /\\.local/) && (User-Name !~ /network\\.local/)) {
          if (&Tunnel-Server-Endpoint* != '192.168.1.1') {
                          xxxx
           }
      }
}


thank you for your help
Olivier
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: Help Unlang Freeradius 2.x to 3.x

Alan DeKok-2
On Jun 27, 2020, at 12:33 AM, Olivier CALVANO <[hidden email]> wrote:
> I have this condition which works under Freeradius 2.x:
>
> if ((Tunnel-Server-Endpoint: 0 [0]! = '192.168.1.1') && (User-Name = ~
> /\\.local/) && (User-Name! ~ /network\\.local/) && ("%
> {Packet-Src-IP-Address}" == "172.16.100.100")) {

  You've re-typed it, instead of copying it exactly from the configuration files.  Please just use cut & paste.  It's more correct.

> I can't find the equivalent in Freeradius 3.0.17

  99% of the time you can just use the same "unlang" statements.

> I tried in particular
>
> if ((& Tunnel-Server-Endpoint! = '192.168.1.1') && (User-Name = ~
> /\\.local/) && (User-Name! ~ /network\\.local/) && ("% {
> Packet-Src-IP-Address} "==" 172.16.100.100 ")) {
>
> but that blocks, it is always at the level of the first condition that
> there is the problem.

  Which is.... what?

  There *is* debug output which can help.

  Read this and follow the instructions:  http://wiki.freeradius.org/list-help

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: Help Unlang Freeradius 2.x to 3.x

Olivier CALVANO
Thanks alan,

I will reformulate my question more clearly and put debug.

It's just this condition that seems to have changed, before I wrote it like
this in version 2; x and it worked:

 if ((Tunnel-Server-Endpoint:0[0] != '192.168.1.1') && (User-Name =~
/\\.local/) && (User-Name !~ /network\\.local/) &&
("%{Packet-Src-IP-Address}" == "172.16.100.100")) {


in version 3, I write it like this:

if ((&Tunnel-Server-Endpoint != 192.168.1.1') && (User-Name =~ /\\.local/)
&& (User-Name !~ /network\\.local/) && ("%{Packet-Src-IP-Address}" ==
"172.16.100.100")) {


and he gives me a mistake
(0)     policy Rewrite_FORWARDER {
(0)       if ((&Tunnel-Server-Endpoint != '192.168.1.1') && (User-Name =~
/\\.local/) && (User-Name !~ /network\\.local/) &&
("%{Packet-Src-IP-Address}" == "172.16.100.100")) {
(0)       ERROR: Failed retrieving values required to evaluate condition
(0)       elsif (&Tunnel-Server-Endpoint != '192.168.1.1' && User-Name =~
/\\.local/ && User-Name !~ /network\\.local/ && "%{Packet-Src-IP-Address}"
== "172.16.100.101") {
(0)       ERROR: Failed retrieving values required to evaluate condition
(0)       if ((User-Name =~ /\\.local/) && ("%{Packet-Src-IP-Address}" ==
"172.16.100.100")) {
(0)       EXPAND %{Packet-Src-IP-Address}
(0)          --> 172.16.100.99
(0)       if ((User-Name =~ /\\.local/) && ("%{Packet-Src-IP-Address}" ==
"172.16.100.100"))  -> FALSE
(0)       elsif ((User-Name =~ /\\.local/) && ("%{Packet-Src-IP-Address}"
== "172.16.100.101")) {
(0)       EXPAND %{Packet-Src-IP-Address}
(0)          --> 172.16.100.99
(0)       elsif ((User-Name =~ /\\.local/) && ("%{Packet-Src-IP-Address}"
== "172.16.100.101"))  -> FALSE
(0)     } # policy Rewrite_FORWARDER = noop


so I can't find the right syntax for it to look at the
Tunnel-Server-Endpoint attribute

or maybe it would mark this error because the Tunnel-Server-Endpoint
attribute is not present in the request?

regards


Le sam. 27 juin 2020 à 14:15, Alan DeKok <[hidden email]> a
écrit :

> On Jun 27, 2020, at 12:33 AM, Olivier CALVANO <[hidden email]> wrote:
> > I have this condition which works under Freeradius 2.x:
> >
> > if ((Tunnel-Server-Endpoint: 0 [0]! = '192.168.1.1') && (User-Name = ~
> > /\\.local/) && (User-Name! ~ /network\\.local/) && ("%
> > {Packet-Src-IP-Address}" == "172.16.100.100")) {
>
>   You've re-typed it, instead of copying it exactly from the configuration
> files.  Please just use cut & paste.  It's more correct.
>
> > I can't find the equivalent in Freeradius 3.0.17
>
>   99% of the time you can just use the same "unlang" statements.
>
> > I tried in particular
> >
> > if ((& Tunnel-Server-Endpoint! = '192.168.1.1') && (User-Name = ~
> > /\\.local/) && (User-Name! ~ /network\\.local/) && ("% {
> > Packet-Src-IP-Address} "==" 172.16.100.100 ")) {
> >
> > but that blocks, it is always at the level of the first condition that
> > there is the problem.
>
>   Which is.... what?
>
>   There *is* debug output which can help.
>
>   Read this and follow the instructions:
> http://wiki.freeradius.org/list-help
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: Help Unlang Freeradius 2.x to 3.x

Alan DeKok-2
On Jul 2, 2020, at 4:09 AM, Olivier CALVANO <[hidden email]> wrote:
> I will reformulate my question more clearly and put debug.

  ALL of the debug.

  http://wiki.freeradius.org/list-help

> It's just this condition that seems to have changed, before I wrote it like
> this in version 2; x and it worked:

  There is no need to say the same thing

> in version 3, I write it like this:
>
> if ((&Tunnel-Server-Endpoint != 192.168.1.1') && (User-Name =~ /\\.local/)
> && (User-Name !~ /network\\.local/) && ("%{Packet-Src-IP-Address}" ==
> "172.16.100.100")) {

  Don't use two \\ in the regular expression.  You only need one.

  I also suggested you change how you use Packet-Src-IP-Address.  Why are you not doing that?

> and he gives me a mistake
> (0)     policy Rewrite_FORWARDER {
> (0)       if ((&Tunnel-Server-Endpoint != '192.168.1.1') && (User-Name =~
> /\\.local/) && (User-Name !~ /network\\.local/) &&
> ("%{Packet-Src-IP-Address}" == "172.16.100.100")) {
> (0)       ERROR: Failed retrieving values required to evaluate condition

  Which means that one of the attributes in the condition doesn't exist.

  i.e. it's not in the Access-Request packet.

  What's in the Access-Request packet?  We don't know.  Because you didn't post that.  Even though ALL of the the documentation says to post it.\

> so I can't find the right syntax for it to look at the
> Tunnel-Server-Endpoint attribute

  No.  That isn't the problem.

> or maybe it would mark this error because the Tunnel-Server-Endpoint
> attribute is not present in the request?

  If you READ the debug output as suggested in ALL of the documentation, you could answer this question for yourself.

  Right now, you're not making progress.  You're just posting the same thing over and over.  This is not helpful.

  Follow the documentation.  Follow instructions.  It *will* fix the problem.  Or, you can post the same message every day for the next year, and make zero progress.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html