Match on undefined attribute.

classic Classic list List threaded Threaded
4 messages Options
| Threaded
Open this post in threaded view
|

Match on undefined attribute.

Matthew Schumacher
List,

I can't seem to write a simple condition to match on a missing
attribute.  I just want to do this:

                 if( ! &reply:Filter-Id ) {
                         update reply {
                                 Vendor-Address-List := foo
                         }
                 }


However, that always returns true, even if Filter-Id isn't returned in
the Access-Accept.

If I try:
                 if( &reply:Filter-Id == "" ) {
                         update reply {
                                 Vendor-Address-List := foo
                         }
                 }

Then when Filter-Id isn't set, I get:

ERROR: Failed retrieving values required to evaluate condition

And no match.

What is the correct way to match on missing reply attributes?

Thanks,
schu


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: Match on undefined attribute.

Alan DeKok-2


> On Jan 9, 2020, at 4:05 PM, Matthew Schumacher <[hidden email]> wrote:
>
> I can't seem to write a simple condition to match on a missing attribute.  I just want to do this:
>
>                 if( ! &reply:Filter-Id ) {
>                         update reply {
>                                 Vendor-Address-List := foo
>                         }
>                 }
>
>
> However, that always returns true, even if Filter-Id isn't returned in the Access-Accept.

  What does the debug output show?

  That should work.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: Match on undefined attribute.

Matthew Schumacher
On 1/9/20 1:08 PM, Alan DeKok wrote:

>> On Jan 9, 2020, at 4:05 PM, Matthew Schumacher <[hidden email]> wrote:
>>
>> I can't seem to write a simple condition to match on a missing attribute.  I just want to do this:
>>
>>                  if( ! &reply:Filter-Id ) {
>>                          update reply {
>>                                  Vendor-Address-List := foo
>>                          }
>>                  }
>>
>>
>> However, that always returns true, even if Filter-Id isn't returned in the Access-Accept.
>    What does the debug output show?
>
>    That should work.
>
>    Alan DeKok.
>
>

(2) # Executing section post-auth from file
/etc/freeradius/raddb/sites-enabled/server
(2)   post-auth {
(2)     if ( ! &reply:Filter-Id ) {
(2)     if ( ! &reply:Filter-Id )  -> TRUE
(2)     if ( ! &reply:Filter-Id )  {
(2)       update reply {
(2)         Vendor-Address-List := foo
(2)       } # update reply = noop
(2)     } # if ( ! &reply:Filter-Id )  = noop
(2)   } # post-auth = noop

In the radius accept I see:

Received Access-Accept Id 206 from 127.0.0.1:1812 to 127.0.0.1:49494
length 71
     .....
     Filter-Id = "117.in"
     Vendor-Address-List = "foo"
     ....

Anyway,

I found the problem, I am setting Filter-Id in ldap using:

update { reply:Framed-Filter-Id = radiusfilter }

And somewhere long the way radius, translates Framed-Filter-Id to
Filter-Id.  Once I changed it to:

update { reply:Filter-Id = radiusfilter }

It works correctly.

I'm not sure why I originally had Framed-Filter-Id, or why radius was
translating as I don't see anything that does that in the config.

Thanks for the help,
schu





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: Match on undefined attribute.

Bjørn Mork
Matthew Schumacher <[hidden email]> writes:

> I found the problem, I am setting Filter-Id in ldap using:
>
> update { reply:Framed-Filter-Id = radiusfilter }
>
> And somewhere long the way radius, translates Framed-Filter-Id to
> Filter-Id.  Once I changed it to:
>
> update { reply:Filter-Id = radiusfilter }
>
> It works correctly.
>
> I'm not sure why I originally had Framed-Filter-Id, or why radius was
> translating as I don't see anything that does that in the config.

Framed-Filter-Id is just an old compatibility name for Filter-Id.  It's
the same attribute, so there is no translation.  Just two names
describing the same number.

See dictionary.compat


Bjørn

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html