User file _matching

Hassan, Hazem (Nokia - EG/Cairo)
Hi,

I want to make a different matching criteria:

Working scenario:

98:86:5d:90:c2:82 Cleartext-Password := "pass"
        Alc-Subsc-Prof-Str = "three_services_1G",
        Alc-SLA-Prof-Str   = "Internet_1G",
        Alc-Subsc-ID-Str   = "sub-3",
        Framed-IP-Address  = 100.0.0.6,
        Framed-IP-Netmask  = 255.255.255.0,

2 2021/03/11 11:16:29.479 UTC MINOR: DEBUG #2001 management RADIUS
"RADIUS: Transmit
  Access-Request(1) 80.194.79.79:1812 id 251 len 289 vrid 4095 pol bng-aaa-pol
    USER NAME [1] 17 98:86:5d:90:c2:82


3 2021/03/11 11:16:29.480 UTC MINOR: DEBUG #2001 management RADIUS
"RADIUS: Receive
  Access-Accept(2) id 251 len 193 from 80.194.79.79:1812 vrid 4095 pol bng-aaa-pol
    VSA [26] 19 Nokia(6527)
      SUBSC PROF STR [12] 17 three_services_1G
    VSA [26] 13 Nokia(6527)
      SLA PROF STR [13] 11 Internet_1G
    VSA [26] 7 Nokia(6527)
      SUBSC ID STR [11] 5 sub-3
    FRAMED IP ADDRESS [8] 4 100.0.0.6
    FRAMED IP NETMASK [9] 4 255.255.255.0
    FRAMED ROUTE [22] 22 192.168.6.0/24 0.0.0.0
    VSA [26] 6 Nokia(6527)


Non-working scenario: trying to send the Access-Request with a different format, "option-82 circuit-id":



2 2021/03/11 13:18:39.936 UTC MINOR: DEBUG #2001 management RADIUS
"RADIUS: Transmit
  Access-Request(1) 80.194.79.79:1812 id 245 len 302 vrid 4095 pol bng-aaa-pol
    USER NAME [1] 30 OLT51 eth 1/1/03/01/8/14/1/100
    PASSWORD [2] 16 W3EtVOTVYeWJ7NruhPh2ek
    NAS IP ADDRESS [4] 4 10.113.139.50
    VSA [26] 52 DSL(3561)
      AGENT CIRCUIT ID [1] 30 OLT51 eth 1/1/03/01/8/14/1/100
      AGENT REMOTE ID [2] 18 ONU 8 Testing DHCP


3 2021/03/11 13:18:40.938 UTC MINOR: DEBUG #2001 management RADIUS
"RADIUS: Receive
  Access-Reject(3) id 245 len 20 from 80.194.79.79:1812 vrid 4095 pol bng-aaa-pol


Output from debug mode:

(2) Received Access-Request Id 161 from 10.113.139.50:64509 to 80.194.79.79:1812 length 302
(2)   User-Name = "OLT51 eth 1/1/03/01/8/14/1/100"
(2)   User-Password = "Nokia"
(2)   NAS-IP-Address = 10.113.139.50
(2)   ADSL-Agent-Circuit-Id = 0x4f4c5435312065746820312f312f30332f30312f382f31342f312f313030
(2)   ADSL-Agent-Remote-Id = 0x4f4e5520382054657374696e672044484350
(2)   NAS-Port-Type = Ethernet
(2)   NAS-Port-Id = "lag-2:11"
(2)   NAS-Identifier = "BNG-SR1"
(2)   Alc-Client-Hardware-Addr = "98:86:5d:90:c2:82"
(2)   Alc-ToServer-Dhcp-Options = 0x3501013d070198865d90c282370b0103060c0f1c2b364278795234011e4f4c5435312065746820312f312f30332f30312f382f31342f312f31303002124f4e5520382054657374696e672044484350ff
(2)   Acct-Session-Id = "785EB0000360B7604A1C96"
(2)   Alc-SAP-Session-Index = 1
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> TRUE
(2)         if (&User-Name =~ / /)  {
(2)           update request {
(2)             &Module-Failure-Message += 'Rejected: User-Name contains whitespace'
(2)           } # update request = noop
(2)           [reject] = reject
(2)         } # if (&User-Name =~ / /)  = reject
(2)       } # if (&User-Name)  = reject
(2)     } # policy filter_username = reject
(2)   } # authorize = reject
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2)   Post-Auth-Type REJECT {
(2) attr_filter.access_reject: EXPAND %{User-Name}
(2) attr_filter.access_reject:    --> OLT51 eth 1/1/03/01/8/14/1/100
(2) attr_filter.access_reject: Matched entry DEFAULT at line 11
(2)     [attr_filter.access_reject] = updated
(2)     [eap] = noop
(2)     policy remove_reply_message_if_eap {
(2)       if (&reply:EAP-Message && &reply:Reply-Message) {
(2)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(2)       else {
(2)         [noop] = noop
(2)       } # else = noop
(2)     } # policy remove_reply_message_if_eap = noop
(2)   } # Post-Auth-Type REJECT = updated
(2) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(2) Sending delayed response
(2) Sent Access-Reject Id 161 from 80.194.79.79:1812 to 10.113.139.50:64509 length 20
Waking up in 1.9 seconds.


Thanks,
Hazem
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: User file _matching

Matthew Newton-3


On 11/03/2021 13:44, Hassan, Hazem (Nokia - EG/Cairo) wrote:

> (2)     policy filter_username {
> (2)       if (&User-Name) {
> (2)       if (&User-Name)  -> TRUE
> (2)       if (&User-Name)  {
> (2)         if (&User-Name =~ / /) {
> (2)         if (&User-Name =~ / /)  -> TRUE
> (2)         if (&User-Name =~ / /)  {
> (2)           update request {
> (2)             &Module-Failure-Message += 'Rejected: User-Name contains whitespace'
> (2)           } # update request = noop

It does help to actually read the debug output, which is telling you
exactly what the problem is.

If you don't want the filter_username policy, remove it from the
configuration.

--
Matthew
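An added example, not code from this thread or from FreeRADIUS itself: a Python model of the checks in the default filter_username policy as I recall it from FreeRADIUS 3.x (policy.d/filter; the exact regexes, order and messages may differ between releases), run over the two User-Name values from the debug output above. It shows why the MAC-address username passes and the option-82 circuit-id string is rejected before the users file is ever consulted.

```python
import re

# Checks modelled on the default filter_username policy (FreeRADIUS 3.x,
# policy.d/filter), reconstructed from memory for illustration; treat the
# details as an assumption and compare against your own installed copy.
# The first check is the one that rejected the circuit-id username above.
# Each entry: (predicate returning truthy when the name must be rejected,
#              reason appended to Module-Failure-Message).
FILTER_USERNAME_CHECKS = [
    (lambda n: " " in n,                     "User-Name contains whitespace"),
    (lambda n: re.search(r"@[^@]*@", n),     "Multiple @ in username"),
    (lambda n: ".." in n,                    "User-Name contains .."),
    (lambda n: "@" in n and not re.search(r"@(.+)\.(.+)$", n),
                                             "Realm does not have at least one dot separator"),
    (lambda n: n.endswith("."),              "Realm ends with a dot"),
    (lambda n: "@." in n,                    "Realm begins with a dot"),
]


def filter_username(user_name):
    """Return None if the name passes, else the 'Rejected: ...' reason.

    Mirrors unlang's behaviour: the first failing check short-circuits
    with `reject`, which is exactly what the debug output shows
    ("policy filter_username = reject" -> "authorize = reject").
    """
    if not user_name:          # `if (&User-Name)` is FALSE: the policy is a noop
        return None
    for predicate, reason in FILTER_USERNAME_CHECKS:
        if predicate(user_name):
            return "Rejected: " + reason
    return None


if __name__ == "__main__":
    # The two User-Name values from the Access-Request debug lines in this thread.
    for name in ("98:86:5d:90:c2:82", "OLT51 eth 1/1/03/01/8/14/1/100"):
        print(repr(name), "->", filter_username(name) or "accepted")
```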

RE: User file _matching

Hassan, Hazem (Nokia - EG/Cairo)
Thanks Matthew, but I don't know how I can remove it.


-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+hazem.hassan=[hidden email]> On Behalf Of Matthew Newton
Sent: Thursday, March 11, 2021 3:50 PM
To: [hidden email]
Subject: Re: User file _matching



On 11/03/2021 13:44, Hassan, Hazem (Nokia - EG/Cairo) wrote:

> (2)     policy filter_username {
> (2)       if (&User-Name) {
> (2)       if (&User-Name)  -> TRUE
> (2)       if (&User-Name)  {
> (2)         if (&User-Name =~ / /) {
> (2)         if (&User-Name =~ / /)  -> TRUE
> (2)         if (&User-Name =~ / /)  {
> (2)           update request {
> (2)             &Module-Failure-Message += 'Rejected: User-Name contains whitespace'
> (2)           } # update request = noop

It does help to actually read the debug output, which is telling you exactly what the problem is.

If you don't want the filter_username policy, remove it from the configuration.

--
Matthew

Re: User file _matching

Alan DeKok-2


> On Mar 11, 2021, at 9:05 AM, Hassan, Hazem (Nokia - EG/Cairo) <[hidden email]> wrote:
>
> Thanks Matthew, but I don't know how I can remove it.

  Edit the configuration files?

  Look for "policy_filter_username".

  Alan DeKok.

