freeradius-3.0: Using EAP-Type in post-auth processing


freeradius-3.0: Using EAP-Type in post-auth processing

Felix Tiede
Hello.

With freeradius 2.1 I did a

post-auth {
  if (EAP-Type == EAP-TLS) {
    update reply {
      ...
    }
    updated
  }
  elsif (EAP-Type == PEAP) {
    update reply {
      ...
    }
    updated
  }
}

With freeradius 3.0 this does not work any longer.
The code above errors out and at least radiusd -X does not start due to
"attribute for value" errors on the if-clauses. Using '&' in front of both
operands yields a short message "Ignoring as always false" during startup and
then nothing happens when PEAP or EAP-TLS requests come in, so clients are
authenticated but not properly authorized and access does not work, as it
relies on the actions performed in 'update reply'.

So, my question is: how do I achieve the same functionality as above with
freeradius-3.0 unlang?

Thanks in advance for your help.

Regards,
Felix
--
If God had a beard, he'd be a UNIX programmer.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freeradius-3.0: Using EAP-Type in post-auth processing

Alan DeKok-2
On May 10, 2017, at 10:32 AM, Felix Tiede <[hidden email]> wrote:
> The code above errors out and at least radiusd -X does not start due to
> "attribute for value" errors on the if-clauses

  What are "attribute for value" errors?

  It *is* possible to cut & paste the exact error message...

  Alan DeKok.


Re: freeradius-3.0: Using EAP-Type in post-auth processing

Alan Buxey
%{EAP-Type} should be populated - and the value, &EAP-Type works - you
may need to check its numeric value. Are you using the latest 3.0.x?

alan

On 10 May 2017 at 15:57, Alan DeKok <[hidden email]> wrote:

> On May 10, 2017, at 10:32 AM, Felix Tiede <[hidden email]> wrote:
>> The code above errors out and at least radiusd -X does not start due to
>> "attribute for value" errors on the if-clauses
>
>   What are "attribute for value" errors?
>
>   It *is* possible to cut & paste the exact error message...
>
>   Alan DeKok.
>

Re: freeradius-3.0: Using EAP-Type in post-auth processing

Felix Tiede
In reply to this post by Alan DeKok-2
On Wednesday, 10 May 2017, 16:57:23 CEST, you wrote:
> On May 10, 2017, at 10:32 AM, Felix Tiede <[hidden email]> wrote:
> > The code above errors out and at least radiusd -X does not start due to
> > "attribute for value" errors on the if-clauses
>
>   What are "attribute for value" errors?
>
>   It *is* possible to cut & paste the exact error message...

I'm sorry, I had hoped to find an answer on the web and had meanwhile gone
back to freeradius-2.1.

Here is the exact error message:

/etc/raddb/policy.d/vlan-id[5]: (EAP-Type == EAP-TLS) {
/etc/raddb/policy.d/vlan-id[5]:              ^ Failed to parse value for attribute

This is produced by freeradius-3.0 using the code I posted before.

Regards,
Felix
--
BOFH Excuse #129:

The ring needs another token


Re: freeradius-3.0: Using EAP-Type in post-auth processing

Felix Tiede
In reply to this post by Alan Buxey
On Wednesday, 10 May 2017, 17:00:47 CEST, you wrote:
> %{EAP-Type} should be populated - and the value, &EAP-Type works - you
> may need to check its numeric value.  are you using latest 3.0.x ?

Using
  if (%{EAP-Type} == EAP-TLS)

yields the following lines and ends with no operation taken:

 # Skipping contents of 'if' as it is always 'false' -- /etc/raddb/policy.d/vlan-id:5
 # Skipping contents of 'elsif' as it is always 'false' -- /etc/raddb/policy.d/vlan-id:13

From an actual request:
(11)       if (%{EAP-Type} == EAP-TLS) {
(11)       if (%{EAP-Type} == EAP-TLS)  -> FALSE
(11)       elsif (%{EAP-Type} == PEAP) {
(11)       elsif (%{EAP-Type} == PEAP)  -> FALSE

Using
  if (&EAP-Type == EAP-TLS)

then yields this, similar to 'if (EAP-Type == EAP-TLS)':
/etc/raddb/policy.d/vlan-id[5]: Parse error in condition
/etc/raddb/policy.d/vlan-id[5]: (&EAP-Type == EAP-TLS) {
/etc/raddb/policy.d/vlan-id[5]:               ^ Failed to parse value for attribute

I'm using freeradius-3.0.13 for these tests.
I would like not to use numeric values - both EAP-Type and EAP-TLS/PEAP are
from freeradius' built-in dictionary.

Regards,
Felix

--
BOFH Excuse #129:

The ring needs another token


Re: freeradius-3.0: Using EAP-Type in post-auth processing

Alan DeKok-2
In reply to this post by Felix Tiede
On May 10, 2017, at 2:18 PM, Felix Tiede <[hidden email]> wrote:
> Here is the exact error message:
>
> /etc/raddb/policy.d/vlan-id[5]: (EAP-Type == EAP-TLS) {
> /etc/raddb/policy.d/vlan-id[5]:              ^ Failed to parse value for attribute
>
> This is produced by freeradius-3.0 using the code I posted before.

  Just do:

        if (EAP-Type == TLS)  {
                ...

  and it will work.

  Alan DeKok.

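As an added example that is not from this thread or the FreeRADIUS project: a small Python check that resolves the right-hand side of unlang EAP-Type conditions against the dictionary's VALUE names, flagging the two forms the thread shows going wrong (a bareword such as EAP-TLS that is not a value name, and a %{...} expansion the server skips as "always false") before a policy is deployed. The dictionary excerpt, the sample conditions and all function names are constructed for this example.

```python
import re
from typing import Dict, List, Set, Tuple
# Constructed excerpt of FreeRADIUS' internal dictionary (VALUE <attr> <name> <number>).
# TLS=13 and PEAP=25 are the IANA EAP method numbers; a deployment would read the
# installed dictionary files instead of this string.
DICTIONARY_EXCERPT = """\
VALUE   EAP-Type   TLS    13
VALUE   EAP-Type   TTLS   21
VALUE   EAP-Type   PEAP   25
"""

# Matches: if/elsif ( [&|%{]Attr[}] ==|!= ["]Value["] )
COND_RE = re.compile(
    r'^\s*(?:if|elsif)\s*\(\s*(&|%\{)?([A-Za-z0-9-]+)\}?\s*(==|!=)\s*"?([A-Za-z0-9-]+)"?\s*\)'
)

def load_values(text: str) -> Dict[str, Set[str]]:
    # Map each attribute to the VALUE names the dictionary defines for it.
    values: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "VALUE":
            values.setdefault(parts[1], set()).add(parts[2])
    return values

def check_condition(cond: str, values: Dict[str, Set[str]]) -> Tuple[str, str]:
    # Classify one unlang condition as ok / warn / error, with a short reason.
    m = COND_RE.match(cond)
    if not m:
        return "unparsed", cond.strip()
    prefix, attr, op, rhs = m.groups()
    if prefix == "%{":
        # %{...} is a string expansion, not an attribute reference, so the right-hand
        # bareword is never resolved; the thread shows such blocks skipped as "always false".
        return "warn", f"%{{{attr}}} {op} {rhs}: string expansion, block may be optimised out"
    known = values.get(attr, set())
    if rhs in known:
        return "ok", f"&{attr} {op} {rhs} resolves to a dictionary VALUE"
    detail = f"{rhs} is not a VALUE name of {attr}"
    if rhs.startswith("EAP-") and rhs[4:] in known:   # EAP-TLS -> TLS
        detail += f"; did you mean {rhs[4:]}?"
    return "error", detail

# Constructed conditions mirroring the thread's attempts and the working form.
SAMPLE_POLICY: List[str] = [
    "if (EAP-Type == EAP-TLS) {",      # original post: fails to parse
    "if (%{EAP-Type} == EAP-TLS) {",   # skipped as always false
    "if (&EAP-Type == TLS) {",         # the fix from the reply
    'elsif (&EAP-Type == "PEAP") {',   # quoted value name is also accepted
]
def check_policy(lines: List[str]) -> List[Tuple[str, str]]:
    values = load_values(DICTIONARY_EXCERPT)
    return [check_condition(line, values) for line in lines]
```

Running this over a real policy file with the installed dictionary is a cheap pre-deployment check: a condition that is silently always false leaves clients authenticated but never authorized, which is exactly the failure the first post describes.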

Re: freeradius-3.0: Using EAP-Type in post-auth processing

Felix Tiede
In reply to this post by Felix Tiede
On Wednesday, 10 May 2017, 19:58:30 CEST, you wrote:
> I'm going to guess that it's because you've left the type unconstrained
> and thus it's trying to do something silly like match
> a value/variable that doesn't exist
>
> if(&EAP-Type == "PEAP") {
> }
>
>

/etc/raddb/policy.d/vlan-id[5]: Parse error in condition
/etc/raddb/policy.d/vlan-id[5]: (&EAP-Type == "EAP-TLS") {
/etc/raddb/policy.d/vlan-id[5]:               ^ Failed to parse value for attribute

Doesn't work either.
And I seem to remember I tried that as well.

>
>
> the 'skipping' is a sign that it's optimising out the condition..
>

Regards,
Felix

--
An engineer is someone who does list processing in FORTRAN.


Re: freeradius-3.0: Using EAP-Type in post-auth processing

Felix Tiede
In reply to this post by Alan DeKok-2
On Wednesday, 10 May 2017, 20:28:50 CEST, Alan DeKok wrote:

> On May 10, 2017, at 2:18 PM, Felix Tiede <[hidden email]> wrote:
> > Here is the exact error message:
> >
> > /etc/raddb/policy.d/vlan-id[5]: (EAP-Type == EAP-TLS) {
> > /etc/raddb/policy.d/vlan-id[5]:              ^ Failed to parse value for attribute
> >
> > This is produced by freeradius-3.0 using the code I posted before.
>
>   Just do:
>
> if (EAP-Type == TLS)  {
> ...
>
>   and it will work.

And so it does.
Thanks a lot, that was what I was missing.

Regards, Felix

--
"If that makes any sense to you, you have a big problem."
                -- C. Durance, Computer Science 234
