From: Arran Cudbard-Bell Date: Thu, 30 Jun 2011 12:49:51 +0000 (+0200) Subject: Overload the acct_unique module with a better policy - Should fix some problems with... X-Git-Tag: release_3_0_0_beta0~743 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dad18704fbd044e60735b726b7742a24376e7403;p=thirdparty%2Ffreeradius-server.git Overload the acct_unique module with a better policy - Should fix some problems with non unique Acct-Session-IDs Fix formatting for other policies, and add additional internal attributes Rename some existing policies to make a clear distinction between the special .
policies, and ones which had previously used this convention.
---
diff --git a/raddb/policy.conf b/raddb/policy.conf
index 73b195188a2..18dc683b633 100644
--- a/raddb/policy.conf
+++ b/raddb/policy.conf
@@ -15,10 +15,53 @@ # and actions to take. # # Policies are something like subroutines in a normal language, but -# they cannot be called recursively. They MUST be defined in order. +# they cannot be called recursively. They MUST be defined in order. # If policy A calls policy B, then B MUST be defined before A. # policy { + # + # Overload the default acct_unique module, it's not smart enough + # + acct_unique { + # + # If we have a class attribute, it'll have a local value (defined by populate_class), + # this ensures uniqueness and suitability. + # We could just use the Class attribute as Acct-Unique-Session-Id, but this may cause + # problems with NAS that carry Class values across between multiple linked sessions. + # So we rehash class with Acct-Session-ID to provide a truely unique session identifier. + # + # Using a Class/Session-ID combination is more robust than using elements in the + # Accounting-Request, which may be subject to change, such as NAS-IP-Address + # or Client-IP-Address and NAS-Port-ID/NAS-Port. + # So should ensure that session data is not affected if NAS IP addresses change, or + # the client roams to a different 'port' whilst maintaining its initial authentication + # session (Common in a wireless environment). + # + if(Class) { + update request { + Acct-Unique-Session-Id := "%{md5:%{Class}%{Acct-Session-ID}}" + } + } + # + # Not All devices respect RFC 2865 when dealing with the class attribute, + # so be prepared to use the older style of hashing scheme if a class attribute is not included + # + else { + update request { + Acct-Unique-Session-Id := "%{md5:%{User-Name}%{Acct-Session-ID}%{NAS-IP-Address}%{NAS-Port-ID:}%{NAS-Port}}" + } + } + } + + # + # Insert a (hopefully unique) value into class + # + insert_acct_class { + update reply { + Class = "%{md5:%t%{request:NAS-Identifier}%{NAS-Port-ID}%{NAS-Port}%{Calling-Station-ID}%{reply:User-Name}}" + } + } + # # Forbid all EAP types. # 
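Review bot: `insert_acct_class` derives Class only from a second-resolution timestamp (`%t`) and NAS-supplied attributes, so two Access-Accepts for the same NAS-Identifier, port, station and user within one second produce identical Class values, and the Class branch of the new `acct_unique` then no longer disambiguates sessions whose Acct-Session-Id also collides; the value is also predictable to anyone who sees the request, so the comment above the policy should say `# Derived from request attributes: unique per (NAS, port, station, user, second); not a secret, never use it as an authorisation token`. `%{reply:User-Name}` expands to nothing unless the reply carries User-Name, which is not guaranteed, whereas `%{User-Name}` from the request is always the authenticated name and is the more dependable input. In the fallback branch of `acct_unique`, `%{NAS-Port-ID:}` carries a trailing colon that no other expansion in the same string has; confirm it is intended rather than a typo. The comment also reads 'truely' for 'truly'.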
@@ -53,8 +96,8 @@ policy { } # - # If you want the server to pretend that it is dead, - # then use the "do_not_respond" policy. + # If you want the server to pretend that it is dead, + # then use the "do_not_respond" policy. # do_not_respond { update control {
@@ -65,7 +108,9 @@ policy { } # - # Force some sanity on User-Name. This helps to avoid issues + # Filter the username + # + # Force some sanity on User-Name.This helps to avoid issues # issues where the back-end database is "forgiving" about # what constitutes a user name. #
@@ -158,12 +203,12 @@ policy { # # Normalize the MAC Addresses in the Calling/Called-Station-Id # - mac-addr = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2}) + mac-addr-regexp = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2}) - # Add "rewrite.called_station_id" in the "authorize" and "preacct" + # Add "rewrite_called_station_id" in the "authorize" and "preacct" # sections. - rewrite.called_station_id { - if((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) { + rewrite_called_station_id { + if(Called-Station-Id =~ /^%{config:policy.mac-addr-regexp}(:(.+))?$/i) { update request { Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" }
@@ -171,7 +216,7 @@ policy { # SSID component? if ("%{7}") { update request { - Called-Station-Id := "%{Called-Station-Id}:%{7}" + Called-Station-SSID := "%{7}" } } updated
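Review bot: The rewritten comment line `# Force some sanity on User-Name.This helps to avoid issues` loses the space after the full stop that the removed line had, and together with the unchanged next line it reads "issues issues". Suggest `# Force some sanity on User-Name. This helps to avoid issues` followed by `# where the back-end database is "forgiving" about`.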
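Review bot: The new condition `if(Called-Station-Id =~ /^%{config:policy.mac-addr-regexp}(:(.+))?$/i)` drops the explicit presence check `(Called-Station-Id) &&` that the removed line had; whether a regex comparison against an absent attribute simply evaluates false or is reported as an evaluation error is not visible here, so confirm that before relying on it, and the same applies to `rewrite_calling_station_id` in the following hunk. The pattern is matched case-insensitively and `[^0-9a-f]?` accepts any single non-hex character or none between octets, which is worth stating next to `mac-addr-regexp`: `# Matches 12 hex digits with any single separator (or none) between octets, case-insensitive`. The body of `rewrite_called_station_id` continues past the end of this hunk.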
@@ -181,10 +226,10 @@ policy { } } - # Add "rewrite.calling_station_id" in the "authorize" and "preacct" + # Add "rewrite_calling_station_id" in the "authorize" and "preacct" # sections. - rewrite.calling_station_id { - if((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) { + rewrite_calling_station_id { + if(Calling-Station-Id =~ /^%{config:policy.mac-addr-regexp}$/i) { update request { Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" }
diff --git a/raddb/sites-available/default b/raddb/sites-available/default
index 32effa87c70..9495c8a6219 100644
--- a/raddb/sites-available/default
+++ b/raddb/sites-available/default
@@ -540,6 +540,12 @@ post-auth { # } # } + # Insert class attribute (with unique value) into response, + # aids matching auth and acct records, and protects against duplicate + # Acct-Session-Id. Note: Only works if the NAS has implemented + # RFC 2865 behaviour for the class attribute. + insert_acct_class + # # Access-Reject packets are sent through the REJECT sub-section of the # post-auth section.
diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
index 3a2b6a4f0f7..e0b5dd291cc 100644
--- a/share/dictionary.freeradius.internal
+++ b/share/dictionary.freeradius.internal
@@ -132,7 +132,6 @@ ATTRIBUTE Virtual-Server 1099 string ATTRIBUTE Cleartext-Password 1100 string ATTRIBUTE Password-With-Header 1101 string ATTRIBUTE Inner-Tunnel-User-Name 1102 string - # # EAP-IKEv2 is experimental. #
@@ -218,6 +217,11 @@ ATTRIBUTE Cached-Session-Policy 1135 string ATTRIBUTE MS-CHAP-New-Cleartext-Password 1136 string ATTRIBUTE MS-CHAP-New-NT-Password 1137 octets +# For default policies + +ATTRIBUTE Stripped-User-Domain 1138 string +ATTRIBUTE Called-Station-SSID 1139 string + # # Range: 1200-1279 # EAP-SIM (and other EAP type) weirdness.
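Review bot: Writing the SSID into the new `Called-Station-SSID` attribute instead of re-appending it to Called-Station-Id changes what every later section sees: Called-Station-Id now holds only the normalised MAC, so any existing policy or backend query that matched the old `mac:ssid` form silently stops matching. The comment above `rewrite_called_station_id` (in the previous hunk, where this policy begins) should state this, e.g. `# Any SSID suffix is moved to Called-Station-SSID; Called-Station-Id keeps only the MAC`.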
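Review bot: The comment promises a Class "with unique value", but `insert_acct_class` in raddb/policy.conf (same commit) sets it with `=`, which adds the attribute only when the reply does not already carry one, so a Class supplied by a backend's reply attributes is kept and uniqueness then depends on that value; suggest adding `# A Class already present in the reply (e.g. set by a backend) is left as is.` to this comment. The call also runs for every Access-Accept, so each reply grows by a 32-character Class even for NAS that never echo it in accounting, which is worth noting for sites that want it only on specific clients.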
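Review bot: `Stripped-User-Domain` (1138) is added under `# For default policies`, but none of the policy hunks in this commit reference it, whereas `Called-Station-SSID` (1139) is written by `rewrite_called_station_id`; if a policy outside this diff populates it, name it in the comment, e.g. `# Used by the default policies in raddb/policy.conf (Called-Station-SSID: rewrite_called_station_id)`, otherwise the attribute stays unused until one does.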