
[defect]: regex string operator match doesn't work on "Packet-Src-IP-Address" (integer type attributes??) in the "huntgroup" selection

Open pamribeirox opened this issue 3 years ago • 1 comments

What type of defect/bug is this?

Unexpected behaviour (obvious or verified by project member)

How can the issue be reproduced?

Reproduced in Debian 11 using the stock installs of 3.0.25 and 3.2.0; the match was working as expected on the 2.x series.

Add these lines to the end of the "huntgroups" file:

hgregex1 Packet-Src-IP-Address =~ '^127\.'
hgregex2 Packet-Src-IP-Address =~ '127\.'
hgregex3 Packet-Src-IP-Address =~ '^127'
hgregex4 Packet-Src-IP-Address =~ '127'
hgregex5 User-Name =~ '^127\.'
hgcompare Packet-Src-IP-Address == 127.0.0.1

In "sites-enabled/default", add these lines after "preprocess" in the "authorize" section (just to show the value of Huntgroup-Name in the debug log):

update reply {
    &Tmp-String-0 := "%{Huntgroup-Name}"
}

Run the server in debug mode and make an authentication request.

Log output from the FreeRADIUS daemon

In the log we can see the regex operator doesn't seem to properly evaluate the synthetic Packet-Src-IP-Address attribute and only the == operator matches.

(0) preprocess: EXPAND ^127\.
(0) preprocess:    --> ^127\.
(0) preprocess: EXPAND 127\.
(0) preprocess:    --> 127\.
(0) preprocess: EXPAND ^127
(0) preprocess:    --> ^127
(0) preprocess: EXPAND 127
(0) preprocess:    --> 127
(0) preprocess: EXPAND ^127\.
(0) preprocess:    --> ^127\.
(0) preprocess: EXPAND %{Packet-Src-IP-Address}
(0) preprocess:    --> 127.0.0.1
(0)     [preprocess] = ok
(0)     update reply {
(0)       EXPAND %{Huntgroup-Name}
(0)          --> hgcompare
(0)       &Tmp-String-0 := hgcompare
(0)     } # update reply = noop

Now testing again using a tweaked username (127.username), the attribute (User-Name, type string) matches in the regex.
It seems the regex match isn't working on integer attributes??

(0) preprocess: EXPAND ^127\.
(0) preprocess:    --> ^127\.
(0) preprocess: EXPAND 127\.
(0) preprocess:    --> 127\.
(0) preprocess: EXPAND ^127
(0) preprocess:    --> ^127
(0) preprocess: EXPAND 127
(0) preprocess:    --> 127
(0) preprocess: EXPAND ^127\.
(0) preprocess:    --> ^127\.
(0)     [preprocess] = ok
(0)     update reply {
(0)       EXPAND %{Huntgroup-Name}
(0)          --> hgregex5
(0)       &Tmp-String-0 := hgregex5
(0)     } # update reply = noop

Relevant log output from client utilities

No response

Backtrace from LLDB or GDB

No response

pamribeirox, Aug 29 '22 17:08

Unfortunately that is the way it works.

You can copy Packet-Src-IP-Address to another attribute of type string, and then run the regular expression on that.

alandekok, Aug 29 '22 17:08
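
The workaround from the reply above, written out as an added example (not configuration posted by either participant or taken from the FreeRADIUS project). It assumes Tmp-String-1 is not used elsewhere in the policy and that the copy runs before "preprocess"; the huntgroup name and pattern are reused from the report.

```unlang
# sites-enabled/default, "authorize" section
authorize {
    # Copy the synthetic source-address attribute into a real string
    # attribute in the request list, before the huntgroups are evaluated.
    update request {
        &Tmp-String-1 := "%{Packet-Src-IP-Address}"
    }

    preprocess

    # ... rest of the section unchanged ...
}

# "huntgroups" file: run the regex on the string copy instead of on
# Packet-Src-IP-Address itself.
hgregex1    Tmp-String-1 =~ '^127\.'
```

Running the server in debug mode with the "update reply" line from the report still in place shows which huntgroup was selected, so the match on the string copy can be confirmed the same way.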