Unlang
2014-02-28 17:27
Full Name
FreeRADIUS Processing un-language
Brief Introduction
FreeRADIUS supports a simple processing language in its configuration files. We call it an "un-language" because the intention is NOT to create yet another programming language.
Purpose
To allow simple policies to be written with minimal effort. Those policies are then applied when a request is being processed through the RADIUS server. Unlang is used in the sections titled "authorize", "authenticate", "post-auth", "preacct", "accounting", "pre-proxy", "post-proxy", and "session".
Keywords
module-name
- A reference to the named module. When processing reaches this point, the pre-compiled module is called. The module may succeed or fail, and will return a status to "unlang". This status can be tested in a condition.
- Example: chap # call the CHAP module
if (condition) {
    ...
}
elsif (condition) {
    ...
}
else {
    ...
}
Keywords
update <list> {
attribute = value
...
}
- The only contents permitted in an "update" section are attributes and values.
- The <list> can be one of "request", "reply", "proxy-request", "proxy-reply", or "control".
- The "control" list is the list of attributes maintained internally by the server that controls how the server processes the request. Any attribute that does not go in a packet on the network will generally be placed in the "control" list.
e.g.:
elsif (("%{User-Name}" =~ /.*?@globe@aicent$/i)) {
    update control {
        Proxy-To-Realm := Trial
    }
}
Other keywords
Condition:
(foo):
- a non-empty string / non-zero number
- not a quoted string: a named attribute
- not an attribute: a module return code
(!foo)
(foo || bar)
(foo && bar)
(foo == bar)
- Compares 'foo' to 'bar', and evaluates to true if the comparison holds true. Valid comparison operators are "==", "!=", "<", "<=", ">", ">=", "=~", and "!~", all with their usual meanings. Invalid comparison operators are ":=" and "=".
Data Type:
/regex/i
- These strings are valid only on the right-hand side of a comparison, and then only when the comparison operator is "=~" or "!~".
- 'i': the regular expression match should be done in a case-insensitive fashion.
Variable:
%{Variable-Name}:
e.g.: if (("%{Client-IP-Address}" == 64.124.233.254)) {
Run-time variables. There is no way to declare variables; all references to variables MUST be contained inside a double-quoted or back-quoted string.
Variables are defined in the dictionaries, which give only the name and type.
When the server receives a packet, it instantiates variables with a name taken from the dictionaries, and a value taken from the packet contents.
If a variable does not exist, it is usually because it was not mentioned in a packet that the server received.
Variable:
%{<list>:Attribute-Name}:
e.g.: if (proxy-request:Acct-Session-Time) {
The "<list>:" prefix is optional, and if omitted, is assumed to refer to the "request" list.
The given list is examined for an attribute of the given name. If found, the variable reference in the string is replaced with the value of that attribute.
Results of regular expression matches
# True outbound to others
elsif ("%{User-Name}" =~ /^(.*?)@true@aicent$/i) {
    update proxy-request {
        User-Name := "%{1}"
    }
}
# BT outbound to CT
elsif ("%{User-Name}" =~ /^(.*?)@quico@aicent$/i) {
    update proxy-request {
        User-Name := "quico\/%{1}"
    }
}
# SKT outbound to others
elsif ("%{User-Name}" =~ /^aicent\/skt\/(.*?)$/i) {
    update proxy-request {
        User-Name := "%{1}@AuthServer@aicent"
    }
}
Results of regular expression matches
if (("%{AICENT-Home-Operator}" == "Sunday3G_HK") && ("%{AICENT-Visit-Operator}" == "Tomizone_NZ")) {
    if ("%{WISPr-Location-ID}" =~ /isocc=(.*)(,cc=.*)$/i) {
        if ("%{1}" =~ /au/i) {
        }
        else {
            update proxy-request {
                WISPr-Location-ID := "isocc=NZ%{2}"
            }
        }
    }
}
If a regular expression match has previously been performed, then the special variable %{0} will contain a copy of the input string.
The variables %{1} through %{8} will contain the substring matches, starting from the left-most parentheses.
If there are more than 8 parentheses, the additional results will not be placed into any variables.
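The capture-variable behaviour described above, as an added example that is not part of the original page: a small Python model of the three User-Name rewrite rules and of %{0} to %{8}. The sample user names are constructed, and two points are assumptions: an unset %{N} expands to an empty string, and "quico\/" yields a plain "/".

```python
import re

# (pattern, template) pairs taken from the three rewrite rules above.
# Assumption: "quico\/%{1}" in the config yields a plain "/" in the value.
RULES = [
    (r"^(.*?)@true@aicent$", "%{1}"),
    (r"^(.*?)@quico@aicent$", "quico/%{1}"),
    (r"^aicent\/skt\/(.*?)$", "%{1}@AuthServer@aicent"),
]

def capture_vars(match):
    """Model %{0}..%{8}: %{0} is the input string, %{1}..%{8} the groups.
    Groups after the eighth are not stored, as the text describes."""
    found = {0: match.string}
    for n in range(1, min(match.re.groups, 8) + 1):
        found[n] = match.group(n) or ""  # group that did not take part -> ""
    return found

def expand(template, found):
    """Replace each %{N}; assumption: an unset %{N} expands to ""."""
    return re.sub(r"%\{(\d+)\}",
                  lambda m: found.get(int(m.group(1)), ""), template)

def rewrite_user_name(user_name, rules=RULES):
    """Return the proxied User-Name; the first matching rule wins (if/elsif)."""
    for pattern, template in rules:
        m = re.search(pattern, user_name, re.IGNORECASE)  # the /i flag
        if m:
            return expand(template, capture_vars(m))
    return user_name  # no condition matched: nothing is updated

if __name__ == "__main__":
    # Constructed sample user names, not taken from any real system.
    for name in ("alice@true@aicent", "Bob@QUICO@AICENT",
                 "aicent/skt/carol", "a@b@true@aicent", "dave@example"):
        print(f"{name!r:24} -> {rewrite_user_name(name)!r}")
```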
Attribute :
The following syntax defines attributes in an "update" section. Each attribute and value has to be all on one line in the configuration file. There is no need for commas or semi-colons after the value.
Attribute-Name = value
Attribute names
- The Attribute-Name must be a name previously defined in a dictionary. If an undefined name is used, the server will return an error, and will not start.
Operators
- = Add the attribute to the list, if and only if an attribute of the same name is not already present in that list.
- := Add the attribute to the list. If any attribute of the same name is already present in that list, its value is replaced with the value of the current attribute.
- += Add the attribute to the tail of the list, even if attributes of the same name are already present in the list.
Values
- The format of the value is attribute-specific, and is usually a string, integer, IP address, etc. Its maximum length is 253 characters.
users_unlang.wifi on the Proxy:
if (("%{User-Name}" =~ /^.*?@wig@aicent$/i) || ("%{User-Name}" =~ /^aicent\/wig\/(.*?)$/i)) {
    update request {
        AICENT-Home-Operator := WirelessGate_JP
    }
}
......
elsif (("%{Client-IP-Address}" == 64.124.233.254)) {
    if (("%{WISPr-Location-Name}" == "Tomizone:NZ")) {
        update request {
            AICENT-Visit-Operator := Tomizone_NZ
        }
    }
}
Note the keywords used in the conditional statements for the different attributes.
Application
preproxy_unlang.wifi on the Proxy:
elsif ("%{User-Name}" =~ /^(.*?)@swbell.net@aicent$/i) {
    update proxy-request {
        User-Name := "%{1}@swbell.net"
    }
}
This can be changed to:
elsif ("%{User-Name}" =~ /^(.*?@swbell.net)@aicent$/i) {
    update proxy-request {
        User-Name := "%{1}"
    }
}
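# SKT outbound to others
    if (!proxy-request:Calling-Station-Id) {
        # Copies the cleartext User-Password value into Calling-Station-Id,
        # which RADIUS sends unencrypted.
        update proxy-request {
            Calling-Station-Id := "%{User-Password}"
        }
    }
}   # closes an enclosing block that this excerpt does not show
# from SKT
if (!proxy-request:Event-Timestamp) {
    update proxy-request {
        Event-Timestamp := "%T"
    }
}
"%T": request timestamp in database format
"%l": request timestamp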
users_unlang on the Agent:
if ("%{Client-IP-Address}" == "10.10.8.128") {
    update control {
        Proxy-To-Realm := AicentProxy
    }
}
elsif ("%{Client-IP-Address}" == "10.10.55.101") {
    update control {
        Proxy-To-Realm := AicentProxy
    }
}
......
Changed to:
if (("%{Client-IP-Address}" != "10.10.8.128") && ("%{Client-IP-Address}" != "10.10.55.101")) {
    update control {
        Proxy-To-Realm := AicentProxy
    }
}
users_unlang on 9.26 (Agent for CMCC):
if (("%{Client-IP-Address}" == '10.10.8.128') || ("%{Client-IP-Address}" == '10.10.55.101')) {
    update control {
        Proxy-To-Realm := cmcc_out
    }
}
Changed to:
if ("%{AICENT-Next-Hop-Name}" == "CMCC_CN") {
    update control {
        Proxy-To-Realm := cmcc_out
    }
}
In preproxy.unlang:
elsif ("%{AICENT-Home-Operator}" == "CMCC_CN") {
    update proxy-request {
        AICENT-Next-Hop-Name -= "%{AICENT-Next-Hop-Name}"
    }
}
update proxy-request {
    Real-Visited-Client-IP-Address := "%{Client-IP-Address}"
}
users_unlang on the Aicent server:
if ("%{User-Name}" !~ /^.*?@test[123]\.softbank\.co\.jp.*$|^.*?@m3.*$|^.*?@.\.aicent\.com.*?$|^.*?@AuthServer.*?$|^.*?123456.*?$/i) {
    aicent_local_server
}
else {
}
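An added example (not from the original page or from FreeRADIUS): a Python check that flags every '.' in a condition regex that matches one arbitrary character, run over the swbell.net and aicent.com patterns used above. The function names and the sample user name are made up for this illustration.

```python
import re

# Condition regexes copied from the unlang excerpts on this page.
PAGE_PATTERNS = [
    r"^(.*?)@swbell.net@aicent$",
    r"^(.*?@swbell.net)@aicent$",
    r"^.*?@.\.aicent\.com.*?$",
    r"^.*?@test[123]\.softbank\.co\.jp.*$",
]

def bare_dots(pattern):
    """Offsets of each '.' that matches exactly one arbitrary character:
    not escaped, not inside [...], and not followed by a quantifier."""
    hits, i, in_class = [], 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 2  # skip the backslash and the character it escapes
            continue
        if c == "[":
            in_class = True
        elif c == "]":
            in_class = False
        elif c == "." and not in_class:
            nxt = pattern[i + 1:i + 2]
            if nxt == "" or nxt not in "*+?{":
                hits.append(i)
        i += 1
    return hits

def escape_bare_dots(pattern):
    """Return the pattern with every flagged '.' written as a literal '\\.'."""
    out, last = [], 0
    for pos in bare_dots(pattern):
        out.append(pattern[last:pos] + "\\.")
        last = pos + 1
    return "".join(out) + pattern[last:]

def accepts(pattern, user_name):
    """True if the condition regex matches, case-insensitively (the /i flag)."""
    return re.search(pattern, user_name, re.IGNORECASE) is not None

if __name__ == "__main__":
    for p in PAGE_PATTERNS:
        print(bare_dots(p), p)
    loose = PAGE_PATTERNS[0]
    strict = escape_bare_dots(loose)
    name = "bob@swbellXnet@aicent"  # constructed look-alike realm
    print(accepts(loose, name), accepts(strict, name))
```

A flagged dot may be a deliberate single-character wildcard, as in the aicent.com pattern, so review each hit rather than escaping it automatically.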