regular expressions in proxy.conf

Hello, I'm using Debian and Freeradius 2.0.4-3.

I want to use a regular expression in the proxy.conf file to match any request that contains the word "domain" in the realm (suffix mode).

    ### /etc/freeradius/proxy.conf
    realm "~(domain)+" {
    #    authhost = LOCAL # not strictly necessary
    #    accthost = LOCAL # not strictly necessary
    }

Then, in the authorize section I have:

    ### /etc/freeradius/sites-available/default
    authorize {
        preprocess
        mschap
        suffix
        eap {
            ok = return
        }
        if ("%{Realm}" =~ /(temp\.)?domain\.es$/){
            update control {
                Intentos-Reject = ...
            }
        }
        files
        switch "%{Realm}" {
            case "temp.domain.es" {
                sql
            }
            case "domain.es" {
                redundant {
                    ldap2
                    ldap1
                    ldap3
                }
            }
            case {
                update control {
                    Auth-Type := Reject
                }
            }
        }
        expiration
        pap
    }

And, in the users file:

    ### /etc/freeradius/proxy.conf
    DEFAULT Intentos-Reject > 10, Auth-Type := Reject
        Reply-Message = "NUMERO DE INTENTOS FALLIDOS(%{Intentos-Reject}) EXCEDIDO PARA %{%{Stripped-User-Name}:-%{User-Name}}"

My problem is: the Realm that Freeradius adds to the request is the regular expression...

Here is my debug information:

    rad_recv: Access-Request packet from host 127.0.0.1 port 60112, id=208, length=68
        User-Name = "XXX@..."
        User-Password = "YYY"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
    +- entering group authorize
    ++[preprocess] returns ok
    ++[mschap] returns noop
        rlm_realm: Looking up realm "domain.es" for User-Name = "XXX@..."
        rlm_realm: Found realm "~(domain)+"
        rlm_realm: Adding Stripped-User-Name = "XXX"
        rlm_realm: Adding Realm = "~(domain)+"
        rlm_realm: Authentication realm is LOCAL.
    ++[suffix] returns noop
      rlm_eap: No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++? if ("%{Realm}" =~ /(temp\.)?domain\.es$/)
        expand: %{Realm} -> ~(domain)+
    ? Evaluating ("%{Realm}" =~ /(temp\.)?domain\.es$/) -> FALSE
    ++? if ("%{Realm}" =~ /(temp\.)?domain\.es$/) -> FALSE
    ++[files] returns noop
        expand: %{Realm} -> ~(domain)+
    ++- entering switch %{Realm}
    +++- entering case
    ++++[control] returns noop
    +++- case returns noop
    ++- switch %{Realm} returns noop

I can resolve this by adding this to proxy.conf:

    ### /etc/freeradius/proxy.conf
    realm "domain.es" {
        authhost = LOCAL # not strictly necessary
        accthost = LOCAL # not strictly necessary
    }
    realm "temp.domain.es" {
        authhost = LOCAL # not strictly necessary
        accthost = LOCAL # not strictly necessary
    }
    realm "~(domain)+" {
        authhost = LOCAL # not strictly necessary
        accthost = LOCAL # not strictly necessary
    }

But I don't know if that is the best way to resolve my problem, so I would like to reinforce my decision.

Thanks in advance and sorry for my English.

--
____________________
Ana Gallardo Gómez
____________________

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: regular expressions in proxy.conf

Sorry to ask again the same, but I don't know if it's OK that Freeradius adds the attribute Realm with the regex value.

Thank you very much.

    rad_recv: Access-Request packet from host 127.0.0.1 port 60112, id=208, length=68

--
____________________
Ana Gallardo Gómez
____________________

Re: regular expressions in proxy.conf

Ana Gallardo wrote:
> Sorry to ask again the same, but I don't know if it's OK that Freeradius
> add the attribute Realm with the regex value.

It probably should add the matching string, rather than the regex.

Alan DeKok.
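
The behaviour discussed in this thread, as an added Python model that is not part of the original messages and is not FreeRADIUS code: it reproduces why a Realm-keyed policy falls through to the reject case when only the regex realm is configured. The function names, the `realm_from_match` switch and the sample User-Name values are constructed for illustration, and the lookup order (exact names before "~" entries) is an assumption consistent with the workaround in the first message.

```python
import re

# Constructed model of the realm lookup seen in the debug output above.
# Assumption: exact realm names are tried before "~regex" entries.

def find_realm(realms, name):
    """Return the configured realm entry that handles `name`, or None."""
    if name in realms:
        return name
    for entry in realms:
        # A leading "~" marks the rest of the entry as a regular expression.
        if entry.startswith("~") and re.search(entry[1:], name, re.IGNORECASE):
            return entry
    return None

def suffix(realms, user_name, realm_from_match=False):
    """Split user@realm and return (Stripped-User-Name, Realm)."""
    user, sep, name = user_name.rpartition("@")
    if not sep:
        return user_name, None
    entry = find_realm(realms, name)
    if entry is None:
        return user_name, None
    # Behaviour in the thread: Realm is the entry's name (the pattern itself).
    # realm_from_match=True models the suggestion in the last reply.
    return user, (name if realm_from_match else entry)

def policy(realm):
    """Outcome of the switch "%{Realm}" block from the authorize section."""
    if realm == "temp.domain.es":
        return "sql"
    if realm == "domain.es":
        return "ldap"
    return "reject"  # default case: Auth-Type := Reject

REGEX_ONLY = ["~(domain)+"]
WORKAROUND = ["domain.es", "temp.domain.es", "~(domain)+"]

if __name__ == "__main__":
    for label, realms in (("regex only", REGEX_ONLY), ("workaround", WORKAROUND)):
        for login in ("XXX@domain.es", "XXX@temp.domain.es"):  # constructed
            user, realm = suffix(realms, login)
            print(f"{label:11} {login:20} Realm={realm!r:18} -> {policy(realm)}")
```

With the workaround list, the exact entries supply a literal Realm for the two known domains, while any other realm that only matches the pattern still reaches the default reject case.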