extensions.texi

gnu 的radius服务器很好用的

integer
max_decode_port(integer P, integer portcnt)
@{
    if (P > 9999) @{
        integer s, l, c;

        s = P / 10000;
        l = (P - (10000 * s))/100; 
        c = P - ((10000 * s) + (100 * l)); 
        return (c-1) + (l-1) * portcnt;
    @}
    return P;
@}
@end group

@group
/*
 * Interface function for MAX terminal server with 23 ports.
 * Note that it saves the received NAS-Port-Id attribute in
 * the Orig-NAS-Port-Id attribute. The latter must be
 * defined somewhere in the dictionary
 */
integer
max_fixup()
@{
    %[Orig-NAS-Port-Id] = %[NAS-Port-Id];
                                  # Preserve original data
    %[NAS-Port-Id] = max_decode_port(%[NAS-Port-Id], 23);
    return 0;
@}
@end group
@end smallexample

@subheading 2. Session @sc{id} parsing for Cisco AS 5300 series

Cisco @sc{voip ios} encodes a lot of other information into its
@attr{Acct-Session-Id}. The pieces of information are separated by
@samp{/} characters. The part of @attr{Acct-Session-Id} up to the first
@samp{/} character is the actual session @sc{id}.

On the other hand, its accounting packets lack @attr{NAS-Port-Id},
though they may contain the vendor-specific pair with code 2
(vendor @sc{pec} 9), which is a string in the form @samp{ISDN 9:D:999}
(@samp{9} represents any decimal digit). The number after the last
@samp{:} character can be used as a port number.

The following code parses @attr{Acct-Session-Id} attribute and stores
the information it contains in various other attributes, generates a
normal @attr{Acct-Session-Id}, and attempts to generate a
@attr{NAS-Port-Id} attribute.

@smallexample
@group
/* 
 * The port rewriting function for Cisco AS5300 used for
 * VoIP. This function is used to generate NAS-Port-Id pair
 * on the basis of vendor-specific pair 2. If the latter is
 * in the form "ISDN 9:D:999" (where each 9 represents a
 * decimal digit), then the function returns the number
 * after the last colon. This is used as a port number.
 */
integer
cisco_pid(string A)
@{
    if (A =~ 
        ".*\([0-9][0-9]*\):
         [A-Z0-9][A-Z0-9]*:\([0-9][0-9]*\)") @{
        return (integer)\2;
    @}
    return -1;
@}
@end group

@group
/*
 * This function parses the packed session id.
 * The actual sid is the number before the first slash
 * character.  Other possibly relevant fields are also
 * parsed out and saved in the Voip-* A/V pairs. The latter
 * should be defined somewhere in the dictionary.
 * Note that the regular expression in this example
 * spans several lines for readability. It should be on one 
 * line in real file.
 */
string
cisco_sid(string S)
@{
   if (S =~ "\(.[^/]*\)/[^/]*/[^/]*/\([^/]*\)/\([^/]*\)/
             \([^/]*\)/\([^/]*\)/\([^/]*\)/\([^/]*\)
             /\([^/]*\).*") @{
        %[Voip-Connection-ID] = \2;
        %[Voip-Call-Leg-Type] = \3;
        %[Voip-Connection-Type] = \4;
        %[Voip-Connect-Time] = \5;
        %[Voip-Disconnect-Time] = \6;
        %[Voip-Disconnect-Cause] = \7;
        %[Voip-Remote-IP] = \8;
        return \1;
   @} 
   return S;
@}
@end group

@group
/*
 * Normalize cisco AS5300 packets
 */
integer
cisco_fixup()
@{
    integer pid;

    if ((pid = cisco_pid(%[Cisco-PRI-Circuit])) != -1) @{
        if (*%[NAS-Port-Id])
            %[Orig-NAS-Port-Id] = %[NAS-Port-Id];
        %[NAS-Port-Id] = pid;
    @}
    if (*%[Acct-Session-Id]) @{
        %[Orig-Acct-Session-Id] = %[Acct-Session-Id];
        %[Acct-Session-Id] = cisco_sid(%[Acct-Session-Id]);
    @}
    return 0;
@}
@end group
@end smallexample

@subheading 3. User-name rewriting for @sc{nt} machines

Users coming from Windows @sc{nt} machines often authenticate themselves as
@samp{NT_DOMAIN\@var{username}}. The following function selects the
user-name part and stores it in the @attr{User-Name} attribute:

@smallexample
@group
integer
login_nt(string uname)
@{
    integer i;
        
    if ((i = index(uname, '\\')) != -1)
        return substr(uname, i+1, -1);
    return uname;
@}

integer
nt_rewrite()
@{
    %[Orig-User-Name] = %[User-Name];
    %[User-Name] = login_nt(%[User-Name]);
    return 0;
@}
@end group
@end smallexample

@comment *L2**************************************************************
@node Login Verification Functions
@subsection Login Verification Functions
@cindex Rewrite, login verification functions

A login verification function is invoked to process the output from the
@NAS{}. This process is described in @ref{Multiple Login Checking}.
The function to be invoked for given @NAS{} is defined by
a @code{function} flag in the @file{raddb/nastypes} or @file{raddb/naslist}
file (@pxref{nastypes file}). It must be defined as follows:

@deftypefn {Function Template} integer check (string @var{str}, string @var{name}, integer @var{pid}, string @var{sid})
@end deftypefn

@noindent
Its arguments are:

@table @var
@item str
Input string. If the query method is @code{finger}, this is the string
of output received from the @NAS{} with trailing newline stripped off. If
the query method is @code{snmp}, it is the received variable value
converted to its string representation.
@item name
User name.
@item pid
Port @sc{id} of the session.
@item sid
Session @sc{id}.
@end table

The function should return non-0 if its arguments match the user's
session, and 0 otherwise.

@menu
* Example: Examples of Login Verification Functions
@end menu

@comment **L4*************************************************************
@node Examples of Login Verification Functions
@subsubsection Examples of Login Verification Functions
@exindex Login verification functions

@exindex Checking UNIX @code{finger} output
As an example, let's consider the function for analyzing a 
line of output from a standard @acronym{UNIX} @code{finger}
service. In each line
of @code{finger} output the first field contains the user name; the
third field, the
@c{tty} number (port @sc{id}); and the seventh field, the session @sc{id}.
The function must return 1 if the three fields match the input
user name and port and session @sc{id}s:

@smallexample
integer
check_unix(string str, string name, integer pid, string sid)
@{
    return field(str, 1) == name
           && field(str, 3) == pid
           && field(str, 7) == sid;
@}
@end smallexample

@c @xref{UNIX Finger}.

@exindex Analyzing SNMP output
The next example is a function to analyze a line of output from an SNMP
query returning a user name. This function must return 1 if the entire input
line matches the user name:

@smallexample
integer
check_username(string str, string name, integer pid, string sid)
@{
    return str == name;
@}
@end smallexample

@comment **L3***************************************************************
@node Attribute Creation Functions
@subsection Attribute Creation Functions
@cindex Rewrite, attribute creation functions

These are the functions used to create Radius reply attributes. An
attribute creation function can take any number of arguments. The type
of its return is determined by the type of Radius attribute the
value will be assigned to. To invoke the function, write its name
in the @AVP{} of the @RHS{} in the @file{raddb/users} file, e.g.:

@smallexample
@group
DEFAULT Auth-Type = SQL
        Service-Type = Framed-User,
            Framed-IP-Address = "=get_ip_addr(10.10.10.1)"
@end group
@end smallexample

@noindent
The function @code{get_ip_addr} will be invoked after successful
authentication and it will be passed the IP @code{10.10.10.1} as its
argument. An example of a useful function that can be invoked this
way is

@smallexample
@group
@exindex IP pools for MAX Ascend 
integer
get_ip_address(integer base)
@{
    return base + %[NAS-Port-Id] - %[NAS-Port-Id]/16;
@}
@end group
@end smallexample

@comment **L3***************************************************************
@node Logging Hook Functions
@subsection Logging Hook Functions
@cindex Rewrite, Logging Hook Functions

A logging hook functions should be declared as follows:

@deftypefn {Function Template} string hook (integer @var{reqtype}, string @var{nasid}, integer @var{reqid})
@table @var
@item reqtype
Type of the request. It can be converted to string using
@code{request_code_string} function (@pxref{Built-in Functions}).
@item nasid
@NAS{} identifier from @file{raddb/naslist}, or its host name if not
declared there
@item reqid
Request identifier.
@end table
@end deftypefn

Notice that the hook function @emph{shall not} produce any side effects,
in particular it shall not modify the incoming request in any way.

Following is an example prefix hook function that formats the
incoming request data:

@smallexample
string
compat_log_prefix(integer reqtype, string nas, integer id)
@{
        string result;

        return "(" + request_code_string(reqtype) + " "
                   + nas + " " + (string)id + " " + %[User-Name] + ")";
@}
@end smallexample

Here is a sample log produced by @command{radiusd} before and after
enabling this function:

@smallexample
@cartouche
Auth.notice: Login OK [jsmith]
@dots{}
Auth.notice: (AUTHREQ nas-2 251 jsmith): Login OK [jsmith]
@end cartouche
@end smallexample

@comment *L2****************************************************************
@node Full Syntax Description
@subsection Full Syntax Description
@cindex Rewrite, syntax of the language

@menu
* Data types::
* Symbols::
* Identifiers::
* Declarations::
* Statements::
* Regular Expressions::
* Built-in Functions::
@end menu

@comment **L4***************************************************************
@node Data types
@subsubsection Rewrite Data Types
@cindex Data types, Rewrite
@cindex Rewrite, data types

There are only two data types: @code{integer} and @code{string}, 
the two being coercible to each other in the sense that a string
can be coerced to an integer if it contains a valid @sc{ascii} representation
of a decimal, octal, or hex number, and an integer can always be coerced
to a string, the result of such coercion being the @sc{ascii} string
that is the
decimal representation of the number.

@comment **L4***************************************************************
@node Symbols
@subsubsection Rewrite Symbols
@cindex Symbols, Rewrite
@cindex Rewrite, symbols

A @dfn{symbol} is a lexical token. The following symbols are recognized:

@table @asis
@item Arithmetical operators
These are @samp{+}, @samp{-}, @samp{*}, @samp{/} representing the basic
arithmetical operations, and @samp{%} meaning remainder.
@item Comparison operators
These are: @samp{==}, @samp{!=}, @samp{<}, @samp{<=}, @samp{>},
@samp{>=} with the same meaning they have in C. Special operators
are provided for regular-expression matching. The binary
operator @samp{=~} returns true if its left-hand-side operand
matches the regular expression on its right-hand side
(@pxref{Regular Expressions}). @samp{!~} returns true if its
left-hand-side operand does @emph{not} match
the regexp on its right-hand side. The right-hand-side operand of
@samp{!~} or @samp{=~} must be a literal string, i.e., the regular
expression must be known at compile time.
@item Unary operators
The unary operators are @samp{-} and @samp{+} for unary plus and minus,
@samp{!} for boolean negation, and @samp{*} for testing for the
existence of an attribute.
@item Boolean operators
These are @samp{&&} and @samp{||}.
@item Parentheses @samp{(} and @samp{)}
These are used to change the precedence of operators, to introduce
type casts (type coercions), to declare functions, and to pass actual
arguments to functions.
@item Curly braces (@samp{@{} and @samp{@}})
These are used to delimit blocks of code.
@item Numbers
Numbers follow the usual C convention for integers. A number consisting of
a sequence of digits is taken to be octal if it begins with @samp{0}
(digit zero), and decimal otherwise. If the sequence of digits is
preceded by @samp{0x} or @samp{0X}, it is taken to be a hexadecimal
integer.
@item IP Numbers
IP numbers are represented by a standard numbers-and-dots notation.
IP numbers do not constitute a separate data type, rather they are
in all respects similar to initeger numbers.
@item Characters
These follow the usual C convention for characters, i.e., they consist
either of
an @sc{ascii} character itself or of its value, enclosed in a pair of
singlequotes.
The character value begins with @samp{\} (backslash) and
consists either of three octal or of two hexadecimal digits.
A character does not form a special data type; it is represented
internally by an integer.
@item Quoted strings
These follow slightly modified C conventions for strings. A string is
a sequence of characters surrounded by double quotes, as in
@samp{"..."}. In a string, the double quote character @samp{"} must be
preceeded by a backslash @samp{\}. A @samp{\} and an immediately following
newline are ignored. Following escape sequences have special meaning:

@table @asis
@item \a
Audible bell character (ASCII 7)
@item \b
Backspace (ASCII 8)
@item \e
Escape character (ASCII 27)
@item \f
Form feed (ASCII 12)
@item \n
Newline (ASCII 10)
@item \r
Carriage return (ASCII 13)
@item \t
Horizontal tab (ASCII 9)
@item \\
Backslash
@item \ooo
(@samp{o} represents an octal digit)
A character whose ASCII value is represented by the octal number @samp{ooo}.
@item \xHH
@itemx \XHH
(@samp{H} represents a hex digit)
A character whose ASCII value is represented by the hex number @samp{HH}.
@item \(
Two characters @samp{\(}.
@item \)
Two characters @samp{\)}.
@end table

If the character following the backslash is not one of those
specified, the backslash is ignored.


@item Attribute values
The incoming request is passed implicitly to functions invoked via the
@attr{Rewrite-Function} attribute. It is kept as an associative array,
whose entries can be accessed using the following syntax:

@smallexample
@samp{%[} @var{attribute-name} @samp{]}
@samp{%[} @var{attribute-name} @samp{]} @samp{(} @var{n} @samp{)}
@end smallexample

@noindent
The first form returns the value of the attribute @var{attribute-name}.
Here @var{attribute-name} should be a valid Radius dictionary name
(@pxref{dictionary file}).

The second form returns the value of the @var{n}th attribute of type