Unlang

Full Name

FreeRADIUSProcessing un-language

Brief Introduction

FreeRADIUSsupports a simple processing language in its configuration files. We call it an"un-language" because the intention is NOT to create yet anotherprogramming language.

Purpose

allow simple policies to be written with minimaleffort. Those policies are then applied when a request is being processedthrough radius server. It included in the sections titled"authorize", "authenticate", "post-auth", "preacct","accounting", "pre-proxy", "post-proxy", and"session".

Keywords

module-name

ØA reference to the named module. When processing reaches thispoint, the pre-compiled module is called. The module may succeed or fail, andwill return a status to "unlang“. This status can be tested in a condition.

ØExample: chap # call the CHAP module

if (condition) {
  ...
}

else {
  ...
}

elsif(condition) {
  ...
}

Keywords

update <list> {
  attribute = value
...
}

ØThe only contents permitted in an"update" section are attributes and values.

ØThe <list> can be one of"request", "reply", "proxy-request","proxy-reply", or "control".

ØThe "control" list is thelist of attributes maintained internally by the server that controls how theserver processes the request. Any attribute that does not go in a packet on thenetwork will generally be placed in the "control" list.

  eg:elsif(("%{User-Name}" =~ /.*?@globe@aicent$/i) ){

  updatecontrol {

                  Proxy-To-Realm:= Trial

         }

        }

Other keywords

Condition:

(foo):

Ønon-emptystring / non-zero number

Ønot a quotedstring: a named attribute

Ønot anattribute: a module return code

(!foo)

(foo || bar)

(foo && bar)

(foo == bar)

ØCompares 'foo'to 'bar', and evaluates to true if the comparison holds true. Valid comparisonoperators are "==", "!=", "<","<=", ">", ">=", "=~", and"!~", all with their usual meanings. Invalid comparison operators are":=" and "=".

Data Type:

/regex/i

ØThese strings are valid only on theright-hand side of a comparison, and then only when the comparison operator is"=~" or "!~".

Ø'i' :the regularexpression match should be done in a case-insensitive fashion.

Variable:

%{Variable-Name}:

  e.g.:if(("%{Client-IP-Address}"==64.124.233.254)) {

Run-time variables, no way to declarevariables, all references to variables MUST be contained inside of adouble-quoted or back-quoted string.

Variables are defined in thedictionaries, only the name and type.

When the server receives a packet, itinstantiates variables with a name taken from the dictionaries, and a valuetaken from the packet contents.

If a variable does not exist, it isusually because it was not mentioned in a packet that the server received.

Variable:

%{<list>:Attribute-Name}:

  e.g.:if (proxy-request: Acct-Session-Time){

The "<list>:" prefix isoptional, and if omitted, is assumed to refer to the "request" list.

The given list is examined for anattribute of the given name. If found, the variable reference in the string isreplaced with the value of that attribute.

Results of regular expression matches

#True outbound to others

elsif("%{User-Name}" =~ /^(.*?)@true@aicent$/i){

               update proxy-request {

                      User-Name :="%{1}"

                }

}

#BT outbound to CT

elsif("%{User-Name}"=~ /^(.*?)@quico@aicent$/i) {

               update proxy-request {

                       User-Name :="quico\/%{1}"

               }

}

#SKT outbound to others

elsif("%{User-Name}" =~ /^aicent\/skt\/(.*?)$/i) {

               update proxy-request {

                      User-Name :="%{1}@AuthServer@aicent"

                }

}

Results of regular expression matches

if (("%{AICENT-Home-Operator}" =="Sunday3G_HK") && ("%{AICENT-Visit-Operator}" =="Tomizone_NZ")) {

       if("%{WISPr-Location-ID}"=~ /isocc=(.*)(,cc=.*)$/i){

                if("%{1}" =~ /au/i){

                }

               else {

                       update proxy-request{

                                WISPr-Location-ID:="isocc=NZ%{2}"

                       }

                }

        }

}

If a regular expression match haspreviously been performed, then the special variable %{0} will contain a copyof the input string.

The variables %{1} through %{8} willcontain the substring matches, starting from the left-most parentheses.

If there are more than 8 parentheses,the additional results will not be placed into any variables.

Attribute :

The following syntax defines attributesin an "update" section. Each attribute and value has to be all on oneline in the configuration file. There is no need for commas or semi-colonsafter the value.

  Attribute-Name =value

Attribute names

ØThe Attribute-Namemust be a name previously defined in a dictionary. If an undefined name isused, the server will return an error, and will not start.

Operators

Ø= Add the attributeto the list, if and only if an attribute of the same name isnot already present in that list.

Ø := Add the attributeto the list. If any attribute of the same name is already present in that list,its value isreplaced with the value of the current attribute.

Ø+= Add the attributeto the tail of the list, even if attributes of the same name arealready present in the list.

Values

ØThe format of thevalue is attribute-specific, and is usually a string, integer, IP address, etc.It’s maximum length of 253 characters.

Proxy上users_unlang.wifi:

if( ("%{User-Name}" =~ /^.*?@wig@aicent$/i)||("%{User-Name}"=~ /^aicent\/wig\/(.*?)$/i) ){

        update request {

           AICENT-Home-Operator := WirelessGate_JP

        }

}

。。。。。。

elsif(("%{Client-IP-Address}"==64.124.233.254)){

   if(("%{WISPr-Location-Name}"=="Tomizone:NZ")) {

      update request {

         AICENT-Visit-Operator :=  Tomizone_NZ

       }

   }

}

注意：不同属性的判断语句的关键字

Application

Proxy上preproxy_unlang.wifi:

elsif("%{User-Name}"=~ /^(.*?)@swbell.net@aicent$/i) {

                update proxy-request {

                        User-Name :="%{1}@swbell.net"

               }

}

可修改为：

elsif("%{User-Name}"=~ /^(.*?@swbell.net)@aicent$/i) {

                update proxy-request {

                        User-Name:="%{1}"

               }

}

#SKT outbound toothers

if (!proxy-request:Calling-Station-Id) {

  update proxy-request {  Calling-Station-Id:="%{User-Password}"

  }

    }

}

#form SKT

if (!proxy-request:Event-Timestamp){

  update proxy-request {

      Event-Timestamp:= "%T"

  }

}

"%T"：request timestamp indatabase format

"%l"：request timestamp

Agent上users_unlang:

if("%{Client-IP-Address}" == "10.10.8.12810.10.8.128")) {

  update control {

          Proxy-To-Realm:= AicentProxy

          }

}

elsif("%{Client-IP-Address}" == "10.10.55.10110.10.55.101")) {

  update control {

          Proxy-To-Realm:= AicentProxy

          }

}

。。。  。。。

修改为：

if(("%{Client-IP-Address}" != "10.10.8.12810.10.8.128") &&("%{Client-IP-Address}" != "10.10.55.10110.10.55.101") ) {

  update control {

          Proxy-To-Realm:= AicentProxy

          }

}

9.26(Agent for CMCC)上的users_unlang：

if(("%{Client-IP-Address}"== '10.10.8.12810.10.8.128') || ("%{Client-IP-Address}" == '10.10.55.10110.10.55.101')){

        update control{

                Proxy-To-Realm := cmcc_out

        }

}

改为：

if("%{AICENT-Next-Hop-Name}"== "CMCC_CN") {

  update control {

          Proxy-To-Realm:= cmcc_out

    }  

}

在preproxy.unlang上：

elsif("%{AICENT-Home-Operator}" == "CMCC_CN"){

                update proxy-request {

                       AICENT-Next-Hop-Name -="%{AICENT-Next-Hop-Name}"

                }

}

  update proxy-request {

  Real-Visited-Client-IP-Address :="%{Client-IP-Address}"

  }

Aicent server上的users_unlang：

if("%{User-Name}" !~ /^.*?@test[123]\.softbank\.co\.jp.*$|^.*?@m3.*$|^.*?@.\.aicent\.com.*?$|^.*?@

AuthServer.*?$|^.*?123456.*?$/i) {

        aicent_local_server

}

else {

}

Call

Send SMS

Add to Skype

You'll need Skype CreditFree via Skype