Dell PowerConnect W Clearpass 100 Software 3.9 Deployment Guide - Page 117
Example: Removing a User-Name Suffix

Some NAS equipment always appends a realm in the form '@domain.com' to a RADIUS User-Name attribute in the Access-Request message sent to the RADIUS server. It is possible to configure the RADIUS server to strip off this additional text, using the attr_rewrite module.

Use the following Server Configuration entries to perform this modification:

    module.attr_rewrite.consentry.attribute = User-Name
    module.attr_rewrite.consentry.searchin = packet
    module.attr_rewrite.consentry.searchfor = "@consentry.com$"
    module.attr_rewrite.consentry.replacewith = ""
    authorize.after_preprocess.0.name = consentry

Here, an instance of the attr_rewrite module is created, named "consentry". Any trailing text that matches the pattern "@consentry.com" in the User-Name attribute will be removed before the RADIUS server attempts authentication.

Removing a Variable-Length Suffix

The Consentry NAS limits username fields to 32 characters. Many email addresses are longer than this, especially when an additional @realm is appended, so the suffix string might be truncated at an arbitrary point. The following server configuration option can be used in this situation:

    module.attr_rewrite.consentry.searchfor = "@consentry\\.com$|@consentry\\.co$|@consentry\\.c$|@consentry\\.$|@consentry$|@consentr$|@consent$|@consen$|@conse$|@cons$|@con$|@co$|@c$|@$"

Example: Correcting the NAS-IP-Address Attribute

Some NAS equipment (notably Chillispot) will send a NAS-IP-Address of 0.0.0.0 in accounting records, which renders the active sessions list view useless as well as any attempt to perform RFC 3576 management such as a session disconnect.

This can be fixed by using the Client-IP-Address internal attribute and rewriting the accounting packet so that the actual IP address the packet is received from is recorded:

    # Fix incoming NAS-IP-Address of 0.0.0.0
    module.attr_rewrite.fix_nas_ip.attribute = NAS-IP-Address
    module.attr_rewrite.fix_nas_ip.searchin = packet
    module.attr_rewrite.fix_nas_ip.searchfor = "^0.0.0.0$"
    module.attr_rewrite.fix_nas_ip.replacewith = "%{Client-IP-Address}"
    preacct.after_preprocess.0.name = "fix_nas_ip"

Example: Adding a Reply-Message to an Access-Reject Packet

The postauth.reject.append configuration item can be used to define attribute rewriting specific to the Access-Reject packet:

    # adding Reply-Message to an Access-Reject
    module.attr_rewrite.reject_message.attribute = Reply-Message
    module.attr_rewrite.reject_message.searchin = reply
    module.attr_rewrite.reject_message.new_attribute = yes
    module.attr_rewrite.reject_message.replacewith = "Authorization failed"
    postauth.reject.append.0.name = reject_message

User Roles

Each user in the RADIUS database is assigned a role. A user role is a group of RADIUS attributes and rules that define when those attributes should be applied.

ClearPass Guest 3.9 | Deployment Guide RADIUS Services | 117
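The truncation case from "Removing a Variable-Length Suffix", as an added example that is not part of the Dell guide: this Python sketch builds the same alternation from the realm string, models the 32-character limit of the NAS, and applies the rewrite to constructed user names. The function names and sample addresses are assumptions made for illustration; the last sample shows a user's own domain that is cut to "@con" and then stripped as if it were the start of the realm.

```python
import re

SUFFIX = "@consentry.com"   # realm the NAS appends (from the guide)
NAS_LIMIT = 32              # username field length of the NAS (from the guide)

def truncated_suffix_regex(suffix):
    """Alternation matching every leading part of suffix at end of string,
    longest first, so a suffix cut at any point is still recognised."""
    parts = [suffix[:n] for n in range(len(suffix), 0, -1)]
    return "|".join(re.escape(p) + "$" for p in parts)

def config_form(regex):
    """The guide's configuration entry writes each backslash doubled."""
    return regex.replace("\\", "\\\\")

def as_nas_sends(user, suffix=SUFFIX, limit=NAS_LIMIT):
    """Model of the NAS: append the realm, then cut to the field length."""
    return (user + suffix)[:limit]

def rewrite(user_name, regex):
    """Model of the rewrite with replacewith = "" (not the server's code)."""
    return re.sub(regex, "", user_name, count=1)

PATTERN = truncated_suffix_regex(SUFFIX)

# Constructed sample addresses, not taken from the guide.
SAMPLES = [
    "alice@example.org",                             # realm fits untruncated
    "firstname.lastname@example.org",                # realm cut to "@c"
    "a.very.long.local.part.names@contoso.example",  # own domain cut to "@con"
]

if __name__ == "__main__":
    print('searchfor = "%s"' % config_form(PATTERN))
    for user in SAMPLES:
        sent = as_nas_sends(user)
        print("%-46s -> %-34s -> %s" % (user, sent, rewrite(sent, PATTERN)))
```

Where stripped names must map to unique accounts, running the site's real user names through the same check before enabling the pattern shows which ones end up ambiguous.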