convert mac adresses to lower case

Alexander Clouter alex at digriz.org.uk
Mon Sep 20 15:51:49 CEST 2010


PENZ Robert <ROBERT.PENZ at tirol.gv.at> wrote:
> 
> and I've different switch types. Some send the MAC address lower case 
> the others upper case. For switches which send it lower it case it 
> works (as the macs are stored lower case in the db). How can I convert 
> them all in the clear text password attribute to lower case? The 
> attr_rewrite module looks good, but the only way I see is to have 6 
> rewrite rules each replacing one letter, but that seems inefficient. 
> The matching in the SQL Database works case insensitive and returns a 
> row but the pap check logs following:
>
Do the mac-auth via unlang and not PAP.
----
policy {
  ...

  mac_auth {
    if (Realm == NULL && !(EAP-Message) && NAS-Port-Type == Ethernet \
		&& Service-Type == Call-Check \
		&& User-Name == "%{User-Password}" \
		&& User-Name =~ /^[0-9a-f]{12}$/i \
		&& Calling-Station-Id =~ /^([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})$/i \
		&& User-Name =~ /^%{1}%{2}%{3}%{4}%{5}%{6}$/i) {
      ok
    }
    else {
      noop
    }
  }

  ...
}

authorize {
  ...

  mac_auth
  if (ok) {
    update control {
      Auth-Type := Accept
    }

    # 'handled' does not work here
    ok = return
  }

  ...
}
----

You might need to tweak the policy{} rule to meet your local needs; the 
above is what I use for our Cisco switches.  You could tweak the above 
so that 'mac_auth' sets 'Cleartext-Password = "%{User-Password}"' but 
I personally cannot see the reason to bother when you can just skip 
authenticate{} completely.

If you really do need to lowercase something, the only way to do it 
really is to use 'exec' and call 'tr A-F a-f', nasty but it works.

Cheers

-- 
Alexander Clouter
.sigmonster says: Don't guess -- check your security regulations.




More information about the Freeradius-Users mailing list