On Jun 3, 2022, at 10:43 AM, David le Roux <david.leroux@miller.co.uk> wrote:
The "invalid user" message is correct. The MAC address in the User-Name isn't found in the "authorized_macs" list. Note that it does it's lookup by exact string match. So check that the MAC address is listed, and has exactly the same format.
I've checked an the mac is certainly there in lower case.
OK, that's good.
However I notice this in the debug:
(2) update request { (2) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (2) --> 08-00-0F-82-64-F0
I can't find anywhere in the config a command to make it upper case (though several "to lower"). Do I need to make my entire list upper case or am I missing a config option?
"tolower" works instead of "toupper". Just edit the rewrite_calling_station_id policy (policy.d/canonicalize) to use "tolower" instead of "toupper" Whatever you choose, you MUST choose a consistent setup. The lookups in the "authorized_macs" list are doing an exact string match. So you need to ensure that all of the entries are all either lowercase, or all uppercase. And then use the rewrite_calling_station_id policy to mash the attribute in the packet to the matching case. Oh, and that policy is there because NAS vendors send MAC addresses in a variety of formats. 00:01:02:04:04:04, or using dashes, or just hex all mashed together. The policy re-writes that to a sane format (00-01-03-04...). Again, you have to ensure that the authorized_macs file contains this exact format. That way when you either buy a new NAS (which uses a different format), or the NAS firmware updates (and changes to a different format), you won't run into this issue again. The policy will just automagically fix things, and it will be fine. Alan DeKok.