2015-03-26 14:36 GMT+01:00 James Wood <james.wood@purplewifi.com>:
Adam,
I would love to, but it is not under our control. As a hotspot provider, that supplies tens of thousands of customers around the world, all using different IP addresses (that change), we simply cannot use the normal way of auth via the source IP. We do not own the customers (NAS) equipment, or have control over it, so we can't make them VPN all traffic to us or other way. This is why we're having to auth on Called-Station-Id instead of IP Address.
Does that mean that you neither supply nor enforce a list of accepted devices but that customers can use any wifi AP they want? What if one of these devices doesn't send a Called-Station-Id at all or uses the MAC of the supplicant (which should be Calling-Station-Id) for the Called-Station-Id? Do you then disallow the usage of that NAS or do you try to modify your Radius to also accept these NAS data too? My NAS all have static IPs, all supplicants have dynamic IPs, however (yet) my Radius doesn't check for IPs but only for Called-Station-Id, Called-Station-Ssid and Calling-Station-Id so it would work in a complete dynamic ip setup too.
If you can think of a better way, please advise.
1) Don't use unlang (if () {} ...) in the server configurations. Instead simply call a policy (eg. policy.sanitize_called-station-id) and do all the if then else stuff in that policy itself. It keeps your server config clean and you can easily disable a policy without having to comment out or delete plenty of lines. 2) Sanitize all informations you get as soon as possible so that you don't have to tweak over and over again for subsequent checks you may be doing in the future.
My original question remains, how can the module rewrite.called_station_id be used with a dynamic client setup? At the moment it does not work, so is that a bug, problem with my code, or something else?
# sites-enabled/something server something { ... authorize { policy.sanitize_called-station-id ... } ... } # policy.conf mac-addr-regexp = '([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})' policy.sanitize_called-station-id { if (&Called-Station-Id && (&Called-Station-Id =~ /^${policy.mac-addr-regexp}([^0-9a-f](.+))?$/i)) { update request { &Called-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" } updated } else { noop } } That's it. As I wrote in my previous email that regex is the standard in the freeradius source 3.0.7 and as well in the old 2.1.12 debian package and it matches variants of the following: 00-11-22-33-44-55 00-11-22-33-44-55:SSID Also the delimiter can be anything except 0-9 or a-f so even 00Z11=22$33(44)55 (and for sure 001122334455) would be sanitized to 00-11-22-33-44-55. In my setup I also use Called-Station-Ssid but you don't use it in your setup I just removed the lines. Regardless of if a customers NAS sends the SSID suffixed to the mac address or not, the Called-Station-Id will always gets rewritten to 00-11-22-33-44-55 and the maybe attched SSID gets dropped. If you want to know why your current setup is not working, send your policy.conf to me (not the list). Maybe someone "improved" your regex and that's why it's not matching and thus not rewriting :) Best regards, Ben