Hi Alan
The name has to be unique.
Thanks, that is good to know.
ATTRIBUTE My-Local-Calling-Station-Id-Colon 3000 string That's good. Good for the approvement.
That should work. That is what I thought too...
You need to read the debug output. i.e. did it run the "rewrite_calling_station_id" policy? If so, which "if" condition did it run? Why? Which one happened? Read the debug output. To be honest, I DID read the debug output, but maybe I am too dumb or it just does not work as I except it to work; please see below statements and debug output:
1. configuration of rewrite_calling_station_id policy: # # Add "rewrite_calling_station_id" in the "authorize" and # "preacct" sections. # # Makes Calling-Station-ID conform to what RFC3580 says should # be provided by 802.1X authenticators. # rewrite_calling_station_id { if (&Calling-Station-Id && (&Calling-Station-Id =~ /^${policy.mac-addr-regexp}$/i)) { update request { &Calling-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" # Format Calling-Station-Id from format xx-xx-xx-xx-xx-xx to xx:xx:xx:xx:xx:xx and assign this to local attribute locCalling-Station-Id-Colon &My-Local-Calling-Station-Id-Colon := "Test" } updated } else { noop } } 2. it does run the rewrite_calling_station_id policy: (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) policy rewrite_calling_station_id { 3. It does enter / hit the following if statement: (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE 4. it does update the request for variable Calling-Station-Id, BUT not for local / custom variable My-Local-Calling-Station-Id-Colon (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (0) update request { (0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (0) --> AC-DF-A1-B1-F1-5A (0) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (0) } # update request = noop (0) [updated] = updated *** Full debug output: (0) Received Access-Request Id 143 from 130.92.42.15:60533 to 130.92.10.33:1812 length 416 (0) User-Name = "acdfa1b1f15a" (0) User-Password = "acdfa1b1f15a" (0) Service-Type = Call-Check (0) Cisco-AVPair = "service-type=Call Check" (0) Framed-MTU = 1485 (0) Message-Authenticator = 0x7e0b273f4af8061b269ca699c0d04121 (0) Cisco-AVPair = "audit-session-id=0F2A5C820000089D2A064B45" (0) Cisco-AVPair = "method=mab" (0) Cisco-AVPair = "client-iif-id=201327528" (0) Cisco-AVPair = "vlan-id=1876" (0) NAS-IP-Address = 130.92.42.15 (0) NAS-Port-Type = Wireless-802.11 (0) NAS-Port = 4211 (0) Cisco-AVPair = "cisco-wlan-ssid=xyz-DEV" (0) Cisco-AVPair = "wlan-profile-name=xyz-DEV" (0) Called-Station-Id = "60-b9-c0-04-c4-40:xyz-DEV" (0) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (0) Airespace-Wlan-Id = 97 (0) NAS-Identifier = "60-b9-c0-04-c4-40:xyz-DEV" (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) policy rewrite_called_station_id { (0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (0) update request { (0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (0) --> 60-B9-C0-04-C4-40 (0) &Called-Station-Id := 60-B9-C0-04-C4-40 (0) } # update request = noop (0) if ("%{8}") { (0) EXPAND %{8} (0) --> xyz-DEV (0) if ("%{8}") -> TRUE (0) if ("%{8}") { (0) update request { (0) EXPAND %{8} (0) --> xyz-DEV (0) &Called-Station-SSID := xyz-DEV (0) EXPAND %{Called-Station-Id}:%{8} (0) --> 60-B9-C0-04-C4-40:xyz-DEV (0) &Called-Station-Id := 60-B9-C0-04-C4-40:xyz-DEV (0) } # update request = noop (0) } # if ("%{8}") = noop (0) [updated] = updated (0) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (0) ... skipping else: Preceding "if" was taken (0) } # policy rewrite_called_station_id = updated (0) policy rewrite_calling_station_id { (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (0) update request { (0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (0) --> AC-DF-A1-B1-F1-5A (0) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (0) } # update request = noop (0) [updated] = updated (0) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (0) ... skipping else: Preceding "if" was taken (0) } # policy rewrite_calling_station_id = updated (0) if (NAS-Identifier == "uvisrz0215.insel.ch") { (0) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (0) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (0) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (0) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (0) if (Service-Type == Call-Check) { (0) if (Service-Type == Call-Check) -> TRUE (0) if (Service-Type == Call-Check) { rlm_rest (rest): Reserved connection (0) (0) rest: Expanding URI components (0) rest: EXPAND https://ib-test.unibe.ch/ (0) rest: --> https://ib-test.unibe.ch/ (0) rest: EXPAND /wapi/v2.11.3/record:host?network=0.0.0.0/0&mac=%{My-Local-Calling-Station-Id-Colon} (0) rest: --> /wapi/v2.11.3/record:host?network=0.0.0.0/0&mac= (0) rest: Sending HTTP GET to "https://ib-test.unibe.ch/wapi/v2.11.3/record:host?network=0.0.0.0/0&mac=" (0) rest: EXPAND id_svcinfobloxro_test (0) rest: --> id_svcinfobloxro_test (0) rest: EXPAND h_rB*5i.Tkc$aCb (0) rest: --> h_rB*5i.Tkc$aCb (0) rest: Processing response header (0) rest: Status : 200 (OK) (0) rest: Type : json (application/json) (0) rest: Adding reply:REST-HTTP-Status-Code = "200" (0) rest: ERROR: Can't process VP container, expected JSON objectgot "array", skipping... (0) rest: ERROR: Server returned: (0) rest: ERROR: [] rlm_rest (rest): Released connection (0) Need more connections to reach 10 spares rlm_rest (rest): Opening additional connection (5), 1 of 27 pending slots used rlm_rest (rest): Connecting to "https://ib-test.unibe.ch/" (0) [rest] = fail (0) } # if (Service-Type == Call-Check) = fail (0) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = fail (0) } # authorize = fail (0) Invalid user (rest: Can't process VP container, expected JSON objectgot "array", skipping...): [acdfa1b1f15a] (from client cisco-wlc-9800-dev-mgmt.wifi.unibe.ch port 4211 cli AC-DF-A1-B1-F1-5A) (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> acdfa1b1f15a (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Login incorrect (rest: Can't process VP container, expected JSON objectgot "array", skipping...): [acdfa1b1f15a] (from client cisco-wlc-9800-dev-mgmt.wifi.unibe.ch port 4211 cli AC-DF-A1-B1-F1-5A) (0) Delaying response for 1.000000 seconds Waking up in 0.9 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 143 from 130.92.10.33:1812 to 130.92.42.15:60533 length 38 Waking up in 3.9 seconds. (1) Received Access-Request Id 151 from 130.92.42.15:60533 to 130.92.10.33:1812 length 417 (1) User-Name = "acdfa1b1f15a" (1) User-Password = "acdfa1b1f15a" (1) Service-Type = Call-Check (1) Cisco-AVPair = "service-type=Call Check" (1) Framed-MTU = 1485 (1) Message-Authenticator = 0x906b814968c653eba3233d254f02585a (1) Cisco-AVPair = "audit-session-id=0F2A5C820000089E2A065195" (1) Cisco-AVPair = "method=mab" (1) Cisco-AVPair = "client-iif-id=1845494859" (1) Cisco-AVPair = "vlan-id=1876" (1) NAS-IP-Address = 130.92.42.15 (1) NAS-Port-Type = Wireless-802.11 (1) NAS-Port = 4211 (1) Cisco-AVPair = "cisco-wlan-ssid=xyz-DEV" (1) Cisco-AVPair = "wlan-profile-name=xyz-DEV" (1) Called-Station-Id = "60-b9-c0-04-c4-40:xyz-DEV" (1) Calling-Station-Id = "ac-df-a1-b1-f1-5a" (1) Airespace-Wlan-Id = 97 (1) NAS-Identifier = "60-b9-c0-04-c4-40:xyz-DEV" (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) policy rewrite_called_station_id { (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (1) update request { (1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (1) --> 60-B9-C0-04-C4-40 (1) &Called-Station-Id := 60-B9-C0-04-C4-40 (1) } # update request = noop (1) if ("%{8}") { (1) EXPAND %{8} (1) --> xyz-DEV (1) if ("%{8}") -> TRUE (1) if ("%{8}") { (1) update request { (1) EXPAND %{8} (1) --> xyz-DEV (1) &Called-Station-SSID := xyz-DEV (1) EXPAND %{Called-Station-Id}:%{8} (1) --> 60-B9-C0-04-C4-40:xyz-DEV (1) &Called-Station-Id := 60-B9-C0-04-C4-40:xyz-DEV (1) } # update request = noop (1) } # if ("%{8}") = noop (1) [updated] = updated (1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (1) ... skipping else: Preceding "if" was taken (1) } # policy rewrite_called_station_id = updated (1) policy rewrite_calling_station_id { (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (1) update request { (1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (1) --> AC-DF-A1-B1-F1-5A (1) &Calling-Station-Id := AC-DF-A1-B1-F1-5A (1) } # update request = noop (1) [updated] = updated (1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (1) ... skipping else: Preceding "if" was taken (1) } # policy rewrite_calling_station_id = updated (1) if (NAS-Identifier == "uvisrz0215.insel.ch") { (1) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE (1) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (1) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE (1) if (NAS-Port-Type =~ /Wireless-802\.11/i) { (1) if (Service-Type == Call-Check) { (1) if (Service-Type == Call-Check) -> TRUE (1) if (Service-Type == Call-Check) { rlm_rest (rest): Reserved connection (1) (1) rest: Expanding URI components (1) rest: EXPAND https://ib-test.unibe.ch/ (1) rest: --> https://ib-test.unibe.ch/ (1) rest: EXPAND /wapi/v2.11.3/record:host?network=0.0.0.0/0&mac=%{My-Local-Calling-Station-Id-Colon} (1) rest: --> /wapi/v2.11.3/record:host?network=0.0.0.0/0&mac= (1) rest: Sending HTTP GET to "https://ib-test.unibe.ch/wapi/v2.11.3/record:host?network=0.0.0.0/0&mac=" (1) rest: EXPAND id_svcinfobloxro_test (1) rest: --> id_svcinfobloxro_test (1) rest: EXPAND h_rB*5i.Tkc$aCb (1) rest: --> h_rB*5i.Tkc$aCb (1) rest: Processing response header (1) rest: Status : 200 (OK) (1) rest: Type : json (application/json) (1) rest: Adding reply:REST-HTTP-Status-Code = "200" (1) rest: ERROR: Can't process VP container, expected JSON objectgot "array", skipping... (1) rest: ERROR: Server returned: (1) rest: ERROR: [] rlm_rest (rest): Released connection (1) Need more connections to reach 10 spares rlm_rest (rest): Opening additional connection (6), 1 of 26 pending slots used rlm_rest (rest): Connecting to "https://ib-test.unibe.ch/" (1) [rest] = fail (1) } # if (Service-Type == Call-Check) = fail (1) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = fail (1) } # authorize = fail (1) Invalid user (rest: Can't process VP container, expected JSON objectgot "array", skipping...): [acdfa1b1f15a] (from client cisco-wlc-9800-dev-mgmt.wifi.unibe.ch port 4211 cli AC-DF-A1-B1-F1-5A) (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject: EXPAND %{User-Name} (1) attr_filter.access_reject: --> acdfa1b1f15a (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) [eap] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Login incorrect (rest: Can't process VP container, expected JSON objectgot "array", skipping...): [acdfa1b1f15a] (from client cisco-wlc-9800-dev-mgmt.wifi.unibe.ch port 4211 cli AC-DF-A1-B1-F1-5A) (1) Delaying response for 1.000000 seconds Waking up in 0.9 seconds. (1) Sending delayed response (1) Sent Access-Reject Id 151 from 130.92.10.33:1812 to 130.92.42.15:60533 length 38 Waking up in 2.3 seconds. (0) Cleaning up request packet ID 143 with timestamp +8 due to cleanup_delay was reached Waking up in 1.6 seconds. (1) Cleaning up request packet ID 151 with timestamp +10 due to cleanup_delay was reached Ready to process requests I hope, you now can understand, why I am a little perplexed by the debug output; I just can't read something that is not present in the output and I don't know why, this part is not "hit"? Regards Dominic Am 25.09.24, 17:15 schrieb "Freeradius-Users im Auftrag von Alan DeKok" <freeradius-users-bounces+dominic.stalder=unibe.ch@lists.freeradius.org <mailto:unibe.ch@lists.freeradius.org> im Auftrag von aland@deployingradius.com <mailto:aland@deployingradius.com>>: On Sep 25, 2024, at 7:40 AM, <dominic.stalder@unibe.ch <mailto:dominic.stalder@unibe.ch>> <dominic.stalder@unibe.ch <mailto:dominic.stalder@unibe.ch>> wrote:
Still struggling with assigning a value to the local / custom attribute:
1. added it to /etc/freeradius/dictionary like this:
--> does it need to have a naming like My-Local-xxx or are we completely free there?
The name has to be unique.
ATTRIBUTE My-Local-Calling-Station-Id-Colon 3000 string
That's good.
2. tried to add a value to the local / custom attribute in /etc/freeradius/policy.d/canonicalization:
rewrite_calling_station_id { if (&Calling-Station-Id && (&Calling-Station-Id =~ /^${policy.mac-addr-regexp}$/i)) { update request { &Calling-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
&My-Local-Calling-Station-Id-Colon := "Test" }
That should work.
3. Not able to get the value into /etc/freeradius/mods-available/rest --> the local / custom attribute has an empty value
No. You need to read the debug output. i.e. did it run the "rewrite_calling_station_id" policy? If so, which "if" condition did it run? Why? The point of the debug output is to read it. You can't just send the server a packet, look at the "rest" module, and then ignore the rest of it. So read it. ALL of it. Think about what it's doing.
I do not see any attribute with Name "My-Local-Calling-Station-Id-Colon" in the freeradius debug output as well.
You (a) saw it run the rewrite_calling_station_id policy, or (b) saw it NOT run the rewrite_calling_station_id policy. Which one happened? Read the debug output. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>