It was staring me in the eye. if*(!"%{sql_mac:SELECT COUNT(*) FROM arguswifi.macaddress WHERE mac = '%{Calling-Station-ID}'}" == 1)*{ reject } On Thu, 5 Nov 2015 at 16:54 Bertalan Voros <bertalan.voros@gmail.com> wrote:
Hello All,
I have just migrated our existing v2.5 server's config to a new one using the most recent stable version.
The migration was done by editing each configuration file one by one, none of the files were directly copied.
All is well, everything appears to be working as expected apart from one slight problem.
There is a mac address check in the Authorize section that doesn't seem to take effect any more. Nobody gets rejected.
Code and debug log below. I know it might be staring me in the eye but has been unable to find what could be causing it.
Code: if (Called-Station-ID =~ /:SSID-Here$/) { rewrite_calling_station_id if(!"%{sql_mac:SELECT COUNT(*) FROM wifi.macaddress WHERE mac = '%{Calling-Station-ID}' = 1}"){ reject } }
Debug log: (991) Received Access-Request Id 39 from 10.x.x.x:40001 to 10.11.0.83:1812 length 170 (991) User-Name = "Nexus7xx" (991) NAS-IP-Address = (991) NAS-Port = 0 (991) Called-Station-Id = "02-18-4A-14-82-B0:SSID-Here" (991) Calling-Station-Id = "BC-EE-7B-A3-6D-D9" (991) Framed-MTU = 1400 (991) NAS-Port-Type = Wireless-802.11 (991) Connect-Info = "CONNECT 0Mbps 802.11b" (991) EAP-Message = 0x02b800061900 (991) State = 0xc63b617ec58378d04d8f1ca50d306f26 (991) Message-Authenticator = 0x16faf8f9d4f9b38c39415aee (991) session-state: No cached attributes (991) # Executing section authorize from file /etc/freeradius/sites-enabled/default (991) authorize { (991) policy filter_username { (991) if (!&User-Name) { (991) if (!&User-Name) -> FALSE (991) if (&User-Name =~ / /) { (991) if (&User-Name =~ / /) -> FALSE (991) if (&User-Name =~ /@.*@/ ) { (991) if (&User-Name =~ /@.*@/ ) -> FALSE (991) if (&User-Name =~ /\.\./ ) { (991) if (&User-Name =~ /\.\./ ) -> FALSE (991) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (991) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (991) if (&User-Name =~ /\.$/) { (991) if (&User-Name =~ /\.$/) -> FALSE (991) if (&User-Name =~ /@\./) { (991) if (&User-Name =~ /@\./) -> FALSE (991) } # policy filter_username = notfound (991) [preprocess] = ok (991) if (Called-Station-ID =~ /:SSID-Here$/) { (991) if (Called-Station-ID =~ /:SSID-Here$/) -> TRUE (991) if (Called-Station-ID =~ /:SSID-Here$/) { (991) policy rewrite_calling_station_id { (991) if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){ (991) if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE (991) if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) { (991) update request { (991) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (991) --> bc-ee-7b-a3-6d-d9 (991) Calling-Station-Id := bc-ee-7b-a3-6d-d9 (991) } # update request = noop (991) } # if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) = noop (991) ... skipping else for request 991: Preceding "if" was taken (991) } # policy rewrite_calling_station_id = noop (991) if (!"%{sql_mac:SELECT COUNT(*) FROM wifi.macaddress WHERE mac = '%{Calling-Station-ID}' = 1}"){ rlm_sql (sql_mac): Reserved connection (13) (991) Executing select query: SELECT COUNT(*) FROM wifi.macaddress WHERE mac = 'bc-ee-7b-a3-6d-d9' = 1 rlm_sql (sql_mac): Released connection (13) (991) EXPAND %{sql_mac:SELECT COUNT(*) FROM wifi.macaddress WHERE mac = '%{Calling-Station-ID}' = 1} (991) --> 0 (991) if (!"%{sql_mac:SELECT COUNT(*) FROM wifi.macaddress WHERE mac = '%{Calling-Station-ID}' = 1}") -> FALSE (991) } # if (Called-Station-ID =~ /:SSID-Here$/) = noop (991) [mschap] = noop (991) if (!EAP-Message) { (991) if (!EAP-Message) -> FALSE (991) eap: Peer sent EAP Response (code 2) ID 184 length 6 (991) eap: Continuing tunnel setup (991) [eap] = ok (991) } # authorize = ok