Modifying accounting request with vendor-specific attribute
Hello, I’m attempting to use unlang to modify the accounting request packets. My intent is to add the “Calling-Station-Id” attribute to the requests with the value of a vendor-specific attribute before the packet gets replicated to my home servers. I’ve created a custom policy to update the “Calling-Station-Id” attribute but I seem to be getting errors when running radius in debugging mode. I need to update that attribute with the value of a vendor-specific attribute that my NAS is sending to the radius server. I’ve been looking through the documentation and I can’t seem to find how to properly reference a vendor-specific attribute in a update policy. Please see the custom policy and debugging output below. Custom policy in /etc/raddb/policy.d/canonicalization custom_rewrite_calling_station_id { update request { Calling-Station-Id = "%{request:Vendor-Specific:client-mac-address}" } } Debug output [root@ces-vs-isp-radius3 policy.d]# radiusd -X FreeRADIUS Version 3.0.20 Copyright (C) 1999-2019 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/raddb/dictionary including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/chap including configuration file /etc/raddb/mods-enabled/date including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/digest including configuration file /etc/raddb/mods-enabled/dynamic_clients including configuration file /etc/raddb/mods-enabled/eap including configuration file /etc/raddb/mods-enabled/echo including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/expiration including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/linelog including configuration file /etc/raddb/mods-enabled/logintime including configuration file /etc/raddb/mods-enabled/mschap including configuration file /etc/raddb/mods-enabled/pap including configuration file /etc/raddb/mods-enabled/passwd including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/realm including configuration file /etc/raddb/mods-enabled/replicate including configuration file /etc/raddb/mods-enabled/soh including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/unix including configuration file /etc/raddb/mods-enabled/unpack including configuration file /etc/raddb/mods-enabled/utf8 including configuration file /etc/raddb/mods-enabled/sql including configuration file /etc/raddb/mods-config/sql/main/mysql/queries.conf including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/control including configuration file /etc/raddb/policy.d/cui including configuration file /etc/raddb/policy.d/debug including configuration file /etc/raddb/policy.d/dhcp including configuration file /etc/raddb/policy.d/eap including configuration file /etc/raddb/policy.d/filter including configuration file /etc/raddb/policy.d/operator-name including configuration file /etc/raddb/policy.d/rfc7542 including configuration file /etc/raddb/policy.d/canonicalization including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel main { security { user = "radiusd" group = "radiusd" allow_core_dumps = no } name = "radiusd" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" } main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server home1.calix { ipaddr = 52.38.74.115 port = 1813 type = "acct" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server acct_detail.calix { virtual_server = "acct_detail.calix" port = 0 response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server server.plixer { ipaddr = 216.155.208.13 port = 1813 type = "acct" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } home_server_pool acct_pool.calix { type = fail-over virtual_server = home.calix home_server = home1.calix fallback = acct_detail.calix } realm rconnects.com { auth_pool = my_auth_failover acct_pool = acct_pool.calix } realm cascadeaccess.com { auth_pool = my_auth_failover acct_pool = acct_pool.calix } realm acct_realm.calix { acct_pool = acct_pool.calix } realm NULL { acct_pool = acct_pool.calix } home_server_pool acct_pool.plixer { home_server = server.plixer } realm plixer { acct_pool = acct_pool.plixer } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP radiusd: #### Instantiating modules #### modules { # Loaded module rlm_always # Loading module "reject" from file /etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_chap # Loading module "chap" from file /etc/raddb/mods-enabled/chap # Loaded module rlm_date # Loading module "date" from file /etc/raddb/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" utc = no } # Loading module "wispr2date" from file /etc/raddb/mods-enabled/date date wispr2date { format = "%Y-%m-%dT%H:%M:%S" utc = no } # Loaded module rlm_detail # Loading module "detail" from file /etc/raddb/mods-enabled/detail detail { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_digest # Loading module "digest" from file /etc/raddb/mods-enabled/digest # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_eap # Loading module "eap" from file /etc/raddb/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_exec # Loading module "echo" from file /etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "exec" from file /etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration # Loaded module rlm_expr # Loading module "expr" from file /etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_files # Loading module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" acctusersfile = "/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy" } # Loaded module rlm_linelog # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/radius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/var/log/radius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_mschap # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loaded module rlm_pap # Loading module "pap" from file /etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups" hints = "/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_radutmp # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "bangpath" from file /etc/raddb/mods-enabled/realm realm bangpath { format = "prefix" delimiter = "!" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate # Loaded module rlm_soh # Loading module "soh" from file /etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_unix # Loading module "unix" from file /etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_unpack # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8 # Loaded module rlm_sql # Loading module "sql" from file /etc/raddb/mods-enabled/sql sql { driver = "rlm_sql_mysql" server = "localhost" port = 3306 login = "radius" password = <<< secret >>> radius_db = "radius" read_groups = yes read_profiles = yes read_clients = yes delete_stale_sessions = yes sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" auto_escape = no accounting { reference = "%{tolower:type.%{Acct-Status-Type}.query}" type { accounting-on { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})" } accounting-off { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})" } start { query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')" } interim-update { query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } stop { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } } } post-auth { reference = ".query" query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" } } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked Creating attribute SQL-Group instantiate { } # Instantiating module "reject" from file /etc/raddb/mods-enabled/always # Instantiating module "fail" from file /etc/raddb/mods-enabled/always # Instantiating module "ok" from file /etc/raddb/mods-enabled/always # Instantiating module "handled" from file /etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always # Instantiating module "noop" from file /etc/raddb/mods-enabled/always # Instantiating module "updated" from file /etc/raddb/mods-enabled/always # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" ca_file = "/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "PROFILE=SYSTEM" cipher_server_preference = no ecdh_curve = "prime256v1" disable_tlsv1 = yes disable_tlsv1_1 = yes tls_max_version = "1.2" tls_min_version = "1.2" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = http://127.0.0.1/ocsp/ use_nonce = yes timeout = 0 softfail = no } } Please use tls_min_version and tls_max_version instead of disable_tlsv1 Please use tls_min_version and tls_max_version instead of disable_tlsv1_2 # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration # Instantiating module "files" from file /etc/raddb/mods-enabled/files reading pairlist file /etc/raddb/mods-config/files/authorize reading pairlist file /etc/raddb/mods-config/files/accounting reading pairlist file /etc/raddb/mods-config/files/pre-proxy # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /etc/raddb/mods-config/preprocess/hints # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm # Instantiating module "bangpath" from file /etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm # Instantiating module "sql" from file /etc/raddb/mods-enabled/sql rlm_sql_mysql: libmysql version: 10.4.18 mysql { tls { tls_required = no check_cert = no check_cert_cn = no } warnings = "auto" } rlm_sql (sql): Attempting to connect to database "radius" rlm_sql (sql): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.4.18-MariaDB, protocol version 10 rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.4.18-MariaDB, protocol version 10 rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.4.18-MariaDB, protocol version 10 rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.4.18-MariaDB, protocol version 10 rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.4.18-MariaDB, protocol version 10 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Adding client 216.155.208.130 () to global clients list rlm_sql (216.155.208.130): Client "" (sql) added rlm_sql (sql): Adding client 216.155.208.133 () to global clients list rlm_sql (216.155.208.133): Client "" (sql) added rlm_sql (sql): Adding client 216.155.208.136 () to global clients list rlm_sql (216.155.208.136): Client "" (sql) added rlm_sql (sql): Adding client 216.155.210.1 () to global clients list rlm_sql (216.155.210.1): Client "" (sql) added rlm_sql (sql): Adding client 216.155.208.20 () to global clients list rlm_sql (216.155.208.20): Client "" (sql) added rlm_sql (sql): Adding client 72.19.55.73 () to global clients list rlm_sql (72.19.55.73): Client "" (sql) added rlm_sql (sql): Adding client 72.19.55.53 () to global clients list rlm_sql (72.19.55.53): Client "" (sql) added rlm_sql (sql): Adding client 216.155.208.13 () to global clients list rlm_sql (216.155.208.13): Client "" (sql) added rlm_sql (sql): Adding client 66.62.61.234 () to global clients list rlm_sql (66.62.61.234): Client "" (sql) added rlm_sql (sql): Adding client 216.155.216.30 () to global clients list rlm_sql (216.155.216.30): Client "" (sql) added rlm_sql (sql): Adding client 216.155.216.31 () to global clients list rlm_sql (216.155.216.31): Client "" (sql) added rlm_sql (sql): Adding client 216.155.216.56 () to global clients list rlm_sql (216.155.216.56): Client "" (sql) added rlm_sql (sql): Adding client 100.42.173.22 () to global clients list rlm_sql (100.42.173.22): Client "" (sql) added rlm_sql (sql): Adding client 72.19.52.130 () to global clients list rlm_sql (72.19.52.130): Client "" (sql) added rlm_sql (sql): Adding client 72.19.52.131 () to global clients list rlm_sql (72.19.52.131): Client "" (sql) added rlm_sql (sql): Adding client 198.29.47.34 () to global clients list rlm_sql (198.29.47.34): Client "" (sql) added rlm_sql (sql): Adding client 140.82.244.24 () to global clients list rlm_sql (140.82.244.24): Client "" (sql) added rlm_sql (sql): Adding client 140.82.244.25 () to global clients list rlm_sql (140.82.244.25): Client "" (sql) added rlm_sql (sql): Adding client 140.82.246.41 () to global clients list rlm_sql (140.82.246.41): Client "" (sql) added rlm_sql (sql): Adding client 140.82.246.40 () to global clients list rlm_sql (140.82.246.40): Client "" (sql) added rlm_sql (sql): Adding client 10.11.10.100 () to global clients list rlm_sql (10.11.10.100): Client "" (sql) added rlm_sql (sql): Adding client 140.82.247.1 () to global clients list rlm_sql (140.82.247.1): Client "" (sql) added rlm_sql (sql): Adding client 140.82.246.37 () to global clients list rlm_sql (140.82.246.37): Client "" (sql) added rlm_sql (sql): Adding client 10.11.10.146 () to global clients list rlm_sql (10.11.10.146): Client "" (sql) added rlm_sql (sql): Adding client 10.11.10.41 () to global clients list rlm_sql (10.11.10.41): Client "" (sql) added rlm_sql (sql): Adding client 10.11.10.76 () to global clients list rlm_sql (10.11.10.76): Client "" (sql) added rlm_sql (sql): Adding client 10.11.10.77 () to global clients list rlm_sql (10.11.10.77): Client "" (sql) added rlm_sql (sql): Adding client 198.29.47.86 () to global clients list rlm_sql (198.29.47.86): Client "" (sql) added rlm_sql (sql): Adding client 10.11.10.113 () to global clients list rlm_sql (10.11.10.113): Client "" (sql) added rlm_sql (sql): Adding client 10.11.10.114 () to global clients list rlm_sql (10.11.10.114): Client "" (sql) added rlm_sql (sql): Released connection (0) Need 5 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.4.18-MariaDB, protocol version 10 } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf } # server server home.calix { # from file /etc/raddb/proxy.conf # Loading accounting {...} # Loading post-proxy {...} } # server home.calix server acct_detail.calix { # from file /etc/raddb/proxy.conf # Loading accounting {...} } # server acct_detail.calix server default { # from file /etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:336 } # server inner-tunnel /etc/raddb/policy.d/canonicalization[116]: Failed parsing expanded string: /etc/raddb/policy.d/canonicalization[116]: %{request:Vendor-Specific:client-mac-address} /etc/raddb/policy.d/canonicalization[116]: ^ Attribute 'Vendor-Specific' cannot have a tag
On Jan 17, 2024, at 2:54 PM, Kruz Gaffaney <GaffaneyK@rconnects.net> wrote:
Hello, I’m attempting to use unlang to modify the accounting request packets. My intent is to add the “Calling-Station-Id” attribute to the requests with the value of a vendor-specific attribute before the packet gets replicated to my home servers. I’ve created a custom policy to update the “Calling-Station-Id” attribute but I seem to be getting errors when running radius in debugging mode. I need to update that attribute with the value of a vendor-specific attribute that my NAS is sending to the radius server. I’ve been looking through the documentation and I can’t seem to find how to properly reference a vendor-specific attribute in a update policy.
Just reference it by name. The debug output shows the name.
Please see the custom policy and debugging output below.
Custom policy in /etc/raddb/policy.d/canonicalization
custom_rewrite_calling_station_id { update request { Calling-Station-Id = "%{request:Vendor-Specific:client-mac-address}"
That does not match the documentation or the examples in the configuration. If you want to copy an attribute: a) read the debug output to see the attribute name b) use that attribute name in an "update" section.
/etc/raddb/policy.d/canonicalization[116]: Failed parsing expanded string: /etc/raddb/policy.d/canonicalization[116]: %{request:Vendor-Specific:client-mac-address} /etc/raddb/policy.d/canonicalization[116]: ^ Attribute 'Vendor-Specific' cannot have a tag
That uses the wrong syntax. Instead, use something like: update request { Calling-Station-Id := &request:Cisco-AVPair } That's it. Just replace "Cisco-AVPair" with whatever attribute name shows up in debug output. Alan DeKok.
Thanks for the response Alan. I've updated the policy to be the following; custom_rewrite_calling_station_id { update request { Calling-Station-Id := &request:client-mac-address } } Although now I'm running into a new error when running radius in debug; /etc/raddb/policy.d/canonicalization[116]: Unknown attribute 'client-mac-address' If I comment out my custom policy content and run the server in debug, [root@ces-vs-isp-radius3 gaffaneyk]# radiusd -X FreeRADIUS Version 3.0.20 Copyright (C) 1999-2019 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/raddb/dictionary including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/chap including configuration file /etc/raddb/mods-enabled/date including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/digest including configuration file /etc/raddb/mods-enabled/dynamic_clients including configuration file /etc/raddb/mods-enabled/eap including configuration file /etc/raddb/mods-enabled/echo including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/expiration including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/linelog including configuration file /etc/raddb/mods-enabled/logintime including configuration file /etc/raddb/mods-enabled/mschap including configuration file /etc/raddb/mods-enabled/pap including configuration file /etc/raddb/mods-enabled/passwd including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/realm including configuration file /etc/raddb/mods-enabled/replicate including configuration file /etc/raddb/mods-enabled/soh including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/unix including configuration file /etc/raddb/mods-enabled/unpack including configuration file /etc/raddb/mods-enabled/utf8 including configuration file /etc/raddb/mods-enabled/sql including configuration file /etc/raddb/mods-config/sql/main/mysql/queries.conf including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/control including configuration file /etc/raddb/policy.d/cui including configuration file /etc/raddb/policy.d/debug including configuration file /etc/raddb/policy.d/dhcp including configuration file /etc/raddb/policy.d/eap including configuration file /etc/raddb/policy.d/filter including configuration file /etc/raddb/policy.d/operator-name including configuration file /etc/raddb/policy.d/rfc7542 including configuration file /etc/raddb/policy.d/canonicalization including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel main { security { user = "radiusd" group = "radiusd" allow_core_dumps = no } name = "radiusd" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" } main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server home1.calix { ipaddr = 52.38.74.115 port = 1813 type = "acct" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server acct_detail.calix { virtual_server = "acct_detail.calix" port = 0 response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server server.plixer { ipaddr = 216.155.208.13 port = 1813 type = "acct" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } home_server_pool acct_pool.calix { type = fail-over virtual_server = home.calix home_server = home1.calix fallback = acct_detail.calix } realm rconnects.com { auth_pool = my_auth_failover acct_pool = acct_pool.calix } realm cascadeaccess.com { auth_pool = my_auth_failover acct_pool = acct_pool.calix } realm acct_realm.calix { acct_pool = acct_pool.calix } realm NULL { acct_pool = acct_pool.calix } home_server_pool acct_pool.plixer { home_server = server.plixer } realm plixer { acct_pool = acct_pool.plixer } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP radiusd: #### Instantiating modules #### modules { # Loaded module rlm_always # Loading module "reject" from file /etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_chap # Loading module "chap" from file /etc/raddb/mods-enabled/chap # Loaded module rlm_date # Loading module "date" from file /etc/raddb/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" utc = no } # Loading module "wispr2date" from file /etc/raddb/mods-enabled/date date wispr2date { format = "%Y-%m-%dT%H:%M:%S" utc = no } # Loaded module rlm_detail # Loading module "detail" from file /etc/raddb/mods-enabled/detail detail { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_digest # Loading module "digest" from file /etc/raddb/mods-enabled/digest # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_eap # Loading module "eap" from file /etc/raddb/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_exec # Loading module "echo" from file /etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "exec" from file /etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration # Loaded module rlm_expr # Loading module "expr" from file /etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_files # Loading module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" acctusersfile = "/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy" } # Loaded module rlm_linelog # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/radius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/var/log/radius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_mschap # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loaded module rlm_pap # Loading module "pap" from file /etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups" hints = "/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_radutmp # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "bangpath" from file /etc/raddb/mods-enabled/realm realm bangpath { format = "prefix" delimiter = "!" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate # Loaded module rlm_soh # Loading module "soh" from file /etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_unix # Loading module "unix" from file /etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_unpack # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8 # Loaded module rlm_sql # Loading module "sql" from file /etc/raddb/mods-enabled/sql sql { driver = "rlm_sql_mysql" server = "localhost" port = 3306 login = "radius" password = <<< secret >>> radius_db = "radius" read_groups = yes read_profiles = yes read_clients = yes delete_stale_sessions = yes sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}" default_user_profile = "" client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" auto_escape = no accounting { reference = "%{tolower:type.%{Acct-Status-Type}.query}" type { accounting-on { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})" } accounting-off { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})" } start { query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')" } interim-update { query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } stop { query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'" } } } post-auth { reference = ".query" query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" } } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked Creating attribute SQL-Group instantiate { } # Instantiating module "reject" from file /etc/raddb/mods-enabled/always # Instantiating module "fail" from file /etc/raddb/mods-enabled/always # Instantiating module "ok" from file /etc/raddb/mods-enabled/always # Instantiating module "handled" from file /etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always # Instantiating module "noop" from file /etc/raddb/mods-enabled/always # Instantiating module "updated" from file /etc/raddb/mods-enabled/always # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" ca_file = "/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "PROFILE=SYSTEM" cipher_server_preference = no ecdh_curve = "prime256v1" disable_tlsv1 = yes disable_tlsv1_1 = yes tls_max_version = "1.2" tls_min_version = "1.2" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Please use tls_min_version and tls_max_version instead of disable_tlsv1 Please use tls_min_version and tls_max_version instead of disable_tlsv1_2 # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration # Instantiating module "files" from file /etc/raddb/mods-enabled/files reading pairlist file /etc/raddb/mods-config/files/authorize reading pairlist file /etc/raddb/mods-config/files/accounting reading pairlist file /etc/raddb/mods-config/files/pre-proxy # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /etc/raddb/mods-config/preprocess/hints # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm # Instantiating module "bangpath" from file /etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm # Instantiating module "sql" from file /etc/raddb/mods-enabled/sql rlm_sql_mysql: libmysql version: 10.4.18 mysql { tls { tls_required = no check_cert = no check_cert_cn = no } warnings = "auto" } rlm_sql (sql): Attempting to connect to database "radius" rlm_sql (sql): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 0 cleanup_interval = 30 idle_timeout = 60 retry_delay = 30 spread = no } rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.4.18-MariaDB, protocol version 10 rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.4.18-MariaDB, protocol version 10 rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.4.18-MariaDB, protocol version 10 rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.4.18-MariaDB, protocol version 10 rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.4.18-MariaDB, protocol version 10 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Reserved connection (0) rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Adding client 216.155.208.130 () to global clients list rlm_sql (216.155.208.130): Client "" (sql) added rlm_sql (sql): Adding client 216.155.208.133 () to global clients list rlm_sql (216.155.208.133): Client "" (sql) added rlm_sql (sql): Adding client 216.155.208.136 () to global clients list rlm_sql (216.155.208.136): Client "" (sql) added rlm_sql (sql): Adding client 216.155.210.1 () to global clients list rlm_sql (216.155.210.1): Client "" (sql) added rlm_sql (sql): Adding client 216.155.208.20 () to global clients list rlm_sql (216.155.208.20): Client "" (sql) added rlm_sql (sql): Adding client 72.19.55.73 () to global clients list rlm_sql (72.19.55.73): Client "" (sql) added rlm_sql (sql): Adding client 72.19.55.53 () to global clients list rlm_sql (72.19.55.53): Client "" (sql) added rlm_sql (sql): Adding client 216.155.208.13 () to global clients list rlm_sql (216.155.208.13): Client "" (sql) added rlm_sql (sql): Adding client 66.62.61.234 () to global clients list rlm_sql (66.62.61.234): Client "" (sql) added rlm_sql (sql): Adding client 216.155.216.30 () to global clients list rlm_sql (216.155.216.30): Client "" (sql) added rlm_sql (sql): Adding client 216.155.216.31 () to global clients list rlm_sql (216.155.216.31): Client "" (sql) added rlm_sql (sql): Adding client 216.155.216.56 () to global clients list rlm_sql (216.155.216.56): Client "" (sql) added rlm_sql (sql): Adding client 100.42.173.22 () to global clients list rlm_sql (100.42.173.22): Client "" (sql) added rlm_sql (sql): Adding client 72.19.52.130 () to global clients list rlm_sql (72.19.52.130): Client "" (sql) added rlm_sql (sql): Adding client 72.19.52.131 () to global clients list rlm_sql (72.19.52.131): Client "" (sql) added rlm_sql (sql): Adding client 198.29.47.34 () to global clients list rlm_sql (198.29.47.34): Client "" (sql) added rlm_sql (sql): Adding client 140.82.244.24 () to global clients list rlm_sql (140.82.244.24): Client "" (sql) added rlm_sql (sql): Adding client 140.82.244.25 () to global clients list rlm_sql (140.82.244.25): Client "" (sql) added rlm_sql (sql): Adding client 140.82.246.41 () to global clients list rlm_sql (140.82.246.41): Client "" (sql) added rlm_sql (sql): Adding client 140.82.246.40 () to global clients list rlm_sql (140.82.246.40): Client "" (sql) added rlm_sql (sql): Adding client 10.11.10.100 () to global clients list rlm_sql (10.11.10.100): Client "" (sql) added rlm_sql (sql): Adding client 140.82.247.1 () to global clients list rlm_sql (140.82.247.1): Client "" (sql) added rlm_sql (sql): Adding client 140.82.246.37 () to global clients list rlm_sql (140.82.246.37): Client "" (sql) added rlm_sql (sql): Adding client 10.11.10.146 () to global clients list rlm_sql (10.11.10.146): Client "" (sql) added rlm_sql (sql): Adding client 10.11.10.41 () to global clients list rlm_sql (10.11.10.41): Client "" (sql) added rlm_sql (sql): Adding client 10.11.10.76 () to global clients list rlm_sql (10.11.10.76): Client "" (sql) added rlm_sql (sql): Adding client 10.11.10.77 () to global clients list rlm_sql (10.11.10.77): Client "" (sql) added rlm_sql (sql): Adding client 198.29.47.86 () to global clients list rlm_sql (198.29.47.86): Client "" (sql) added rlm_sql (sql): Adding client 10.11.10.113 () to global clients list rlm_sql (10.11.10.113): Client "" (sql) added rlm_sql (sql): Adding client 10.11.10.114 () to global clients list rlm_sql (10.11.10.114): Client "" (sql) added rlm_sql (sql): Released connection (0) Need 5 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.4.18-MariaDB, protocol version 10 } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf } # server server home.calix { # from file /etc/raddb/proxy.conf # Loading accounting {...} # Loading post-proxy {...} } # server home.calix server acct_detail.calix { # from file /etc/raddb/proxy.conf # Loading accounting {...} } # server acct_detail.calix server default { # from file /etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:336 } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "detail" listen { filename = "/var/log/radius/radacct/calix/detail-*" load_factor = 10 poll_interval = 1 retry_interval = 30 one_shot = no track = no } } listen { type = "auth" ipaddr = * detail (/var/log/radius/radacct/calix/detail-*): Polling for detail file port = 0 limit { max_connections = 16 lifetime = 0 detail (/var/log/radius/radacct/calix/detail-*): Detail listener state unopened waiting 0.910201 sec idle_timeout = 30 } detail (/var/log/radius/radacct/calix/detail-*): Polling for detail file detail (/var/log/radius/radacct/calix/detail-*): Detail listener state unopened waiting 0.960530 sec } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } detail (/var/log/radius/radacct/calix/detail-*): Polling for detail file detail (/var/log/radius/radacct/calix/detail-*): Detail listener state unopened waiting 0.795958 sec } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } detail (/var/log/radius/radacct/calix/detail-*): Polling for detail file detail (/var/log/radius/radacct/calix/detail-*): Detail listener state unopened waiting 0.815740 sec } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } detail (/var/log/radius/radacct/calix/detail-*): Polling for detail file detail (/var/log/radius/radacct/calix/detail-*): Detail listener state unopened waiting 1.105434 sec } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 detail (/var/log/radius/radacct/calix/detail-*): Polling for detail file detail (/var/log/radius/radacct/calix/detail-*): Detail listener state unopened waiting 1.008657 sec detail (/var/log/radius/radacct/calix/detail-*): Polling for detail file } detail (/var/log/radius/radacct/calix/detail-*): Detail listener state unopened waiting 0.884404 sec Listening on detail file /var/log/radius/radacct/calix/detail-* as server home.calix Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 34488 Listening on proxy address :: port 37962 detail (/var/log/radius/radacct/calix/detail-*): Polling for detail file detail (/var/log/radius/radacct/calix/detail-*): Detail listener state unopened waiting 1.025112 sec Ready to process requests Receive - Invalid data from 10.11.10.62: Expected at least 4 bytes of header data, got 0 bytes Ready to process requests Receive - Invalid data from 10.11.10.62: Expected at least 4 bytes of header data, got 0 bytes Ready to process requests detail (/var/log/radius/radacct/calix/detail-*): Polling for detail file detail (/var/log/radius/radacct/calix/detail-*): Detail listener state unopened waiting 1.052376 sec detail (/var/log/radius/radacct/calix/detail-*): Polling for detail file detail (/var/log/radius/radacct/calix/detail-*): Detail listener state unopened waiting 0.758274 sec detail (/var/log/radius/radacct/calix/detail-*): Polling for detail file detail (/var/log/radius/radacct/calix/detail-*): Detail listener state unopened waiting 1.237925 sec detail (/var/log/radius/radacct/calix/detail-*): Polling for detail file detail (/var/log/radius/radacct/calix/detail-*): Detail listener state unopened waiting 1.097119 sec (0) Received Accounting-Request Id 26 from 72.19.55.73:16444 to 216.155.208.69:1813 length 834 (0) Acct-Interim-Interval = 60 (0) Acct-Session-Time = 263580 (0) Acct-Status-Type = Interim-Update (0) Event-Timestamp = "Jan 17 2024 12:56:32 PST" (0) NAS-Port-Type = Wireless-XGP (0) Cisco-AVPair = "pppoe-session-id=8735" (0) Cisco-AVPair = "client-mac-address=5483.3a9a.f1d7" (0) ADSL-Agent-Circuit-Id = 0x4e31352d312d372d342d31322d45544831 (0) Cisco-AVPair = "circuit-id-tag=N15-1-7-4-12-ETH1" (0) Acct-Session-Id = "004505ab" (0) NAS-Port-Id = "0/0/10/4082" (0) Cisco-NAS-Port = "0/0/10/4082" (0) Called-Station-Id = "N15-1-7-4-12-ETH1" (0) User-Name = "54833A9AF1D7" (0) Acct-Authentic = RADIUS (0) Framed-IP-Address = 72.19.45.99 (0) Cisco-AVPair = "vrf-id=default" (0) Cisco-AVPair = "accounting-list=AAA-GROUP-BNG-RADIUS-SERVERS" (0) Cisco-AVPair = "srg-group-id=10" (0) Framed-Protocol = PPP (0) Service-Type = Framed-User (0) X-Ascend-Connect-Progress = IPNCP-Opened (0) Cisco-AVPair = "connect-progress=IPCP Open" (0) Acct-Input-Octets = 45951093 (0) Acct-Input-Gigawords = 1 (0) Acct-Input-Packets = 40946081 (0) Acct-Output-Octets = 1309917227 (0) Acct-Output-Gigawords = 29 (0) Acct-Output-Packets = 87033515 (0) Cisco-AVPair = "acct-input-octets-ipv4=3274754357" (0) Cisco-AVPair = "acct-input-packets-ipv4=40908153" (0) Cisco-AVPair = "acct-output-octets-ipv4=3323147796" (0) Cisco-AVPair = "acct-output-gigawords-ipv4=28" (0) Cisco-AVPair = "acct-output-packets-ipv4=86990694" (0) Cisco-AVPair = "acct-input-octets-ipv6=0" (0) Cisco-AVPair = "acct-input-packets-ipv6=0" (0) Cisco-AVPair = "acct-output-octets-ipv6=0" (0) Cisco-AVPair = "acct-output-packets-ipv6=0" (0) NAS-Identifier = "ASR9006A-EST" (0) NAS-IP-Address = 72.19.55.73 (0) NAS-IPv6-Address = :: (0) Acct-Delay-Time = 44 (0) # Executing section preacct from file /etc/raddb/sites-enabled/default (0) preacct { (0) preprocess: EXPAND ([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2}) (0) preprocess: --> ([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2}) (0) [preprocess] = ok (0) custom_rewrite_calling_station_id { ... } # empty sub-section is ignored (0) policy acct_unique { (0) update request { (0) &Tmp-String-9 := "ai:" (0) } # update request = noop (0) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (0) EXPAND %{hex:&Class} (0) --> (0) EXPAND ^%{hex:&Tmp-String-9} (0) --> ^61693a (0) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (0) else { (0) update request { (0) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (0) --> c4734842257e3effe059205d66e2b67f (0) &Acct-Unique-Session-Id := c4734842257e3effe059205d66e2b67f (0) } # update request = noop (0) } # else = noop (0) } # policy acct_unique = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "54833A9AF1D7", looking up realm NULL (0) suffix: Found realm "NULL" (0) suffix: Adding Stripped-User-Name = "54833A9AF1D7" (0) suffix: Adding Realm = "NULL" (0) suffix: Proxying request from user 54833A9AF1D7 to realm NULL (0) suffix: Preparing to proxy accounting request to realm "NULL" (0) [suffix] = updated (0) [files] = noop (0) update { (0) control:Replicate-To-Realm := plixer (0) } # update = noop (0) replicate: Replicating list 'request' to Realm 'plixer' (0) [replicate] = ok (0) } # preacct = updated (0) # Executing section accounting from file /etc/raddb/sites-enabled/default (0) accounting { (0) detail: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (0) detail: --> /var/log/radius/radacct/72.19.55.73/detail-20240117 (0) detail: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/72.19.55.73/detail-20240117 (0) detail: EXPAND %t (0) detail: --> Wed Jan 17 12:57:17 2024 (0) [detail] = ok (0) [unix] = noop (0) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query} (0) sql: --> type.interim-update.query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} (0) sql: --> 54833A9AF1D7 (0) sql: SQL-User-Name set to '54833A9AF1D7' (0) sql: EXPAND UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' (0) sql: --> UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(1705524992), acctinterval = 1705524992 - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '72.19.45.99', acctsessiontime = 263580, acctinputoctets = '1' << 32 | '45951093', acctoutputoctets = '29' << 32 | '1309917227' WHERE AcctUniqueId = 'c4734842257e3effe059205d66e2b67f' (0) sql: Executing query: UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(1705524992), acctinterval = 1705524992 - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '72.19.45.99', acctsessiontime = 263580, acctinputoctets = '1' << 32 | '45951093', acctoutputoctets = '29' << 32 | '1309917227' WHERE AcctUniqueId = 'c4734842257e3effe059205d66e2b67f' rlm_sql_mysql: Rows matched: 1 Changed: 1 Warnings: 0 (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.4.18-MariaDB, protocol version 10 (0) [sql] = ok (0) [exec] = noop (0) attr_filter.accounting_response: EXPAND %{User-Name} (0) attr_filter.accounting_response: --> 54833A9AF1D7 (0) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (0) [attr_filter.accounting_response] = updated (0) } # accounting = updated (0) Starting proxy to home server 52.38.74.115 port 1813 (0) server home.calix { (0) } (0) Proxying request to home server 52.38.74.115 port 1813 timeout 30.000000 (0) Sent Accounting-Request Id 140 from 0.0.0.0:34488 to 52.38.74.115:1813 length 838 (0) Acct-Interim-Interval = 60 (0) Acct-Session-Time = 263580 (0) Acct-Status-Type = Interim-Update (0) Event-Timestamp = "Jan 17 2024 12:56:32 PST" (0) NAS-Port-Type = Wireless-XGP (0) Cisco-AVPair = "pppoe-session-id=8735" (0) Cisco-AVPair = "client-mac-address=5483.3a9a.f1d7" (0) ADSL-Agent-Circuit-Id = 0x4e31352d312d372d342d31322d45544831 (0) Cisco-AVPair = "circuit-id-tag=N15-1-7-4-12-ETH1" (0) Acct-Session-Id = "004505ab" (0) NAS-Port-Id = "0/0/10/4082" (0) Cisco-NAS-Port = "0/0/10/4082" (0) Called-Station-Id = "N15-1-7-4-12-ETH1" (0) User-Name = "54833A9AF1D7" (0) Acct-Authentic = RADIUS (0) Framed-IP-Address = 72.19.45.99 (0) Cisco-AVPair = "vrf-id=default" (0) Cisco-AVPair = "accounting-list=AAA-GROUP-BNG-RADIUS-SERVERS" (0) Cisco-AVPair = "srg-group-id=10" (0) Framed-Protocol = PPP (0) Service-Type = Framed-User (0) X-Ascend-Connect-Progress = IPNCP-Opened (0) Cisco-AVPair = "connect-progress=IPCP Open" (0) Acct-Input-Octets = 45951093 (0) Acct-Input-Gigawords = 1 (0) Acct-Input-Packets = 40946081 (0) Acct-Output-Octets = 1309917227 (0) Acct-Output-Gigawords = 29 (0) Acct-Output-Packets = 87033515 (0) Cisco-AVPair = "acct-input-octets-ipv4=3274754357" (0) Cisco-AVPair = "acct-input-packets-ipv4=40908153" (0) Cisco-AVPair = "acct-output-octets-ipv4=3323147796" (0) Cisco-AVPair = "acct-output-gigawords-ipv4=28" (0) Cisco-AVPair = "acct-output-packets-ipv4=86990694" (0) Cisco-AVPair = "acct-input-octets-ipv6=0" (0) Cisco-AVPair = "acct-input-packets-ipv6=0" (0) Cisco-AVPair = "acct-output-octets-ipv6=0" (0) Cisco-AVPair = "acct-output-packets-ipv6=0" (0) NAS-Identifier = "ASR9006A-EST" (0) NAS-IP-Address = 72.19.55.73 (0) NAS-IPv6-Address = :: (0) Acct-Delay-Time = 44 (0) Proxy-State = 0x3236 Waking up in 0.2 seconds. I'm trying to get the following attribute to be copied to the calling-station-id, "Cisco-AVPair = "client-mac-address=4cc5.3e94.8aa7"", specifically just the mac address. -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+gaffaneyk=rconnects.net@lists.freeradius.org> On Behalf Of Alan DeKok Sent: Wednesday, January 17, 2024 12:25 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Modifying accounting request with vendor-specific attribute On Jan 17, 2024, at 2:54 PM, Kruz Gaffaney <GaffaneyK@rconnects.net> wrote:
Hello, I’m attempting to use unlang to modify the accounting request packets. My intent is to add the “Calling-Station-Id” attribute to the requests with the value of a vendor-specific attribute before the packet gets replicated to my home servers. I’ve created a custom policy to update the “Calling-Station-Id” attribute but I seem to be getting errors when running radius in debugging mode. I need to update that attribute with the value of a vendor-specific attribute that my NAS is sending to the radius server. I’ve been looking through the documentation and I can’t seem to find how to properly reference a vendor-specific attribute in a update policy.
Just reference it by name. The debug output shows the name.
Please see the custom policy and debugging output below.
Custom policy in /etc/raddb/policy.d/canonicalization
custom_rewrite_calling_station_id { update request { Calling-Station-Id = "%{request:Vendor-Specific:client-mac-address}"
That does not match the documentation or the examples in the configuration. If you want to copy an attribute: a) read the debug output to see the attribute name b) use that attribute name in an "update" section.
/etc/raddb/policy.d/canonicalization[116]: Failed parsing expanded string: /etc/raddb/policy.d/canonicalization[116]: %{request:Vendor-Specific:client-mac-address} /etc/raddb/policy.d/canonicalization[116]: ^ Attribute 'Vendor-Specific' cannot have a tag
That uses the wrong syntax. Instead, use something like: update request { Calling-Station-Id := &request:Cisco-AVPair } That's it. Just replace "Cisco-AVPair" with whatever attribute name shows up in debug output. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ---------- This email has been scanned for spam and viruses by Proofpoint Essentials. Visit the following link to report this email as spam: https://us2.proofpointessentials.com/app/report_spam.php?mod_id=11&mod_optio...
On Jan 17, 2024, at 4:11 PM, Kruz Gaffaney <GaffaneyK@rconnects.net> wrote:
I've updated the policy to be the following;
custom_rewrite_calling_station_id { update request { Calling-Station-Id := &request:client-mac-address } }
Although now I'm running into a new error when running radius in debug;
/etc/raddb/policy.d/canonicalization[116]: Unknown attribute 'client-mac-address'
i.e. you didn't see that attribute name show up in the debug output, but you put it into the "update" section anyways. It helps to follow instructions correctly. It's also good to be familiar with how RADIUS works, and what it does. i.e. what is an "attribute", versus the value for an attribute. When the server prints: User-Name = "foo" The "User-Name" string is the attribute name The "foo" string is the value of the User-Name attribute.
... (0) Received Accounting-Request Id 26 from 72.19.55.73:16444 to 216.155.208.69:1813 length 834
This packet lists a bunch of attributes. Which one needs to go into Calling-Station-ID? Let's read the debug output.
(0) Cisco-AVPair = "client-mac-address=5483.3a9a.f1d7"
That seems relevant. Except the attribute name isn't "client-mac-address", it's Cisco-AVPair. This can be discovered by reading the debug output, and seeing what's there. So the problem statement is really: a) find the Cisco-AVPair attribute b) where the value contains client-mac-address c) take text after the "=", and then d) copy it to Calling-Station-Id. A methodical approach is likely to fix issues like this. Trying random things, or inventing syntax is not likely to help. What you want do is to use a regular expression: if (Cisco-AVPair =~ /client-mac-address=(.*)/) { update request { Calling-Station-Id = "%{1}" } } That's going to work. Alan DeKok.
Hi Alan, thanks for your patience. Using regex makes a lot of sense. I removed my custom policy and replaced it with what you sent over, I double checked it with a regex tester online and looks like it matches correctly, though I'm see a new issue with the debug saying the condition is false. Canonicalization file: [root@ces-vs-isp-radius3 policy.d]# cat canonicalization # # Split User-Name in NAI format (RFC 4282) into components # # This policy writes the Username and Domain portions of the # NAI into the Stripped-User-Name and Stripped-User-Domain # attributes. # # The regular expression to do this is not strictly compliant # with the standard, but it is not possible to write a # compliant regexp without perl style regular expressions (or # at least not a legible one). # nai_regexp = '^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$' split_username_nai { if (&User-Name && (&User-Name =~ /${policy.nai_regexp}/)) { update request { &Stripped-User-Name := "%{1}" } # Only add the Stripped-User-Domain attribute if # we have a domain. This means presence checks # for Stripped-User-Domain work. if ("%{3}" != '') { update request { &Stripped-User-Domain = "%{3}" } } # If any of the expansions result in a null # string, the update section may return # something other than updated... updated } else { noop } } # # If called in post-proxy we modify the proxy-reply message # split_username_nai.post-proxy { if (&proxy-reply:User-Name && (&proxy-reply:User-Name =~ /${policy.nai_regexp}/)) { update proxy-reply { &Stripped-User-Name := "%{1}" } # Only add the Stripped-User-Domain attribute if # we have a domain. This means presence checks # for Stripped-User-Domain work. if ("%{3}" != '') { update proxy-reply { &Stripped-User-Domain = "%{3}" } } updated } else { noop } } # # Normalize the MAC Addresses in the Calling/Called-Station-Id # mac-addr-regexp = '([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})' # # Add "rewrite_called_station_id" in the "authorize" and # "preacct" sections. # # Makes Called-Station-ID conform to what RFC3580 says should # be provided by 802.1X authenticators. # rewrite_called_station_id { if (&Called-Station-Id && (&Called-Station-Id =~ /^${policy.mac-addr-regexp}([^0-9a-f](.+))?$/i)) { update request { &Called-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" } # SSID component? if ("%{8}") { update request { &Called-Station-SSID := "%{8}" } } updated } else { noop } } # # Add "rewrite_calling_station_id" in the "authorize" and # "preacct" sections. # # Makes Calling-Station-ID conform to what RFC3580 says should # be provided by 802.1X authenticators. # rewrite_calling_station_id { if (&Calling-Station-Id && (&Calling-Station-Id =~ /^${policy.mac-addr-regexp}$/i)) { update request { &Calling-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" } updated } else { noop } } custom_rewrite_calling_station_id { if (Cisco-AVPair =~ /client-mac-address=(.*)/) { update request { Calling-Station-Id = "%{1}" } } } Debug: (0) Received Accounting-Request Id 185 from 72.19.55.73:61651 to 216.155.208.69:1813 length 802 (0) Acct-Interim-Interval = 60 (0) Acct-Session-Time = 163500 (0) Acct-Status-Type = Interim-Update (0) Event-Timestamp = "Jan 17 2024 14:51:11 PST" (0) NAS-Port-Type = Wireless-XGP (0) Cisco-AVPair = "pppoe-session-id=17305" (0) Cisco-AVPair = "client-mac-address=d8b6.b7e8.b2ee" (0) ADSL-Agent-Circuit-Id = 0x4e33362d312d352d38 (0) Cisco-AVPair = "circuit-id-tag=N36-1-5-8" (0) Acct-Session-Id = "0046013c" (0) NAS-Port-Id = "0/0/10/3111" (0) Cisco-NAS-Port = "0/0/10/3111" (0) Called-Station-Id = "N36-1-5-8" (0) User-Name = "modem905496" (0) Acct-Authentic = RADIUS (0) Framed-IP-Address = 216.155.211.154 (0) Cisco-AVPair = "vrf-id=default" (0) Cisco-AVPair = "accounting-list=AAA-GROUP-BNG-RADIUS-SERVERS" (0) Cisco-AVPair = "srg-group-id=10" (0) Framed-Protocol = PPP (0) Service-Type = Framed-User (0) X-Ascend-Connect-Progress = IPNCP-Opened (0) Cisco-AVPair = "connect-progress=IPCP Open" (0) Acct-Input-Octets = 1842870865 (0) Acct-Input-Packets = 14378033 (0) Acct-Output-Octets = 791579294 (0) Acct-Output-Gigawords = 8 (0) Acct-Output-Packets = 25259638 (0) Cisco-AVPair = "acct-input-octets-ipv4=1468938988" (0) Cisco-AVPair = "acct-input-packets-ipv4=14375306" (0) Cisco-AVPair = "acct-output-octets-ipv4=134738370" (0) Cisco-AVPair = "acct-output-gigawords-ipv4=8" (0) Cisco-AVPair = "acct-output-packets-ipv4=25256876" (0) Cisco-AVPair = "acct-input-octets-ipv6=0" (0) Cisco-AVPair = "acct-input-packets-ipv6=0" (0) Cisco-AVPair = "acct-output-octets-ipv6=0" (0) Cisco-AVPair = "acct-output-packets-ipv6=0" (0) NAS-Identifier = "ASR9006A-EST" (0) NAS-IP-Address = 72.19.55.73 (0) NAS-IPv6-Address = :: (0) Acct-Delay-Time = 44 (0) # Executing section preacct from file /etc/raddb/sites-enabled/default (0) preacct { (0) preprocess: EXPAND ([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2}) (0) preprocess: --> ([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2}) (0) [preprocess] = ok (0) policy custom_rewrite_calling_station_id { (0) if (Cisco-AVPair =~ /client-mac-address=(.*)/) { (0) if (Cisco-AVPair =~ /client-mac-address=(.*)/) -> FALSE (0) } # policy custom_rewrite_calling_station_id = ok (0) policy acct_unique { (0) update request { (0) &Tmp-String-9 := "ai:" (0) } # update request = noop (0) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (0) EXPAND %{hex:&Class} (0) --> (0) EXPAND ^%{hex:&Tmp-String-9} (0) --> ^61693a (0) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (0) else { (0) update request { (0) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (0) --> 6d3022986abcd942249c2c0c95f42ffa (0) &Acct-Unique-Session-Id := 6d3022986abcd942249c2c0c95f42ffa (0) } # update request = noop (0) } # else = noop (0) } # policy acct_unique = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "modem905496", looking up realm NULL (0) suffix: Found realm "NULL" (0) suffix: Adding Stripped-User-Name = "modem905496" (0) suffix: Adding Realm = "NULL" (0) suffix: Proxying request from user modem905496 to realm NULL (0) suffix: Preparing to proxy accounting request to realm "NULL" (0) [suffix] = updated (0) [files] = noop (0) update { (0) control:Replicate-To-Realm := plixer (0) } # update = noop (0) replicate: Replicating list 'request' to Realm 'plixer' (0) [replicate] = ok (0) } # preacct = updated (0) # Executing section accounting from file /etc/raddb/sites-enabled/default (0) accounting { (0) detail: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (0) detail: --> /var/log/radius/radacct/72.19.55.73/detail-20240117 (0) detail: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/72.19.55.73/detail-20240117 (0) detail: EXPAND %t (0) detail: --> Wed Jan 17 14:51:56 2024 (0) [detail] = ok (0) [unix] = noop (0) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query} (0) sql: --> type.interim-update.query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} (0) sql: --> modem905496 (0) sql: SQL-User-Name set to 'modem905496' (0) sql: EXPAND UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' (0) sql: --> UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(1705531871), acctinterval = 1705531871 - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '216.155.211.154', acctsessiontime = 163500, acctinputoctets = '0' << 32 | '1842870865', acctoutputoctets = '8' << 32 | '791579294' WHERE AcctUniqueId = '6d3022986abcd942249c2c0c95f42ffa' (0) sql: Executing query: UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(1705531871), acctinterval = 1705531871 - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '216.155.211.154', acctsessiontime = 163500, acctinputoctets = '0' << 32 | '1842870865', acctoutputoctets = '8' << 32 | '791579294' WHERE AcctUniqueId = '6d3022986abcd942249c2c0c95f42ffa' rlm_sql_mysql: Rows matched: 1 Changed: 1 Warnings: 0 (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.4.18-MariaDB, protocol version 10 (0) [sql] = ok (0) [exec] = noop (0) attr_filter.accounting_response: EXPAND %{User-Name} (0) attr_filter.accounting_response: --> modem905496 (0) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (0) [attr_filter.accounting_response] = updated (0) } # accounting = updated (0) Starting proxy to home server 52.38.74.115 port 1813 (0) server home.calix { (0) } (0) Proxying request to home server 52.38.74.115 port 1813 timeout 30.000000 (0) Sent Accounting-Request Id 68 from 0.0.0.0:60398 to 52.38.74.115:1813 length 807 (0) Acct-Interim-Interval = 60 (0) Acct-Session-Time = 163500 (0) Acct-Status-Type = Interim-Update (0) Event-Timestamp = "Jan 17 2024 14:51:11 PST" (0) NAS-Port-Type = Wireless-XGP (0) Cisco-AVPair = "pppoe-session-id=17305" (0) Cisco-AVPair = "client-mac-address=d8b6.b7e8.b2ee" (0) ADSL-Agent-Circuit-Id = 0x4e33362d312d352d38 (0) Cisco-AVPair = "circuit-id-tag=N36-1-5-8" (0) Acct-Session-Id = "0046013c" (0) NAS-Port-Id = "0/0/10/3111" (0) Cisco-NAS-Port = "0/0/10/3111" (0) Called-Station-Id = "N36-1-5-8" (0) User-Name = "modem905496" (0) Acct-Authentic = RADIUS (0) Framed-IP-Address = 216.155.211.154 (0) Cisco-AVPair = "vrf-id=default" (0) Cisco-AVPair = "accounting-list=AAA-GROUP-BNG-RADIUS-SERVERS" (0) Cisco-AVPair = "srg-group-id=10" (0) Framed-Protocol = PPP (0) Service-Type = Framed-User (0) X-Ascend-Connect-Progress = IPNCP-Opened (0) Cisco-AVPair = "connect-progress=IPCP Open" (0) Acct-Input-Octets = 1842870865 (0) Acct-Input-Packets = 14378033 (0) Acct-Output-Octets = 791579294 (0) Acct-Output-Gigawords = 8 (0) Acct-Output-Packets = 25259638 (0) Cisco-AVPair = "acct-input-octets-ipv4=1468938988" (0) Cisco-AVPair = "acct-input-packets-ipv4=14375306" (0) Cisco-AVPair = "acct-output-octets-ipv4=134738370" (0) Cisco-AVPair = "acct-output-gigawords-ipv4=8" (0) Cisco-AVPair = "acct-output-packets-ipv4=25256876" (0) Cisco-AVPair = "acct-input-octets-ipv6=0" (0) Cisco-AVPair = "acct-input-packets-ipv6=0" (0) Cisco-AVPair = "acct-output-octets-ipv6=0" (0) Cisco-AVPair = "acct-output-packets-ipv6=0" (0) NAS-Identifier = "ASR9006A-EST" (0) NAS-IP-Address = 72.19.55.73 (0) NAS-IPv6-Address = :: (0) Acct-Delay-Time = 44 (0) Proxy-State = 0x313835 Waking up in 0.2 seconds. -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+gaffaneyk=rconnects.net@lists.freeradius.org> On Behalf Of Alan DeKok Sent: Wednesday, January 17, 2024 1:24 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Modifying accounting request with vendor-specific attribute On Jan 17, 2024, at 4:11 PM, Kruz Gaffaney <GaffaneyK@rconnects.net> wrote:
I've updated the policy to be the following;
custom_rewrite_calling_station_id { update request { Calling-Station-Id := &request:client-mac-address } }
Although now I'm running into a new error when running radius in debug;
/etc/raddb/policy.d/canonicalization[116]: Unknown attribute 'client-mac-address'
i.e. you didn't see that attribute name show up in the debug output, but you put it into the "update" section anyways. It helps to follow instructions correctly. It's also good to be familiar with how RADIUS works, and what it does. i.e. what is an "attribute", versus the value for an attribute. When the server prints: User-Name = "foo" The "User-Name" string is the attribute name The "foo" string is the value of the User-Name attribute.
... (0) Received Accounting-Request Id 26 from 72.19.55.73:16444 to 216.155.208.69:1813 length 834
This packet lists a bunch of attributes. Which one needs to go into Calling-Station-ID? Let's read the debug output.
(0) Cisco-AVPair = "client-mac-address=5483.3a9a.f1d7"
That seems relevant. Except the attribute name isn't "client-mac-address", it's Cisco-AVPair. This can be discovered by reading the debug output, and seeing what's there. So the problem statement is really: a) find the Cisco-AVPair attribute b) where the value contains client-mac-address c) take text after the "=", and then d) copy it to Calling-Station-Id. A methodical approach is likely to fix issues like this. Trying random things, or inventing syntax is not likely to help. What you want do is to use a regular expression: if (Cisco-AVPair =~ /client-mac-address=(.*)/) { update request { Calling-Station-Id = "%{1}" } } That's going to work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ---------- This email has been scanned for spam and viruses by Proofpoint Essentials. Visit the following link to report this email as spam: https://us2.proofpointessentials.com/app/report_spam.php?mod_id=11&mod_optio...
Got it working, I did some reading through man unlang and adjusted the reference; custom_rewrite_calling_station_id { if (&Cisco-AVPair[*] =~ /client-mac-address=(.*)/) { update request { Calling-Station-Id = "%{1}" } } } This worked! Thanks for your help. -----Original Message----- From: Kruz Gaffaney Sent: Wednesday, January 17, 2024 3:07 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: RE: Modifying accounting request with vendor-specific attribute Hi Alan, thanks for your patience. Using regex makes a lot of sense. I removed my custom policy and replaced it with what you sent over, I double checked it with a regex tester online and looks like it matches correctly, though I'm see a new issue with the debug saying the condition is false. Canonicalization file: [root@ces-vs-isp-radius3 policy.d]# cat canonicalization # # Split User-Name in NAI format (RFC 4282) into components # # This policy writes the Username and Domain portions of the # NAI into the Stripped-User-Name and Stripped-User-Domain # attributes. # # The regular expression to do this is not strictly compliant # with the standard, but it is not possible to write a # compliant regexp without perl style regular expressions (or # at least not a legible one). # nai_regexp = '^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$' split_username_nai { if (&User-Name && (&User-Name =~ /${policy.nai_regexp}/)) { update request { &Stripped-User-Name := "%{1}" } # Only add the Stripped-User-Domain attribute if # we have a domain. This means presence checks # for Stripped-User-Domain work. if ("%{3}" != '') { update request { &Stripped-User-Domain = "%{3}" } } # If any of the expansions result in a null # string, the update section may return # something other than updated... updated } else { noop } } # # If called in post-proxy we modify the proxy-reply message # split_username_nai.post-proxy { if (&proxy-reply:User-Name && (&proxy-reply:User-Name =~ /${policy.nai_regexp}/)) { update proxy-reply { &Stripped-User-Name := "%{1}" } # Only add the Stripped-User-Domain attribute if # we have a domain. This means presence checks # for Stripped-User-Domain work. if ("%{3}" != '') { update proxy-reply { &Stripped-User-Domain = "%{3}" } } updated } else { noop } } # # Normalize the MAC Addresses in the Calling/Called-Station-Id # mac-addr-regexp = '([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})' # # Add "rewrite_called_station_id" in the "authorize" and # "preacct" sections. # # Makes Called-Station-ID conform to what RFC3580 says should # be provided by 802.1X authenticators. # rewrite_called_station_id { if (&Called-Station-Id && (&Called-Station-Id =~ /^${policy.mac-addr-regexp}([^0-9a-f](.+))?$/i)) { update request { &Called-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" } # SSID component? if ("%{8}") { update request { &Called-Station-SSID := "%{8}" } } updated } else { noop } } # # Add "rewrite_calling_station_id" in the "authorize" and # "preacct" sections. # # Makes Calling-Station-ID conform to what RFC3580 says should # be provided by 802.1X authenticators. # rewrite_calling_station_id { if (&Calling-Station-Id && (&Calling-Station-Id =~ /^${policy.mac-addr-regexp}$/i)) { update request { &Calling-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" } updated } else { noop } } custom_rewrite_calling_station_id { if (Cisco-AVPair =~ /client-mac-address=(.*)/) { update request { Calling-Station-Id = "%{1}" } } } Debug: (0) Received Accounting-Request Id 185 from 72.19.55.73:61651 to 216.155.208.69:1813 length 802 (0) Acct-Interim-Interval = 60 (0) Acct-Session-Time = 163500 (0) Acct-Status-Type = Interim-Update (0) Event-Timestamp = "Jan 17 2024 14:51:11 PST" (0) NAS-Port-Type = Wireless-XGP (0) Cisco-AVPair = "pppoe-session-id=17305" (0) Cisco-AVPair = "client-mac-address=d8b6.b7e8.b2ee" (0) ADSL-Agent-Circuit-Id = 0x4e33362d312d352d38 (0) Cisco-AVPair = "circuit-id-tag=N36-1-5-8" (0) Acct-Session-Id = "0046013c" (0) NAS-Port-Id = "0/0/10/3111" (0) Cisco-NAS-Port = "0/0/10/3111" (0) Called-Station-Id = "N36-1-5-8" (0) User-Name = "modem905496" (0) Acct-Authentic = RADIUS (0) Framed-IP-Address = 216.155.211.154 (0) Cisco-AVPair = "vrf-id=default" (0) Cisco-AVPair = "accounting-list=AAA-GROUP-BNG-RADIUS-SERVERS" (0) Cisco-AVPair = "srg-group-id=10" (0) Framed-Protocol = PPP (0) Service-Type = Framed-User (0) X-Ascend-Connect-Progress = IPNCP-Opened (0) Cisco-AVPair = "connect-progress=IPCP Open" (0) Acct-Input-Octets = 1842870865 (0) Acct-Input-Packets = 14378033 (0) Acct-Output-Octets = 791579294 (0) Acct-Output-Gigawords = 8 (0) Acct-Output-Packets = 25259638 (0) Cisco-AVPair = "acct-input-octets-ipv4=1468938988" (0) Cisco-AVPair = "acct-input-packets-ipv4=14375306" (0) Cisco-AVPair = "acct-output-octets-ipv4=134738370" (0) Cisco-AVPair = "acct-output-gigawords-ipv4=8" (0) Cisco-AVPair = "acct-output-packets-ipv4=25256876" (0) Cisco-AVPair = "acct-input-octets-ipv6=0" (0) Cisco-AVPair = "acct-input-packets-ipv6=0" (0) Cisco-AVPair = "acct-output-octets-ipv6=0" (0) Cisco-AVPair = "acct-output-packets-ipv6=0" (0) NAS-Identifier = "ASR9006A-EST" (0) NAS-IP-Address = 72.19.55.73 (0) NAS-IPv6-Address = :: (0) Acct-Delay-Time = 44 (0) # Executing section preacct from file /etc/raddb/sites-enabled/default (0) preacct { (0) preprocess: EXPAND ([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2}) (0) preprocess: --> ([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2}) (0) [preprocess] = ok (0) policy custom_rewrite_calling_station_id { (0) if (Cisco-AVPair =~ /client-mac-address=(.*)/) { (0) if (Cisco-AVPair =~ /client-mac-address=(.*)/) -> FALSE (0) } # policy custom_rewrite_calling_station_id = ok (0) policy acct_unique { (0) update request { (0) &Tmp-String-9 := "ai:" (0) } # update request = noop (0) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (0) EXPAND %{hex:&Class} (0) --> (0) EXPAND ^%{hex:&Tmp-String-9} (0) --> ^61693a (0) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (0) else { (0) update request { (0) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (0) --> 6d3022986abcd942249c2c0c95f42ffa (0) &Acct-Unique-Session-Id := 6d3022986abcd942249c2c0c95f42ffa (0) } # update request = noop (0) } # else = noop (0) } # policy acct_unique = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "modem905496", looking up realm NULL (0) suffix: Found realm "NULL" (0) suffix: Adding Stripped-User-Name = "modem905496" (0) suffix: Adding Realm = "NULL" (0) suffix: Proxying request from user modem905496 to realm NULL (0) suffix: Preparing to proxy accounting request to realm "NULL" (0) [suffix] = updated (0) [files] = noop (0) update { (0) control:Replicate-To-Realm := plixer (0) } # update = noop (0) replicate: Replicating list 'request' to Realm 'plixer' (0) [replicate] = ok (0) } # preacct = updated (0) # Executing section accounting from file /etc/raddb/sites-enabled/default (0) accounting { (0) detail: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (0) detail: --> /var/log/radius/radacct/72.19.55.73/detail-20240117 (0) detail: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/72.19.55.73/detail-20240117 (0) detail: EXPAND %t (0) detail: --> Wed Jan 17 14:51:56 2024 (0) [detail] = ok (0) [unix] = noop (0) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query} (0) sql: --> type.interim-update.query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} (0) sql: --> modem905496 (0) sql: SQL-User-Name set to 'modem905496' (0) sql: EXPAND UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' (0) sql: --> UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(1705531871), acctinterval = 1705531871 - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '216.155.211.154', acctsessiontime = 163500, acctinputoctets = '0' << 32 | '1842870865', acctoutputoctets = '8' << 32 | '791579294' WHERE AcctUniqueId = '6d3022986abcd942249c2c0c95f42ffa' (0) sql: Executing query: UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = FROM_UNIXTIME(1705531871), acctinterval = 1705531871 - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '216.155.211.154', acctsessiontime = 163500, acctinputoctets = '0' << 32 | '1842870865', acctoutputoctets = '8' << 32 | '791579294' WHERE AcctUniqueId = '6d3022986abcd942249c2c0c95f42ffa' rlm_sql_mysql: Rows matched: 1 Changed: 1 Warnings: 0 (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.4.18-MariaDB, protocol version 10 (0) [sql] = ok (0) [exec] = noop (0) attr_filter.accounting_response: EXPAND %{User-Name} (0) attr_filter.accounting_response: --> modem905496 (0) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (0) [attr_filter.accounting_response] = updated (0) } # accounting = updated (0) Starting proxy to home server 52.38.74.115 port 1813 (0) server home.calix { (0) } (0) Proxying request to home server 52.38.74.115 port 1813 timeout 30.000000 (0) Sent Accounting-Request Id 68 from 0.0.0.0:60398 to 52.38.74.115:1813 length 807 (0) Acct-Interim-Interval = 60 (0) Acct-Session-Time = 163500 (0) Acct-Status-Type = Interim-Update (0) Event-Timestamp = "Jan 17 2024 14:51:11 PST" (0) NAS-Port-Type = Wireless-XGP (0) Cisco-AVPair = "pppoe-session-id=17305" (0) Cisco-AVPair = "client-mac-address=d8b6.b7e8.b2ee" (0) ADSL-Agent-Circuit-Id = 0x4e33362d312d352d38 (0) Cisco-AVPair = "circuit-id-tag=N36-1-5-8" (0) Acct-Session-Id = "0046013c" (0) NAS-Port-Id = "0/0/10/3111" (0) Cisco-NAS-Port = "0/0/10/3111" (0) Called-Station-Id = "N36-1-5-8" (0) User-Name = "modem905496" (0) Acct-Authentic = RADIUS (0) Framed-IP-Address = 216.155.211.154 (0) Cisco-AVPair = "vrf-id=default" (0) Cisco-AVPair = "accounting-list=AAA-GROUP-BNG-RADIUS-SERVERS" (0) Cisco-AVPair = "srg-group-id=10" (0) Framed-Protocol = PPP (0) Service-Type = Framed-User (0) X-Ascend-Connect-Progress = IPNCP-Opened (0) Cisco-AVPair = "connect-progress=IPCP Open" (0) Acct-Input-Octets = 1842870865 (0) Acct-Input-Packets = 14378033 (0) Acct-Output-Octets = 791579294 (0) Acct-Output-Gigawords = 8 (0) Acct-Output-Packets = 25259638 (0) Cisco-AVPair = "acct-input-octets-ipv4=1468938988" (0) Cisco-AVPair = "acct-input-packets-ipv4=14375306" (0) Cisco-AVPair = "acct-output-octets-ipv4=134738370" (0) Cisco-AVPair = "acct-output-gigawords-ipv4=8" (0) Cisco-AVPair = "acct-output-packets-ipv4=25256876" (0) Cisco-AVPair = "acct-input-octets-ipv6=0" (0) Cisco-AVPair = "acct-input-packets-ipv6=0" (0) Cisco-AVPair = "acct-output-octets-ipv6=0" (0) Cisco-AVPair = "acct-output-packets-ipv6=0" (0) NAS-Identifier = "ASR9006A-EST" (0) NAS-IP-Address = 72.19.55.73 (0) NAS-IPv6-Address = :: (0) Acct-Delay-Time = 44 (0) Proxy-State = 0x313835 Waking up in 0.2 seconds. -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+gaffaneyk=rconnects.net@lists.freeradius.org> On Behalf Of Alan DeKok Sent: Wednesday, January 17, 2024 1:24 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Modifying accounting request with vendor-specific attribute On Jan 17, 2024, at 4:11 PM, Kruz Gaffaney <GaffaneyK@rconnects.net> wrote:
I've updated the policy to be the following;
custom_rewrite_calling_station_id { update request { Calling-Station-Id := &request:client-mac-address } }
Although now I'm running into a new error when running radius in debug;
/etc/raddb/policy.d/canonicalization[116]: Unknown attribute 'client-mac-address'
i.e. you didn't see that attribute name show up in the debug output, but you put it into the "update" section anyways. It helps to follow instructions correctly. It's also good to be familiar with how RADIUS works, and what it does. i.e. what is an "attribute", versus the value for an attribute. When the server prints: User-Name = "foo" The "User-Name" string is the attribute name The "foo" string is the value of the User-Name attribute.
... (0) Received Accounting-Request Id 26 from 72.19.55.73:16444 to 216.155.208.69:1813 length 834
This packet lists a bunch of attributes. Which one needs to go into Calling-Station-ID? Let's read the debug output.
(0) Cisco-AVPair = "client-mac-address=5483.3a9a.f1d7"
That seems relevant. Except the attribute name isn't "client-mac-address", it's Cisco-AVPair. This can be discovered by reading the debug output, and seeing what's there. So the problem statement is really: a) find the Cisco-AVPair attribute b) where the value contains client-mac-address c) take text after the "=", and then d) copy it to Calling-Station-Id. A methodical approach is likely to fix issues like this. Trying random things, or inventing syntax is not likely to help. What you want do is to use a regular expression: if (Cisco-AVPair =~ /client-mac-address=(.*)/) { update request { Calling-Station-Id = "%{1}" } } That's going to work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ---------- This email has been scanned for spam and viruses by Proofpoint Essentials. Visit the following link to report this email as spam: https://us2.proofpointessentials.com/app/report_spam.php?mod_id=11&mod_optio...
participants (2)
-
Alan DeKok -
Kruz Gaffaney