Stripping the calling station id
Hello, Could someone help me to strip the calling station id recieved in the request to use it later for the checkval module. I am applying the mac authentication using checkval but the problem is that I am recieving a long calling station id containing the mac address. this is an exemple of the calling station id recieved : lag-50:1201.0#BNG Kasbah###pppoe 94:a7:b7:3e:93:5b# its always in this format and I only want to extract the mac address from it. I dont know if it can be achieved using unlang or anything else.
On Jun 22, 2018, at 7:27 AM, Kefi Ammar . <kefiammar@gmail.com> wrote:
Could someone help me to strip the calling station id recieved in the request to use it later for the checkval module.
I am applying the mac authentication using checkval but the problem is that I am recieving a long calling station id containing the mac address.
this is an exemple of the calling station id recieved : lag-50:1201.0#BNG Kasbah###pppoe 94:a7:b7:3e:93:5b#
That's not normally the recommended form. But NAS vendors are inventive. <sigh> The NAS-Port-ID attribute should really be used for that kind of information.
its always in this format and I only want to extract the mac address from it. I dont know if it can be achieved using unlang or anything else.
Use a regular expression: update request { NAS-Port-Id += &Calling-Station-ID } if (Calling-Station-Id =~ /pppoe ([^#]+#/) { update request { Calling-Station-ID := "${1}" } } You'll have to modify it for your needs, but that's the basic idea. Alan DeKok.
Thank you for responding but, FR is acting the same and I always get a reject from the checkval module because the Calling-Station-Id is still the same : rlm_checkval: Item Name: Calling-Station-Id, Value: lag-50:1201.0#BNG Kasbah###pppoe 94:a7:b7:3e:93:5b# rlm_checkval: Value Name: Calling-Station-Id, Value: 94:a7:b7:3e:93:5b ++[checkval] returns reject I know it's the problem of the NAS but I can't change that infortunately so I have to adjust my server to that form. So could you please give me a detailed solution for this 2018-06-22 12:32 GMT+01:00 Alan DeKok <aland@deployingradius.com>:
On Jun 22, 2018, at 7:27 AM, Kefi Ammar . <kefiammar@gmail.com> wrote:
Could someone help me to strip the calling station id recieved in the request to use it later for the checkval module.
I am applying the mac authentication using checkval but the problem is
that
I am recieving a long calling station id containing the mac address.
this is an exemple of the calling station id recieved : lag-50:1201.0#BNG Kasbah###pppoe 94:a7:b7:3e:93:5b#
That's not normally the recommended form. But NAS vendors are inventive. <sigh>
The NAS-Port-ID attribute should really be used for that kind of information.
its always in this format and I only want to extract the mac address from it. I dont know if it can be achieved using unlang or anything else.
Use a regular expression:
update request { NAS-Port-Id += &Calling-Station-ID }
if (Calling-Station-Id =~ /pppoe ([^#]+#/) { update request { Calling-Station-ID := "${1}" } }
You'll have to modify it for your needs, but that's the basic idea.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Jun 22, 2018, at 8:46 AM, Kefi Ammar . <kefiammar@gmail.com> wrote:
Thank you for responding but,
FR is acting the same and I always get a reject from the checkval module because the Calling-Station-Id is still the same :
rlm_checkval: Item Name: Calling-Station-Id, Value: lag-50:1201.0#BNG Kasbah###pppoe 94:a7:b7:3e:93:5b# rlm_checkval: Value Name: Calling-Station-Id, Value: 94:a7:b7:3e:93:5b ++[checkval] returns reject
READ the debug output. It's not difficult.
I know it's the problem of the NAS but I can't change that infortunately so I have to adjust my server to that form.
The solution I gave you will work.
So could you please give me a detailed solution for this
I did. Now read http://wiki.freeradius.org/list-help, AND http://wiki.freeradius.org/radiusd-X Alan DeKok.
This is the whole debug from my server containing the service start and a recieved request : FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Jul 26 2017 at 15:30:42 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/sql.conf including configuration file /etc/freeradius/sql/mysql/dialup.conf including configuration file /etc/freeradius/sql/mysql/counter.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 5 cleanup_delay = 3 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = yes auth_goodpass = yes } security { max_attributes = 200 reject_delay = 0 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm ttnet.tn { } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/radiusd.conf modules { Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Linked to module rlm_sql Module: Instantiating module "sql" from file /etc/freeradius/sql.conf sql { driver = "rlm_sql_mysql" server = "localhost" port = "" login = "root" password = "radius" radius_db = "radius" read_groups = yes sqltrace = yes sqltracefile = "/var/log/freeradius/sqltrace.sql" readclients = yes deletestalesessions = yes num_sql_socks = 5 lifetime = 0 max_queries = 0 sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}" default_user_profile = "" nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, login, attribute, value, op FROM ttnet_tn WHERE login = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id" accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" connect_failure_retry_delay = 60 simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" postauth_query = "INSERT into radpostauth (username, pass, mac, nasipaddress, reply, authdate, raison) values ('%{User-Name}', '%{User-Password:-Pap-Password}', '%{Calling-Station-Id}', '%{NAS-IP-Address}', '%{reply:Packet-Type}', NOW(), '%{reply:Reply-Message}')" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to root@localhost:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_mysql: query: SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Read entry nasname=192.168.80.1,shortname=RADloginTest,secret=testingserver rlm_sql (sql): Adding client 192.168.80.1 (RADloginTest, server=<none>) to clients list rlm_sql (sql): Released sql socket id: 4 Module: Linked to module rlm_always Module: Instantiating module "reject" from file /etc/freeradius/modules/always always reject { rcode = "reject" simulcount = 0 mpp = no } Module: Linked to module rlm_checkval Module: Instantiating module "checkval" from file /etc/freeradius/modules/checkval checkval { item-name = "Calling-Station-Id" check-name = "Calling-Station-Id" data-type = "string" notfound-reject = no } rlm_checkval: Registered name Calling-Station-Id for attribute 31 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Instantiating module "IPASS" from file /etc/freeradius/modules/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_counter Module: Instantiating module "daily" from file /etc/freeradius/modules/counter counter daily { filename = "/etc/freeradius/db.daily" key = "User-Name" reset = "daily" count-attribute = "Acct-Session-Time" counter-name = "Daily-Session-Time" check-name = "Max-Daily-Session" reply-name = "Session-Timeout" allowed-servicetype = "Framed-User" cache-size = 5000 } rlm_counter: Counter attribute Daily-Session-Time is number 11273 rlm_counter: Current Time: 1529672629 [2018-06-22 14:03:49], Next reset 1529708400 [2018-06-23 00:00:00] Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "reply_log" from file /etc/freeradius/modules/detail.log detail reply_log { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 59698 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.80.1 port 54521, id=40, length=165 User-Name = "ammar@ttnet.tn" Acct-Session-Id = "1529672645N70tfy" NAS-IP-Address = 192.168.200.159 NAS-Identifier = "ASR1_LNS" NAS-Port = 6819 Calling-Station-Id = "lag-50:1201.0#BNG Kasbah###pppoe 94:a7:b7:3e:93:5b#" User-Password = "12345" Message-Authenticator = 0x5c75369c7b4b832b1b8af8d78ca7e583 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[request] returns notfound ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "ttnet.tn" for User-Name = "ammar@ttnet.tn" [suffix] Found realm "ttnet.tn" [suffix] Adding Stripped-User-Name = "ammar" [suffix] Adding Realm = "ttnet.tn" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 127 [files] expand: /temp/auth_backup.sh %{Stripped-User-Name} %{User-Password} %{Calling-Station-Id} -> /temp/auth_backup.sh ammar 12345 lag-50:1201.0#BNG Kasbah###pppoe 94:a7:b7:3e:93:5b# ++[files] returns ok [sql] expand: %{Stripped-User-Name} -> ammar [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> ammar [sql] sql_set_user escaped user --> 'ammar' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, login, attribute, value, op FROM ttnet_tn WHERE login = '%{SQL-User-Name}' ORDER BY id -> SELECT id, login, attribute, value, op FROM ttnet_tn WHERE login = 'ammar' ORDER BY id rlm_sql_mysql: query: SELECT id, login, attribute, value, op FROM ttnet_tn WHERE login = 'ammar' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'ammar' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'ammar' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'ammar' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'ammar' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++? if (notfound) ? Evaluating (notfound) -> FALSE ++? if (notfound) -> FALSE rlm_checkval: Item Name: Calling-Station-Id, Value: lag-50:1201.0#BNG Kasbah###pppoe 94:a7:b7:3e:93:5b# rlm_checkval: Value Name: Calling-Station-Id, Value: 94:a7:b7:3e:93:5b ++[checkval] returns reject ++? if (reject) ? Evaluating (reject) -> TRUE ++? if (reject) -> TRUE ++- entering if (reject) {...} +++[reply] returns reject +++[reject] returns reject ++- if (reject) returns reject Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} ++[reply] returns noop [sql] expand: %{Stripped-User-Name} -> ammar [sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> ammar [sql] sql_set_user escaped user --> 'ammar' [sql] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [sql] expand: INSERT into radpostauth (username, pass, mac, nasipaddress, reply, authdate, raison) values ('%{User-Name}', '%{User-Password:-Pap-Password}', '%{Calling-Station-Id}', '%{NAS-IP-Address}', '%{reply:Packet-Type}', NOW(), '%{reply:Reply-Message}') -> INSERT into radpostauth (username, pass, mac, nasipaddress, reply, authdate, raison) values ('ammar@ttnet.tn', '12345', 'lag-50:1201.0=23BNG Kasbah=23=23=23pppoe 94:a7:b7:3e:93:5b=23', '192.168.200.159', 'Access-Reject', NOW(), 'MAC differente') [sql] expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (username, pass, mac, nasipaddress, reply, authdate, raison) values ('ammar@ttnet.tn', '12345', 'lag-50:1201.0=23BNG Kasbah=23=23=23pppoe 94:a7:b7:3e:93:5b=23', '192.168.200.159', 'Access-Reject', NOW(), 'MAC differente') rlm_sql (sql): Reserving sql socket id: 2 rlm_sql_mysql: query: INSERT into radpostauth (username, pass, mac, nasipaddress, reply, authdate, raison) values ('ammar@ttnet.tn', '12345', 'lag-50:1201.0=23BNG Kasbah=23=23=23pppoe 94:a7:b7:3e:93:5b=23', '192.168.200.159', 'Access-Reject', NOW(), 'MAC differente') rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok [attr_filter.access_reject] expand: %{User-Name} -> ammar@ttnet.tn attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 40 to 192.168.80.1 port 54521 Reply-Message = "MAC differente" Finished request 0. Going to the next request Waking up in 2.9 seconds. Cleaning up request 0 ID 40 with timestamp +17 Ready to process requests. 2018-06-22 13:51 GMT+01:00 Alan DeKok <aland@deployingradius.com>:
On Jun 22, 2018, at 8:46 AM, Kefi Ammar . <kefiammar@gmail.com> wrote:
Thank you for responding but,
FR is acting the same and I always get a reject from the checkval module because the Calling-Station-Id is still the same :
rlm_checkval: Item Name: Calling-Station-Id, Value: lag-50:1201.0#BNG Kasbah###pppoe 94:a7:b7:3e:93:5b# rlm_checkval: Value Name: Calling-Station-Id, Value: 94:a7:b7:3e:93:5b ++[checkval] returns reject
READ the debug output. It's not difficult.
I know it's the problem of the NAS but I can't change that infortunately so I have to adjust my server to that form.
The solution I gave you will work.
So could you please give me a detailed solution for this
I did.
Now read http://wiki.freeradius.org/list-help, AND http://wiki.freeradius.org/radiusd-X
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Jun 22, 2018, at 9:06 AM, Kefi Ammar . <kefiammar@gmail.com> wrote:
This is the whole debug from my server containing the service start and a recieved request :
Which doesn't include the regular expression I said to use. So... where did you put it? And why did you put it there? It should go into the "authorize" section of "sites-enabled/default". This should be clear from the documentation, examples, and debug output. Since you're running 2.1.12 (WHY? there's NO reason for that), you'll have to use this instead: update request { NAS-Port-Id += "%{Calling-Station-ID}" } if (Calling-Station-Id =~ /pppoe ([^#]+#/) { update request { Calling-Station-ID := "${1}" } } And PLEASE think about where you put that piece. It does matter. And no, I'm not going to tell you. At some point you need to *understand* the configuration. Now is a good time to learn. Alan DeKok.
I am asking this because I am new to freeradius and Ive already put it in the authorize section of "sites-enabled/default" -actually its the first thing in that section- and in the debug output it indicates notfound and now since i've changed it the debug stops with an error : WARNING: No such configuration item 1 /etc/freeradius/sites-enabled/default[77]: Reference "${1}" not found 2018-06-22 14:13 GMT+01:00 Alan DeKok <aland@deployingradius.com>:
On Jun 22, 2018, at 9:06 AM, Kefi Ammar . <kefiammar@gmail.com> wrote:
This is the whole debug from my server containing the service start and a recieved request :
Which doesn't include the regular expression I said to use.
So... where did you put it? And why did you put it there?
It should go into the "authorize" section of "sites-enabled/default". This should be clear from the documentation, examples, and debug output.
Since you're running 2.1.12 (WHY? there's NO reason for that), you'll have to use this instead:
update request { NAS-Port-Id += "%{Calling-Station-ID}" }
if (Calling-Station-Id =~ /pppoe ([^#]+#/) { update request { Calling-Station-ID := "${1}" } }
And PLEASE think about where you put that piece. It does matter. And no, I'm not going to tell you. At some point you need to *understand* the configuration. Now is a good time to learn.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Jun 22, 2018, at 9:41 AM, Kefi Ammar . <kefiammar@gmail.com> wrote:
I am asking this because I am new to freeradius
That's OK...
and Ive already put it in the authorize section of "sites-enabled/default" -actually its the first thing in that section-
No, it isn't. It looks like you put in the "update" block. But not the "if" block. Put in ALL of it.
and in the debug output it indicates notfound and now since i've changed it the debug stops with an error :
WARNING: No such configuration item 1 /etc/freeradius/sites-enabled/default[77]: Reference "${1}" not found
That's a typo on my end, sorry. Replace it with %{1} Alan DeKok.
I am sure that I've put all of it there and now when I replaced it with %{1} I have a different result in the debug output : # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} expand: %{Calling-Station-ID} -> lag-50:1201.0#BNG Kasbah###pppoe 94:a7:b7:3e:93:5b# ++[request] returns notfound ++? if (Calling-Station-Id =~ /pppoe ([^#]+#/) ERROR: Failed compiling regular expression: Unmatched ( or \( 2018-06-22 14:44 GMT+01:00 Alan DeKok <aland@deployingradius.com>:
On Jun 22, 2018, at 9:41 AM, Kefi Ammar . <kefiammar@gmail.com> wrote:
I am asking this because I am new to freeradius
That's OK...
and Ive already put it in the authorize section of "sites-enabled/default" -actually its the first thing in that section-
No, it isn't. It looks like you put in the "update" block. But not the "if" block.
Put in ALL of it.
and in the debug output it indicates notfound and now since i've changed it the debug stops with an error :
WARNING: No such configuration item 1 /etc/freeradius/sites-enabled/default[77]: Reference "${1}" not found
That's a typo on my end, sorry. Replace it with %{1}
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Jun 22, 2018, at 9:53 AM, Kefi Ammar . <kefiammar@gmail.com> wrote:
I am sure that I've put all of it there and now when I replaced it with %{1} I have a different result in the debug output :
# Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} expand: %{Calling-Station-ID} -> lag-50:1201.0#BNG Kasbah###pppoe 94:a7:b7:3e:93:5b# ++[request] returns notfound ++? if (Calling-Station-Id =~ /pppoe ([^#]+#/) ERROR: Failed compiling regular expression: Unmatched ( or \(
Use: if (Calling-Station-Id =~ /pppoe ([^#]+#)/) Alan DeKok.
Well this is amazing, going to the right direction, now the calling-station-id is = 94:a7:b7:3e:93:5b# so there is the extra # in it if I can put that away it would work perfectly !! 2018-06-22 14:54 GMT+01:00 Alan DeKok <aland@deployingradius.com>:
On Jun 22, 2018, at 9:53 AM, Kefi Ammar . <kefiammar@gmail.com> wrote:
I am sure that I've put all of it there and now when I replaced it with %{1} I have a different result in the debug output :
# Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} expand: %{Calling-Station-ID} -> lag-50:1201.0#BNG Kasbah###pppoe 94:a7:b7:3e:93:5b# ++[request] returns notfound ++? if (Calling-Station-Id =~ /pppoe ([^#]+#/) ERROR: Failed compiling regular expression: Unmatched ( or \(
Use:
if (Calling-Station-Id =~ /pppoe ([^#]+#)/)
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Jun 22, 2018, at 10:04 AM, Kefi Ammar . <kefiammar@gmail.com> wrote:
Well this is amazing, going to the right direction, now the calling-station-id is = 94:a7:b7:3e:93:5b# so there is the extra # in it if I can put that away it would work perfectly !!
Use: if (Calling-Station-Id =~ /pppoe ([^#]+)#/) That should be it. Finally... Alan DeKok.
Yes finally !! thank you for your time and sorry for all these questions, I am totally new to freeradius. I hope the NAS doesn't change the form or I will be screwed ! 2018-06-22 15:08 GMT+01:00 Alan DeKok <aland@deployingradius.com>:
On Jun 22, 2018, at 10:04 AM, Kefi Ammar . <kefiammar@gmail.com> wrote:
Well this is amazing, going to the right direction, now the calling-station-id is = 94:a7:b7:3e:93:5b# so there is the extra # in it if I can put that away it would work perfectly !!
Use:
if (Calling-Station-Id =~ /pppoe ([^#]+)#/)
That should be it. Finally...
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
hi,
I hope the NAS doesn't change the form or I will be screwed !
one would assume that the MAC address would always be there - so if you wrote a regex that matched the MAC address as its core component rather than care about the start and end , you would still get that value out as the %{1} return - left as a nice exercise for you :) alan
participants (3)
-
Alan Buxey -
Alan DeKok -
Kefi Ammar .