rewrite_calling_station_id not working

aaronrus at comcast.net
Sun Nov 25 23:44:44 CET 2012


I've been following the guide at http://wiki.freeradius.org/guide/Mac-Auth. I completed the section called Mac-Auth and 802.1x. The issue I'm having is with rewrite_calling_station_id.

If I comment this out and make sure the authorized_macs file has the MAC listed just like the access point sends it, everything works. The problem is that not all access points send the MAC in the same format. Some may send it in upper case and some in lower case, and with 30 plus access points I need to make sure it's formatted correctly, which is what rewrite_calling_station_id should do.

In the log below, authorized_macs has the MAC address in lower case. rewrite_calling_station_id should solve this but does not. In order to get it working I commented out rewrite_calling_station_id and changed the MAC in the authorized_macs file to upper case.

I'm using Ubuntu 10.4, FreeRADIUS Version 2.1.8.
I noticed this WARNING: Unknown module "tolower" in string expansion "%" in the rejected log.
I have searched for a tolower program but cannot find one to install.

What package is tolower part of?
What am I missing?

Here is the policy.conf file:
# Rewrite called station id attribute into a standard format.
#
rewrite_calling_station_id {
        if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
                update request {
                        Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
                }
        }
        else {
                noop
        }
} 

Here is the rejected log:

FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan 5 2010 at 02:49:11 
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ... 
including configuration file /etc/freeradius/radiusd.conf 
including configuration file /etc/freeradius/proxy.conf 
including configuration file /etc/freeradius/clients.conf 
including files in directory /etc/freeradius/modules/ 
including configuration file /etc/freeradius/modules/cui 
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login 
including configuration file /etc/freeradius/modules/etc_group 
including configuration file /etc/freeradius/modules/detail.example.com 
including configuration file /etc/freeradius/modules/otp 
including configuration file /etc/freeradius/modules/logintime 
including configuration file /etc/freeradius/modules/radutmp 
including configuration file /etc/freeradius/modules/inner-eap 
including configuration file /etc/freeradius/modules/chap 
including configuration file /etc/freeradius/modules/ldap 
including configuration file /etc/freeradius/modules/detail 
including configuration file /etc/freeradius/modules/attr_rewrite 
including configuration file /etc/freeradius/modules/mac2vlan 
including configuration file /etc/freeradius/modules/sql_log 
including configuration file /etc/freeradius/modules/expr 
including configuration file /etc/freeradius/modules/checkval 
including configuration file /etc/freeradius/modules/passwd 
including configuration file /etc/freeradius/modules/exec 
including configuration file /etc/freeradius/modules/smsotp 
including configuration file /etc/freeradius/modules/krb5 
including configuration file /etc/freeradius/modules/wimax 
including configuration file /etc/freeradius/modules/perl 
including configuration file /etc/freeradius/modules/realm 
including configuration file /etc/freeradius/modules/attr_filter 
including configuration file /etc/freeradius/modules/smbpasswd 
including configuration file /etc/freeradius/modules/policy 
including configuration file /etc/freeradius/modules/ntlm_auth 
including configuration file /etc/freeradius/modules/files 
including configuration file /etc/freeradius/modules/counter 
including configuration file /etc/freeradius/modules/echo 
including configuration file /etc/freeradius/modules/acct_unique 
including configuration file /etc/freeradius/modules/unix 
including configuration file /etc/freeradius/modules/ippool 
including configuration file /etc/freeradius/modules/mac2ip 
including configuration file /etc/freeradius/modules/digest 
including configuration file /etc/freeradius/modules/expiration 
including configuration file /etc/freeradius/modules/always 
including configuration file /etc/freeradius/modules/mschap 
including configuration file /etc/freeradius/modules/detail.log 
including configuration file /etc/freeradius/modules/sradutmp 
including configuration file /etc/freeradius/modules/linelog 
including configuration file /etc/freeradius/modules/pam 
including configuration file /etc/freeradius/modules/pap 
including configuration file /etc/freeradius/modules/preprocess 
including configuration file /etc/freeradius/eap.conf 
including configuration file /etc/freeradius/policy.conf 
including files in directory /etc/freeradius/sites-enabled/ 
including configuration file /etc/freeradius/sites-enabled/inner-tunnel 
including configuration file /etc/freeradius/sites-enabled/default 
main { 
user = "freerad" 
group = "freerad" 
allow_core_dumps = no 
} 
including dictionary file /etc/freeradius/dictionary 
main { 
prefix = "/usr" 
localstatedir = "/var" 
logdir = "/var/log/freeradius" 
libdir = "/usr/lib/freeradius" 
radacctdir = "/var/log/freeradius/radacct" 
hostname_lookups = no 
max_request_time = 30 
cleanup_delay = 5 
max_requests = 1024 
pidfile = "/var/run/freeradius/freeradius.pid" 
checkrad = "/usr/sbin/checkrad" 
debug_level = 0 
proxy_requests = yes 
log { 
stripped_names = no 
auth = no 
auth_badpass = no 
auth_goodpass = no 
} 
security { 
max_attributes = 200 
reject_delay = 1 
status_server = yes 
} 
} 
radiusd: #### Loading Realms and Home Servers #### 
proxy server { 
retry_delay = 5 
retry_count = 3 
default_fallback = no 
dead_time = 120 
wake_all_if_all_dead = no 
} 
home_server localhost { 
ipaddr = 127.0.0.1 
port = 1812 
type = "auth" 
secret = "testing123" 
response_window = 20 
max_outstanding = 65536 
require_message_authenticator = no 
zombie_period = 40 
status_check = "status-server" 
ping_interval = 30 
check_interval = 30 
num_answers_to_alive = 3 
num_pings_to_alive = 3 
revive_interval = 120 
status_check_timeout = 4 
irt = 2 
mrt = 16 
mrc = 5 
mrd = 30 
} 
home_server_pool my_auth_failover { 
type = fail-over 
home_server = localhost 
} 
realm example.com { 
auth_pool = my_auth_failover 
} 
realm LOCAL { 
} 
radiusd: #### Loading Clients #### 
client localhost { 
ipaddr = 127.0.0.1 
require_message_authenticator = no 
secret = "testing123" 
nastype = "other" 
} 
client 10.1.0.66 { 
require_message_authenticator = no 
secret = "testing123" 
shortname = "AP" 
} 
radiusd: #### Instantiating modules #### 
instantiate { 
Module: Linked to module rlm_exec 
Module: Instantiating exec 
exec { 
wait = no 
input_pairs = "request" 
shell_escape = yes 
} 
Module: Linked to module rlm_expr 
Module: Instantiating expr 
Module: Linked to module rlm_expiration 
Module: Instantiating expiration 
expiration { 
reply-message = "Password Has Expired " 
} 
Module: Linked to module rlm_logintime 
Module: Instantiating logintime 
logintime { 
reply-message = "You are calling outside your allowed timespan " 
minimum-timeout = 60 
} 
} 
radiusd: #### Loading Virtual Servers #### 
server inner-tunnel { 
modules { 
Module: Checking authenticate {...} for more modules to load 
Module: Linked to module rlm_pap 
Module: Instantiating pap 
pap { 
encryption_scheme = "auto" 
auto_header = no 
} 
Module: Linked to module rlm_chap 
Module: Instantiating chap 
Module: Linked to module rlm_mschap 
Module: Instantiating mschap 
mschap { 
use_mppe = yes 
require_encryption = no 
require_strong = no 
with_ntdomain_hack = no 
} 
Module: Linked to module rlm_unix 
Module: Instantiating unix 
unix { 
radwtmp = "/var/log/freeradius/radwtmp" 
} 
Module: Linked to module rlm_eap 
Module: Instantiating eap 
eap { 
default_eap_type = "peap" 
timer_expire = 60 
ignore_unknown_eap_types = no 
cisco_accounting_username_bug = no 
max_sessions = 4096 
} 
Module: Linked to sub-module rlm_eap_md5 
Module: Instantiating eap-md5 
Module: Linked to sub-module rlm_eap_leap 
Module: Instantiating eap-leap 
Module: Linked to sub-module rlm_eap_gtc 
Module: Instantiating eap-gtc 
gtc { 
challenge = "Password: " 
auth_type = "PAP" 
} 
Module: Linked to sub-module rlm_eap_tls 
Module: Instantiating eap-tls 
tls { 
rsa_key_exchange = no 
dh_key_exchange = yes 
rsa_key_length = 512 
dh_key_length = 512 
verify_depth = 0 
pem_file_type = yes 
private_key_file = "/etc/freeradius/certs/server.key" 
certificate_file = "/etc/freeradius/certs/server.pem" 
CA_file = "/etc/freeradius/certs/ca.pem" 
private_key_password = "whatever" 
dh_file = "/etc/freeradius/certs/dh" 
random_file = "/etc/freeradius/certs/random" 
fragment_size = 1024 
include_length = yes 
check_crl = no 
cipher_list = "DEFAULT" 
make_cert_command = "/etc/freeradius/certs/bootstrap" 
cache { 
enable = no 
lifetime = 24 
max_entries = 255 
} 
} 
Module: Linked to sub-module rlm_eap_ttls 
Module: Instantiating eap-ttls 
ttls { 
default_eap_type = "md5" 
copy_request_to_tunnel = no 
use_tunneled_reply = no 
virtual_server = "inner-tunnel" 
include_length = yes 
} 
Module: Linked to sub-module rlm_eap_peap 
Module: Instantiating eap-peap 
peap { 
default_eap_type = "mschapv2" 
copy_request_to_tunnel = no 
use_tunneled_reply = no 
proxy_tunneled_request_as_eap = yes 
virtual_server = "inner-tunnel" 
} 
Module: Linked to sub-module rlm_eap_mschapv2 
Module: Instantiating eap-mschapv2 
mschapv2 { 
with_ntdomain_hack = no 
} 
Module: Checking authorize {...} for more modules to load 
Module: Linked to module rlm_realm 
Module: Instantiating suffix 
realm suffix { 
format = "suffix" 
delimiter = "@" 
ignore_default = no 
ignore_null = no 
} 
Module: Linked to module rlm_files 
Module: Instantiating files 
files { 
usersfile = "/etc/freeradius/users" 
acctusersfile = "/etc/freeradius/acct_users" 
preproxy_usersfile = "/etc/freeradius/preproxy_users" 
compat = "no" 
} 
Module: Checking session {...} for more modules to load 
Module: Linked to module rlm_radutmp 
Module: Instantiating radutmp 
radutmp { 
filename = "/var/log/freeradius/radutmp" 
username = "%{User-Name}" 
case_sensitive = yes 
check_with_nas = yes 
perm = 384 
callerid = yes 
} 
Module: Checking post-proxy {...} for more modules to load 
Module: Checking post-auth {...} for more modules to load 
Module: Linked to module rlm_attr_filter 
Module: Instantiating attr_filter.access_reject 
attr_filter attr_filter.access_reject { 
attrsfile = "/etc/freeradius/attrs.access_reject" 
key = "%{User-Name}" 
} 
} # modules 
} # server 
server { 
modules { 
Module: Checking authenticate {...} for more modules to load 
Module: Checking authorize {...} for more modules to load 
Module: Linked to module rlm_preprocess 
Module: Instantiating preprocess 
preprocess { 
huntgroups = "/etc/freeradius/huntgroups" 
hints = "/etc/freeradius/hints" 
with_ascend_hack = no 
ascend_channels_per_line = 23 
with_ntdomain_hack = no 
with_specialix_jetstream_hack = no 
with_cisco_vsa_hack = no 
with_alvarion_vsa_hack = no 
} 
Module: Loading virtual module rewrite_calling_station_id 
Module: Linked to module rlm_always 
Module: Instantiating noop 
always noop { 
rcode = "noop" 
simulcount = 0 
mpp = no 
} 
Module: Instantiating authorized_macs 
files authorized_macs { 
usersfile = "/etc/freeradius/authorized_macs" 
compat = "no" 
key = "%{Calling-Station-ID}" 
} 
Module: Instantiating reject 
always reject { 
rcode = "reject" 
simulcount = 0 
mpp = no 
} 
Module: Checking preacct {...} for more modules to load 
Module: Linked to module rlm_acct_unique 
Module: Instantiating acct_unique 
acct_unique { 
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" 
} 
Module: Checking accounting {...} for more modules to load 
Module: Linked to module rlm_detail 
Module: Instantiating detail 
detail { 
detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" 
header = "%t" 
detailperm = 384 
dirperm = 493 
locking = no 
log_packet_header = no 
} 
Module: Instantiating attr_filter.accounting_response 
attr_filter attr_filter.accounting_response { 
attrsfile = "/etc/freeradius/attrs.accounting_response" 
key = "%{User-Name}" 
} 
Module: Checking session {...} for more modules to load 
Module: Checking post-proxy {...} for more modules to load 
Module: Checking post-auth {...} for more modules to load 
} # modules 
} # server 
radiusd: #### Opening IP addresses and Ports #### 
listen { 
type = "auth" 
ipaddr = * 
port = 0 
} 
listen { 
type = "acct" 
ipaddr = * 
port = 0 
} 
Listening on authentication address * port 1812 
Listening on accounting address * port 1813 
Listening on proxy address * port 1814 
Ready to process requests. 
rad_recv: Access-Request packet from host 10.1.0.66 port 1520, id=0, length=198 
Message-Authenticator = 0x8e5270705f13e5bf4d6bf9b89ee8b33b 
Service-Type = Framed-User 
User-Name = "aaron" 
Framed-MTU = 1488 
Called-Station-Id = "40-01-C6-DD-CB-40:test-2.4GHz" 
Calling-Station-Id = "00-14-A4-1E-FF-B6" 
NAS-Identifier = "Access-Point-22" 
NAS-Port-Type = Wireless-802.11 
Connect-Info = "CONNECT 54Mbps 802.11g" 
EAP-Message = 0x0200000a016161726f6e 
NAS-IP-Address = 10.1.0.66 
NAS-Port = 1 
NAS-Port-Id = "STA port # 1" 
+- entering group authorize {...} 
++[preprocess] returns ok 
++- entering policy rewrite_calling_station_id {...} 
+++? if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) 
? Evaluating (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE 
+++? if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE 
+++- entering if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {...} 
WARNING: Unknown module "tolower" in string expansion "%" 
++++[request] returns ok 
+++- if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) returns ok 
+++ ... skipping else for request 0: Preceding "if" was taken 
++- policy rewrite_calling_station_id returns ok 
[authorized_macs] expand: %{Calling-Station-ID} -> 
++[authorized_macs] returns noop 
++? if (!ok) 
? Evaluating !(ok) -> TRUE 
++? if (!ok) -> TRUE 
++- entering if (!ok) {...} 
+++[reject] returns reject 
++- if (!ok) returns reject 
Using Post-Auth-Type Reject 
+- entering group REJECT {...} 
[attr_filter.access_reject] expand: %{User-Name} -> aaron 
attr_filter: Matched entry DEFAULT at line 11 
++[attr_filter.access_reject] returns updated 
Delaying reject of request 0 for 1 seconds 
Going to the next request 
Waking up in 0.9 seconds. 
Sending delayed reject for request 0 
Sending Access-Reject of id 0 to 10.1.0.66 port 1520 
Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 10.1.0.66 port 1522, id=0, length=198 
Message-Authenticator = 0x770f506840dc4d2173ef986496b52844 
Service-Type = Framed-User 
User-Name = "aaron" 
Framed-MTU = 1488 
Called-Station-Id = "40-01-C6-DD-CB-40:test-2.4GHz" 
Calling-Station-Id = "00-14-A4-1E-FF-B6" 
NAS-Identifier = "Access-Point-22" 
NAS-Port-Type = Wireless-802.11 
Connect-Info = "CONNECT 54Mbps 802.11g" 
EAP-Message = 0x0200000a016161726f6e 
NAS-IP-Address = 10.1.0.66 
NAS-Port = 1 
NAS-Port-Id = "STA port # 1" 
+- entering group authorize {...} 
++[preprocess] returns ok 
++- entering policy rewrite_calling_station_id {...} 
+++? if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) 
? Evaluating (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE 
+++? if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE 
+++- entering if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {...} 
WARNING: Unknown module "tolower" in string expansion "%" 
++++[request] returns ok 
+++- if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) returns ok 
+++ ... skipping else for request 1: Preceding "if" was taken 
++- policy rewrite_calling_station_id returns ok 
[authorized_macs] expand: %{Calling-Station-ID} -> 
++[authorized_macs] returns noop 
++? if (!ok) 
? Evaluating !(ok) -> TRUE 
++? if (!ok) -> TRUE 
++- entering if (!ok) {...} 
+++[reject] returns reject 
++- if (!ok) returns reject 
Using Post-Auth-Type Reject 
+- entering group REJECT {...} 
[attr_filter.access_reject] expand: %{User-Name} -> aaron 
attr_filter: Matched entry DEFAULT at line 11 
++[attr_filter.access_reject] returns updated 
Delaying reject of request 1 for 1 seconds 
Going to the next request 
Waking up in 0.9 seconds. 
Sending delayed reject for request 1 
Sending Access-Reject of id 0 to 10.1.0.66 port 1522 
Waking up in 3.5 seconds. 
Cleaning up request 0 ID 0 with timestamp +16 
Waking up in 1.4 seconds. 
Cleaning up request 1 ID 0 with timestamp +17 
Ready to process requests. 
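The normalization the policy above is meant to perform, as an added Python example (not from the original post or from FreeRADIUS): it applies the same six-pair regular expression, lowercases and dash-joins the captured groups, and checks the result against entries parsed from a constructed authorized_macs file in the users-file layout the Mac-Auth guide uses, showing why the upper-case value in the log fails a literal lookup. The file contents and the helper names are assumptions.

```python
import re

# Same pattern the policy.conf rewrite uses: six hex pairs, optional "-" or ":"
# between them, case-insensitive. re.search mirrors the policy's =~ match, which
# ignores anything after the sixth pair (e.g. an ":SSID" suffix).
MAC_RE = re.compile(
    r"([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})"
    r"[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})",
    re.IGNORECASE,
)


def normalize_mac(calling_station_id):
    """Return the MAC as lower-case, dash-separated (the form the policy
    writes back with %{tolower:%{1}-%{2}-...}), or None when the value
    contains no MAC (the policy's "else noop" branch)."""
    m = MAC_RE.search(calling_station_id)
    if m is None:
        return None
    return "-".join(group.lower() for group in m.groups())


def load_authorized_macs(text):
    """Parse an authorized_macs file in rlm_files "users" syntax: each entry
    starts on a non-indented line whose first token is the key (the MAC);
    indented lines are reply attributes and comments are skipped."""
    macs = set()
    for line in text.splitlines():
        if not line or line[0].isspace() or line.lstrip().startswith("#"):
            continue
        macs.add(line.split()[0])
    return macs


def is_authorized(calling_station_id, authorized, normalize=True):
    """The users-file key is compared literally, so without normalization the
    result depends on the exact format each access point sends."""
    key = normalize_mac(calling_station_id) if normalize else calling_station_id
    return key is not None and key in authorized


# Constructed sample file (hypothetical entries) in the guide's layout.
SAMPLE_AUTHORIZED_MACS = """\
# constructed example entries
00-14-a4-1e-ff-b6
        Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized"
aa-bb-cc-dd-ee-ff
"""

if __name__ == "__main__":
    entries = load_authorized_macs(SAMPLE_AUTHORIZED_MACS)
    # First value is the Calling-Station-Id from the Access-Request in the log.
    for raw in ("00-14-A4-1E-FF-B6", "00:14:a4:1e:ff:b6", "0014A41EFFB6", "not-a-mac"):
        print(raw, "->", normalize_mac(raw),
              "| literal:", is_authorized(raw, entries, normalize=False),
              "| normalized:", is_authorized(raw, entries))
```

Note that in the log above the authorized_macs key expands to an empty string after the failed "tolower" expansion, so the lookup can never match regardless of case.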

