rewrite User-Name in received Access-Request - tough question :)
Bojan Pogacar
bojan at gajba.net
Sun Oct 28 09:45:03 CET 2012
Hello!
This is my first post on this mailing list. I hope someone can give me
some advice on a problem that I have been trying to solve for over a
month. I even bought a book about freeradius, and after reading it twice
there is still no answer to my problem.
I run a captive portal for wireless users with radius and all data
stored in MySQL database. Majority of users type username and password
in captive portal to get access and a few others are automatically
authenticated by their MAC address (as username ) and predefined
password (macauth feature in CoovaChilli) and those never see a captive
portal, they immediately get access as they connect to the network.
Those users don't have any bandwidth limits, all other users do.
So far so good.
Then they wanted me to change login procedure. All users would get free
access for 30 minutes per day and they don't have to login through
captive portal. After 30 minutes, captive portal would open and user
would have to login with some coupon to connect to the internet.
I've solved this by writing these two lines in file "hints":

    DEFAULT User-Name =~ "^[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}$"
            User-Name := "freeinternetfor30minutes"

It worked very well except all users previously authenticated by MAC
address didn't get their own profiles, but they got logged in as
"freeinternetfor30minutes" with bandwidth limitations.
OK, that was logical, I deleted those two lines and wrote some unlang
logic to the "sites-available/default":

    if (notfound) {  # if user not in database
        update reply {
            Reply-Message := "Wrong username or password"
        }
        # if username was MAC address, try to login as "freeinternetfor30minutes"
        if (User-Name =~ /^([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})$/i) {
            update reply {
                Reply-Message := "Hello Guest, I'will try to give you 30 minutes for free, if you didn't allready used it."
            }
            update request {
                User-Name := "freeinternetfor30minutes"
            }
            update control {
                Auth-Type := "Accept"
            }
        }
        else {
            ok = reject
        }
        #rewrite_user
    }

That is working fine, users can connect to the network, BUT the accounting
section logs their username in the database as the original MAC address, not
the rewritten username freeinternetfor30minutes. Also, the bandwidth
limitations aren't sent with Access-Accept, but I think that could be
solved easily.
I've also tried to use the module "attr_rewrite". I wrote these lines of
code to "modules/attr_rewrite":

    attr_rewrite rewrite_user {
        attribute = User-Name
        # may be "packet", "reply", "proxy", "proxy_reply" or "config"
        searchin = packet
        searchfor = "%{User-Name}"
        replacewith = "freeinternetfor30minutes"
        ignore_case = no
        new_attribute = no
        max_matches = 10
        append = no
    }

and unhashed rewrite_user in "sites-available/default". I see that
rewriting does happen, BUT then

    update control {
        Auth-Type := "Accept"
    }

seems to stop working even if I put rewrite_user before "update control"
AND also in accounting section User-Name is still MAC address, not
rewritten username.
I am stuck now, without any idea. Can anyone tell me, is what I am
trying to do even possible, and if so, what path should I take?
Would it be possible to create a new virtual server and pass the rewritten
username to that virtual server, which would try to login as
"freeinternetfor30minutes"?
THANK YOU for your help!
Best Regards, Bojan
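
Added example, not part of the original post and not FreeRADIUS code: a small Python model of the two rule orderings described in the message. It shows why rewriting every MAC-format User-Name before the database lookup hides the per-MAC profiles, while rewriting only after a not-found result keeps them. The user table, profile names and function names are constructed for illustration.

```python
import re

# MAC-format User-Name as sent for MAC authentication (AA-BB-CC-DD-EE-FF).
MAC_RE = re.compile(r"^[0-9A-F]{2}(-[0-9A-F]{2}){5}$", re.IGNORECASE)
GUEST = "freeinternetfor30minutes"

# Constructed sample user table: a coupon user, a known MAC with its own
# profile, and the shared guest account.
USERS = {
    "alice": "limited",
    "00-11-22-AA-BB-CC": "unlimited",
    GUEST: "guest-30min",
}


def rewrite_before_lookup(user_name):
    """Model of the 'hints' rule: every MAC-format name is rewritten first."""
    if MAC_RE.match(user_name):
        user_name = GUEST
    profile = USERS.get(user_name)
    return (user_name, profile) if profile else (user_name, "reject")


def fallback_after_notfound(user_name):
    """Model of the 'if (notfound)' block: look up first, rewrite unknown MACs."""
    profile = USERS.get(user_name)
    if profile:
        return user_name, profile
    if MAC_RE.match(user_name):
        return GUEST, USERS[GUEST]
    return user_name, "reject"


if __name__ == "__main__":
    # Constructed inputs: coupon user, known MAC, unknown MAC, unknown name.
    for name in ("alice", "00-11-22-AA-BB-CC", "DE-AD-BE-EF-00-01", "bob"):
        print(f"{name:20} before={rewrite_before_lookup(name)} "
              f"after={fallback_after_notfound(name)}")
```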