rewrite User-Name in received Access-Request - tough question :)

Bojan Pogacar bojan at
Sun Oct 28 09:45:03 CET 2012


This is my first post on this mailing list. I hope someone can give me 
an advice over my problem that I am solving over a month. I even bought 
a book about freeradius and after reading it twice there is not an 
answer to my problem.

I run a captive portal for wireless users with radius and all data 
stored in MySQL database. Majority of users type username and password 
in captive portal to get access and a few others are automatically 
authenticated by their MAC address (as username ) and predefined 
password (macauth feature in CoovaChilli) and those never see a captive 
portal, they immediately get access as they connect to the network. 
Those users don't have any bandwidth limits, all other useres do have.

So far so good.

Then they wanted me to change login procedure. All users would get free 
access for 30 minutes per day and they don't have to login through 
captive portal. After 30 minutes, captive portal would open and user 
would have to login with some coupone to connect to the internet.

I've solved this by writing these two lines in file "hints"

DEFAULT User-Name =~ 
        User-Name := "freeinternetfor30minutes"

It worked very well except all users previously authenticated by MAC 
address didn't get theis own profiles, but they got logged in as 
"freeinternetfor30minutes" with bandwidth limitations.

OK, that was logical, I deleted those two lines and wrote some unlung 
logic to the "sites-available/default"

         if(notfound){ #if user not in database
                 update reply {
                     Reply-Message := "Wrong username or password"
		# if username was MAC address, try to login as "freeinternetfor30minutes"

                 if (User-Name 
                         update reply {
                                 Reply-Message := "Hello Guest, I'will 
try to give you 30 minutes for free, if you didn't allready used it."

                         update request{
                                 User-Name := "freeinternetfor30minutes"

                         update control {
                                 Auth-Type := "Accept"

                else {
                       ok = reject

That is working fine, users can connect to the network, BUT accounting 
section logges their username in database as original MAC address, not 
rewritted username freeinternetfor30minutes . Also no bandwidth 
limitations arn't sent with Access-Accept, but I think that could be 
solved easyly.

I've also tries to use module "attr_rewrite". I wrote those lines of 
code to "modules/attr_rewrite"

attr_rewrite rewrite_user {
         attribute = User-Name
         # may be "packet", "reply", "proxy", "proxy_reply" or "config"
         searchin = packet
         searchfor = "%{User-Name}"
         replacewith = "freeinternetfor30minutes"
         ignore_case = no
         new_attribute = no
         max_matches = 10
         append = no

and unhashed rewrite_user in "sites-available/default". I see that 
rewriting does happen, BUT then
update control {
	Auth-Type := "Accept"

seems to stop working even if I put rewrite_user before "update control" 
AND also in accounting section User-Name is still MAC address, not 
rewritten username.

I am stuck now, without any idea. Can anyone tell me, is this even 
possible what I am trying to do and if so, what path should I take.

Would it be possible to create new virtual server and pass rewritten 
username to that virtual server, which would try to login as 

THANK YOU for your help!

Best Regards, Bojan

More information about the Freeradius-Users mailing list