msRADIUSFramedIPAddress AD attribute

Júlíus Þór Bess Ríkharðsson julius.bess at
Thu Jul 25 11:54:38 CEST 2013


I have put together a small python script using some VB code I found on a website. This is the conversion function:

def msRADIUSFramedIPAddress_to_IPString(msRADIUSFramedIPAddress):
        # Some code a took from:
        FOURTH_OCTET = 1
        THIRD_OCTET = 256
        SECOND_OCTET = 65536
        FIRST_OCTET = 16777216

        msRADval = msRADIUSFramedIPAddress
        intFirstMod = 0
        intSecondMod = 0
        intThirdMod = 0

        strIPList = []

        # Microsoft subtracts 4294967296 from numbers above 2147483647 to
        # make them negative to make it, sort of, unsigned.
        if(int(msRADval) < 0):
                msRADval = int(msRADval) + 4294967296

        strIPList.append(str(int(msRADval) // FIRST_OCTET))
        intFirstMod = int(msRADval) % FIRST_OCTET
        strIPList.append(str(intFirstMod // SECOND_OCTET))
        intSecondMod = intFirstMod % SECOND_OCTET
        strIPList.append(str(intSecondMod // THIRD_OCTET))
        intThirdMod = intSecondMod % THIRD_OCTET
        strIPList.append(str(intThirdMod // FOURTH_OCTET))

        return '.'.join(strIPList)

I hope someone can make use of it.

Kær kveðja / Best regards

Júlíus Þór Bess Ríkharðsson
Netsérfræðingur / Network Administrator
Nýherji Hf.
Borgartún 37 - 105 Reykjavík

+354 516 1000
Email: julius.bess at

+354 516 1600
Netsíða: at wrote: -----
To: FreeRadius users mailing list <freeradius-users at>
From: Alan DeKok 
Sent by: at
Date: 06/11/2013 04:02PM
Subject: Re: msRADIUSFramedIPAddress AD attribute

Júlíus Þór Bess Ríkharðsson wrote:
> Thanks for a truly great RADIUS server!

  It's what we do. :)

> I was wondering whether you guys have a way of dealing with Microsoft's
> strange representation of an IP address, in the msRADIUSFramedIPAddress
> attribute, to get something useful like an actual ip address? :)

  That's a hard question.  The msRADIUSFramedIPAddress is a binary
32-bit IP address.  FreeRADIUS assumes that all of the data it gets from
LDAP is printable strings.

  There's no simple way to handle this in v2.  I'd suggest writing a
short Perl script.

  This can be done in v3:

- map the LDAP attribute to a RADIUS attribute of type "octets"

	update reply {
		Framed-IP-Address = &Attribute-of-type-Octets

  And it will magically work.

  Alan DeKok.
List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list