Compare request:Calling-Station-Id with control:Calling-Station-Id
Alan DeKok
aland at deployingradius.com
Fri Nov 21 17:14:43 CET 2014
Stabla, Daniel wrote:
> The debug output (generated with radiusd -X ) says "everything" is fine.
Uh... no.
> Maybe you will see an error/mistake anywhere:
I'm curious to know. Did you read it?
Because I don't think you did. I think you looked for
Calling-Station-Id, and ignored everything else.
> (0) Received Access-Request packet from host 192.168.0.1 port 3072,
> id=168, length=200
> (0) User-Name = 'dstabla'
> (0) Service-Type = Framed-User
> (0) NAS-IP-Address = 192.168.0.1
> (0) NAS-Port = 1
> (0) NAS-Port-Id = '1'
> (0) Called-Station-Id = 'XX-XX-XX-XX-XX-XX:WLAN TEST'
> (0) Calling-Station-Id = '11-22-33-44-55-66'
> (0) Connect-Info = 'CONNECT 144 Mbps 802.11g/n'
> (0) NAS-Identifier = 'wpa'
> (0) NAS-Port-Type = Wireless-802.11
> (0) Framed-MTU = 1500
> (0) EAP-Message = 0x0201000f015a445c64737461626c61
> (0) Message-Authenticator = 0x8e155265de6f1dee6dbfd87f96ab73af
> (0) # Executing section authorize from file
> /tmp/test/etc/raddb/sites-enabled/default
> (0) authorize {
So... it starts reading the "authorize" section.
> (0) EXPAND %{control:Calling-Station-Id}
> (0) --> #<=============================== missing,
> should be known from radius-station-ids
> (0) EXPAND %{control:NAS-Identifier}
> (0) --> #<=============================== missing,
> should be known from radius-station-ids
> (0) EXPAND %{request:Calling-Station-Id}
> (0) --> 11-22-33-44-55-66
> (0) if (&request:Calling-Station-Id == &control:Calling-Station-Id)
And checks *immediately* for control:Calling-Station-Id.
So... where does control:Calling-Station-Id come from?
Not from the "users" file. You've put that check in "authorize"
*before* the users file is read.
If you had *read* the debug output, it should have been obvious that
it wasn't reading the "users" file. (Or wherever you put the entries to
set control:Calling-Station-Id.)
And for working in v2... the reason it works there is that the
"authorize" section is different. When you moved this to 3.0, you
didn't re-use the same (or similar) authorize section. Instead, you
re-wrote it, and re-arranged things.
And that's why it doesn't work.
Alan DeKok.
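
Added example, not part of the original message or of anyone's actual configuration: the ordering problem described above, shown as two alternative v3 "authorize" sections. It assumes the stock "files" module (the "users" file) is what sets control:Calling-Station-Id; the users entry and the fail-closed "reject" policy are constructed for illustration.

```unlang
# Constructed "users" entry (assumption): ":=" on the check line puts the
# value into the control list when the entry matches.
#   dstabla  Calling-Station-Id := "11-22-33-44-55-66"

# --- Order seen in the debug output (does not work) ---------------------
# The condition is evaluated before any module has populated the control
# list, so %{control:Calling-Station-Id} expands to an empty string and
# the comparison can never be true.
authorize {
    if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
        ok      # placeholder action; the body is not shown in the post
    }
    files       # control:Calling-Station-Id is only set here, too late
    # (other modules omitted)
}

# --- Corrected order (use instead of the section above) -----------------
# Run the module that sets the control attribute first, then compare.
# Treat a missing control attribute as a failure so that a user without
# an entry is not silently accepted (assumed policy).
authorize {
    files
    if (!&control:Calling-Station-Id || \
        (&request:Calling-Station-Id != &control:Calling-Station-Id)) {
        reject
    }
    # (other modules omitted)
}
```

With the corrected order, `radiusd -X` should show the files module running before the EXPAND line for %{control:Calling-Station-Id}, and that expansion should no longer be empty.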