How to use rewrite.called_station_id IN dynamic clients authorize section

James Wood james.wood at
Thu Mar 26 09:35:35 CET 2015


We use dynamic clients + sql for our authentication of NAS devices. We also use rlm_raw because we cannot auth on the IP Address (because of not knowing all the dynamic IP's clients are coming from), so we auth on the Called-Station-Id value.

In normal circumstances this works beautifully, but when we have a NAS that sends the Called-Station-Id value as AABBCCDDEEFF with no colon or hyphen, auth fails, because in our SQL database we store the MAC like AA-BB-CC-DD-EE-FF. I already use SQL to replace colon with hyphen, but I am struggling with if it has no delimiter at all. For this particular NAS client, there is no way to change the format of the Called-Station-Id value it is sending so I need something on the FreeRadius side.

I tried using the rewrite.called_station_id module from policy.conf and whilst it does not error it doesn't rewrite the incoming Called-Station-Id to the format I require.

Here is my dynamic clients file:

client dymamic {

server dynamic_client_server {
        authorize {
                #Test to see if our required raw attribute exists
                        #Test to see if it is in the DB
                        if ("%{sql: select count(*) from nas where community=REPLACE(SUBSTRING(\"%{Called-Station-Id}\",1,17),\":\",\"-\")}" == 1) {
                                update control {

I suspect it's a problem because we are using raw:Called-Station-Id because before auth Called-Station-Id itself is not accessible.

Is it possible to just have a rewrite block in the authorize section of dynamic clients so it can rewrite the raw value there?

Thank you,


More information about the Freeradius-Users mailing list