How to use rewrite.called_station_id IN dynamic clients authorize section

Alan DeKok aland at
Thu Mar 26 14:49:34 CET 2015

On Mar 26, 2015, at 8:36 AM, James Wood <james.wood at> wrote:
> I would love to, but it is not under our control. As a hotspot provider,
> that supplies tens of thousands of customers around the world, all using
> different IP addresses (that change), we simply cannot use the normal way of
> auth via the source IP. We do not own the customers (NAS) equipment, or have
> control over it, so we can't make them VPN all traffic to us or other way.
> This is why we're having to auth on Called-Station-Id instead of IP Address.

  I’m always surprised at just how *terrible* networks are.  There is simply no reason for WiFi access points to talk directly to your RADIUS server.  They should instead talk to to a local RADIUS server.  That RADIUS server should deal with local IP changes.  It should have a static IP to talk to your RADIUS server.

> If you can think of a better way, please advise.

  TBH, I’m not sure there is one.  I have serious issues with butchering the FreeRADIUS source to deal with broken networks.

> My original question remains, how can the module rewrite.called_station_id
> be used with a dynamic client setup? At the moment it does not work, so is
> that a bug, problem with my code, or something else?

  In v3, you can manually unpack binary attributes.  But rlm_raw won’t work there.

  You’ll have to write your own module for v2.

  Alan DeKok.

More information about the Freeradius-Users mailing list