How to use rewrite.called_station_id IN dynamic clients authorize section

Thu Mar 26 15:27:33 CET 2015

2015-03-26 14:36 GMT+01:00 James Wood <james.wood at purplewifi.com>:
> Adam,
>
> I would love to, but it is not under our control. As a hotspot provider,
> that supplies tens of thousands of customers around the world, all using
> different IP addresses (that change), we simply cannot use the normal way of
> auth via the source IP. We do not own the customers (NAS) equipment, or have
> control over it, so we can't make them VPN all traffic to us or other way.
> This is why we're having to auth on Called-Station-Id instead of IP Address.

Does that mean that you neither supply nor enforce a list of accepted
devices but that customers can use any wifi AP they want? What if one
of these devices doesn't send a Called-Station-Id at all or uses the
MAC of the supplicant (which should be Calling-Station-Id) for the
Called-Station-Id? Do you then disallow the usage of that NAS or do
you try to modify your Radius to also accept these NAS data too?

My NAS all have static IPs, all supplicants have dynamic IPs, however
(yet) my Radius doesn't check for IPs but only for Called-Station-Id,
Called-Station-Ssid and Calling-Station-Id so it would work in a
complete dynamic ip setup too.

> If you can think of a better way, please advise.

1) Don't use unlang (if () {} ...) in the server configurations.
Instead simply call a policy (eg. policy.sanitize_called-station-id)
and do all the if then else stuff in that policy itself. It keeps your
server config clean and you can easily disable a policy without having
to comment out or delete plenty of lines.

2) Sanitize all informations you get as soon as possible so that you
don't have to tweak over and over again for subsequent checks you may
be doing in the future.

> My original question remains, how can the module rewrite.called_station_id
> be used with a dynamic client setup? At the moment it does not work, so is
> that a bug, problem with my code, or something else?

# sites-enabled/something
server something {
...
authorize {
policy.sanitize_called-station-id
...
}
...
}

# policy.conf
mac-addr-regexp =
'([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})'

policy.sanitize_called-station-id {
        if (&Called-Station-Id && (&Called-Station-Id =~
/^${policy.mac-addr-regexp}([^0-9a-f](.+))?$/i)) {
                update request {
                        &Called-Station-Id :=
"%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
                }
                updated
        }
        else {
                noop
        }
}

That's it. As I wrote in my previous email that regex is the standard
in the freeradius source 3.0.7 and as well in the old 2.1.12 debian
package and it matches variants of the following:

00-11-22-33-44-55
00-11-22-33-44-55:SSID

Also the delimiter can be anything except 0-9 or a-f so even
00Z11=22$33(44)55 (and for sure 001122334455) would be sanitized to
00-11-22-33-44-55. In my setup I also use Called-Station-Ssid but you
don't use it in your setup I just removed the lines. Regardless of if
a customers NAS sends the SSID suffixed to the mac address or not, the
Called-Station-Id will always gets rewritten to 00-11-22-33-44-55 and
the maybe attched SSID gets dropped.

If you want to know why your current setup is not working, send your
policy.conf to me (not the list). Maybe someone "improved" your regex
and that's why it's not matching and thus not rewriting :)

Best regards,

Ben