Slight issue after having migrated to v3.0.10 from v2.5

Bertalan Voros bertalan.voros at gmail.com
Thu Nov 5 17:54:46 CET 2015


Hello All,

I have just migrated our existing v2.5 server's config to a new one using
the most recent stable version.

The migration was done by editing each configuration file one by one, none
of the files were directly copied.

All is well, everything appears to be working as expected apart from one
slight problem.

There is a MAC address check in the Authorize section that doesn't seem to
take effect any more. Nobody gets rejected.

Code and debug log below. I know it might be staring me in the eye, but I have
been unable to find what could be causing it.

Code:
        if (Called-Station-ID =~ /:SSID-Here$/) {
                rewrite_calling_station_id
                if (!"%{sql_mac:SELECT COUNT(*) FROM wifi.macaddress WHERE mac = '%{Calling-Station-ID}' = 1}") {
                        reject
                }
        }

Debug log:
(991) Received Access-Request Id 39 from 10.x.x.x:40001 to 10.11.0.83:1812 length 170
(991)   User-Name = "Nexus7xx"
(991)   NAS-IP-Address =
(991)   NAS-Port = 0
(991)   Called-Station-Id = "02-18-4A-14-82-B0:SSID-Here"
(991)   Calling-Station-Id = "BC-EE-7B-A3-6D-D9"
(991)   Framed-MTU = 1400
(991)   NAS-Port-Type = Wireless-802.11
(991)   Connect-Info = "CONNECT 0Mbps 802.11b"
(991)   EAP-Message = 0x02b800061900
(991)   State = 0xc63b617ec58378d04d8f1ca50d306f26
(991)   Message-Authenticator = 0x16faf8f9d4f9b38c39415aee
(991) session-state: No cached attributes
(991) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(991)   authorize {
(991)     policy filter_username {
(991)       if (!&User-Name) {
(991)       if (!&User-Name)  -> FALSE
(991)       if (&User-Name =~ / /) {
(991)       if (&User-Name =~ / /)  -> FALSE
(991)       if (&User-Name =~ /@.*@/ ) {
(991)       if (&User-Name =~ /@.*@/ )  -> FALSE
(991)       if (&User-Name =~ /\.\./ ) {
(991)       if (&User-Name =~ /\.\./ )  -> FALSE
(991)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(991)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(991)       if (&User-Name =~ /\.$/)  {
(991)       if (&User-Name =~ /\.$/)   -> FALSE
(991)       if (&User-Name =~ /@\./)  {
(991)       if (&User-Name =~ /@\./)   -> FALSE
(991)     } # policy filter_username = notfound
(991)     [preprocess] = ok
(991)     if (Called-Station-ID =~ /:SSID-Here$/) {
(991)     if (Called-Station-ID =~ /:SSID-Here$/)  -> TRUE
(991)     if (Called-Station-ID =~ /:SSID-Here$/)  {
(991)       policy rewrite_calling_station_id {
(991)         if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
(991)         if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE
(991)         if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
(991)           update request {
(991)             EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(991)                --> bc-ee-7b-a3-6d-d9
(991)             Calling-Station-Id := bc-ee-7b-a3-6d-d9
(991)           } # update request = noop
(991)         } # if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) = noop
(991)         ... skipping else for request 991: Preceding "if" was taken
(991)       } # policy rewrite_calling_station_id = noop
(991)       if (!"%{sql_mac:SELECT COUNT(*) FROM wifi.macaddress WHERE mac = '%{Calling-Station-ID}' = 1}"){
rlm_sql (sql_mac): Reserved connection (13)
(991)       Executing select query: SELECT COUNT(*) FROM wifi.macaddress WHERE mac = 'bc-ee-7b-a3-6d-d9' = 1
rlm_sql (sql_mac): Released connection (13)
(991)       EXPAND %{sql_mac:SELECT COUNT(*) FROM wifi.macaddress WHERE mac = '%{Calling-Station-ID}' = 1}
(991)          --> 0
(991)       if (!"%{sql_mac:SELECT COUNT(*) FROM wifi.macaddress WHERE mac = '%{Calling-Station-ID}' = 1}") -> FALSE
(991)     } # if (Called-Station-ID =~ /:SSID-Here$/)  = noop
(991)     [mschap] = noop
(991)     if (!EAP-Message) {
(991)     if (!EAP-Message)  -> FALSE
(991) eap: Peer sent EAP Response (code 2) ID 184 length 6
(991) eap: Continuing tunnel setup
(991)     [eap] = ok
(991)   } # authorize = ok

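Editor's added example (not from the post above and not FreeRADIUS project code): the poster's check beside a form that behaves as intended under v3.0. The debug log already contains the diagnosis: the expansion yields 0, yet the negated condition evaluates FALSE. In v3.0 a double-quoted expansion used bare in a condition is true whenever it expands to a non-empty string, and "0" is non-empty, so !"0" is never taken. Note also that the trailing = 1 in the post sits inside the SQL text (the "Executing select query" line shows it being sent to the database), not in the unlang comparison. The rewritten block assumes the poster's sql_mac instance and wifi.macaddress table and deliberately goes further than the post: it swaps COUNT(*) for a SELECT 1 ... LIMIT 1 that expands to an empty string when no row matches (and also when the query fails), so the comparison against "1" rejects in both cases and the check fails closed instead of open.

```unlang
        if (Called-Station-ID =~ /:SSID-Here$/) {
                # Normalises Calling-Station-Id to xx-xx-xx-xx-xx-xx (lower case,
                # dashes) before it is used in the query, as the debug log shows.
                rewrite_calling_station_id

                # BROKEN (as posted): "0" is a non-empty string, so the bare
                # string condition is TRUE and the negation is FALSE. Nobody is
                # rejected. The "= 1" is part of the SQL, not of the condition.
                #
                # if (!"%{sql_mac:SELECT COUNT(*) FROM wifi.macaddress WHERE mac = '%{Calling-Station-ID}' = 1}") {
                #         reject
                # }

                # FIXED: compare the expansion instead of testing it for
                # non-emptiness. SELECT 1 ... LIMIT 1 expands to "1" when the
                # MAC is known and to "" when it is unknown or the query fails,
                # so anything other than "1" is rejected (fail closed).
                # Hypothetical query shape, chosen by the editor.
                if ("%{sql_mac:SELECT 1 FROM wifi.macaddress WHERE mac = '%{Calling-Station-ID}' LIMIT 1}" != "1") {
                        reject
                }
        }
```

If the COUNT(*) query is kept, the equivalent test is `if ("%{sql_mac:...}" == "0")`, with the caveat that a failed query then expands to "" and is not rejected. In both forms the %{Calling-Station-ID} expansion inside the sql_mac xlat is escaped by rlm_sql according to the instance's safe_characters, and the rewrite policy has already reduced the value to hex digits and dashes, so the value reaching the database is constrained on two levels; the rewrite only runs when its regex matches, so the module's escaping is what protects the query for a Calling-Station-Id in an unexpected format.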