Slight issue after having migrated to v3.0.10 from v2.5

Bertalan Voros bertalan.voros at gmail.com
Thu Nov 5 18:28:58 CET 2015


It was staring me in the eye.
                if (!"%{sql_mac:SELECT COUNT(*) FROM arguswifi.macaddress WHERE mac = '%{Calling-Station-ID}'}" == 1) {
                        reject
                }



On Thu, 5 Nov 2015 at 16:54 Bertalan Voros <bertalan.voros at gmail.com> wrote:

> Hello All,
>
> I have just migrated our existing v2.5 server's config to a new one using
> the most recent stable version.
>
> The migration was done by editing each configuration file one by one, none
> of the files were directly copied.
>
> All is well, everything appears to be working as expected apart from one
> slight problem.
>
> There is a mac address check in the Authorize section that doesn't seem to
> take effect any more. Nobody gets rejected.
>
> Code and debug log below. I know it might be staring me in the eye but I
> have been unable to find what could be causing it.
>
> Code:
>         if (Called-Station-ID =~ /:SSID-Here$/) {
>                 rewrite_calling_station_id
>                 if(!"%{sql_mac:SELECT COUNT(*) FROM wifi.macaddress WHERE mac = '%{Calling-Station-ID}' = 1}"){
>                         reject
>                 }
>         }
>
> Debug log:
> (991) Received Access-Request Id 39 from 10.x.x.x:40001 to 10.11.0.83:1812
> length 170
> (991)   User-Name = "Nexus7xx"
> (991)   NAS-IP-Address =
> (991)   NAS-Port = 0
> (991)   Called-Station-Id = "02-18-4A-14-82-B0:SSID-Here"
> (991)   Calling-Station-Id = "BC-EE-7B-A3-6D-D9"
> (991)   Framed-MTU = 1400
> (991)   NAS-Port-Type = Wireless-802.11
> (991)   Connect-Info = "CONNECT 0Mbps 802.11b"
> (991)   EAP-Message = 0x02b800061900
> (991)   State = 0xc63b617ec58378d04d8f1ca50d306f26
> (991)   Message-Authenticator = 0x16faf8f9d4f9b38c39415aee
> (991) session-state: No cached attributes
> (991) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (991)   authorize {
> (991)     policy filter_username {
> (991)       if (!&User-Name) {
> (991)       if (!&User-Name)  -> FALSE
> (991)       if (&User-Name =~ / /) {
> (991)       if (&User-Name =~ / /)  -> FALSE
> (991)       if (&User-Name =~ /@.*@/ ) {
> (991)       if (&User-Name =~ /@.*@/ )  -> FALSE
> (991)       if (&User-Name =~ /\.\./ ) {
> (991)       if (&User-Name =~ /\.\./ )  -> FALSE
> (991)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (991)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (991)       if (&User-Name =~ /\.$/)  {
> (991)       if (&User-Name =~ /\.$/)   -> FALSE
> (991)       if (&User-Name =~ /@\./)  {
> (991)       if (&User-Name =~ /@\./)   -> FALSE
> (991)     } # policy filter_username = notfound
> (991)     [preprocess] = ok
> (991)     if (Called-Station-ID =~ /:SSID-Here$/) {
> (991)     if (Called-Station-ID =~ /:SSID-Here$/)  -> TRUE
> (991)     if (Called-Station-ID =~ /:SSID-Here$/)  {
> (991)       policy rewrite_calling_station_id {
> (991)         if (Calling-Station-Id =~
> /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
> (991)         if (Calling-Station-Id =~
> /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
> -> TRUE
> (991)         if (Calling-Station-Id =~
> /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
> {
> (991)           update request {
> (991)             EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
> (991)                --> bc-ee-7b-a3-6d-d9
> (991)             Calling-Station-Id := bc-ee-7b-a3-6d-d9
> (991)           } # update request = noop
> (991)         } # if (Calling-Station-Id =~
> /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
> = noop
> (991)         ... skipping else for request 991: Preceding "if" was taken
> (991)       } # policy rewrite_calling_station_id = noop
> (991)       if (!"%{sql_mac:SELECT COUNT(*) FROM wifi.macaddress WHERE mac
> = '%{Calling-Station-ID}' = 1}"){
> rlm_sql (sql_mac): Reserved connection (13)
> (991)       Executing select query: SELECT COUNT(*) FROM wifi.macaddress
> WHERE mac = 'bc-ee-7b-a3-6d-d9' = 1
> rlm_sql (sql_mac): Released connection (13)
> (991)       EXPAND %{sql_mac:SELECT COUNT(*) FROM wifi.macaddress WHERE
> mac = '%{Calling-Station-ID}' = 1}
> (991)          --> 0
> (991)       if (!"%{sql_mac:SELECT COUNT(*) FROM wifi.macaddress WHERE mac
> = '%{Calling-Station-ID}' = 1}") -> FALSE
> (991)     } # if (Called-Station-ID =~ /:SSID-Here$/)  = noop
> (991)     [mschap] = noop
> (991)     if (!EAP-Message) {
> (991)     if (!EAP-Message)  -> FALSE
> (991) eap: Peer sent EAP Response (code 2) ID 184 length 6
> (991) eap: Continuing tunnel setup
> (991)     [eap] = ok
> (991)   } # authorize = ok
>
>
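
A check for the fail-open pattern visible in the debug log above, as an added example that is not part of the original thread or of FreeRADIUS: it scans debug output for a negated condition whose whole body is one quoted expansion, where the expansion came back as 0 and the condition still evaluated FALSE, so the reject was skipped. The sample lines are request 991 from the log with the e-mail line wraps joined; the function name and regular expressions are this example's own.

```python
import re

# Constructed sample: request 991 from the debug log above, with the
# e-mail line wraps joined back into single lines.
SAMPLE_LOG = """\
(991)     if (Called-Station-ID =~ /:SSID-Here$/)  -> TRUE
(991)       EXPAND %{sql_mac:SELECT COUNT(*) FROM wifi.macaddress WHERE mac = '%{Calling-Station-ID}' = 1}
(991)          --> 0
(991)       if (!"%{sql_mac:SELECT COUNT(*) FROM wifi.macaddress WHERE mac = '%{Calling-Station-ID}' = 1}") -> FALSE
(991)     [mschap] = noop
"""

EXPAND = re.compile(r'^\((\d+)\)\s+EXPAND (.+)$')
VALUE = re.compile(r'^\((\d+)\)\s+--> ?(.*)$')
# A negated condition whose whole body is one double-quoted string,
# i.e. nothing is compared outside the quotes.
BARE_NOT = re.compile(r'^\((\d+)\)\s+if \(!"(.+)"\)\s+-> (TRUE|FALSE)$')


def find_fail_open(log_text):
    """Return (request_id, expansion) for each negated bare-string test
    that evaluated FALSE although its expansion came back as 0."""
    findings = []
    expansions = {}   # (request id, expansion text) -> expanded value
    pending = None    # EXPAND line still waiting for its "-->" line
    for line in log_text.splitlines():
        m = EXPAND.match(line)
        if m:
            pending = (m.group(1), m.group(2).strip())
            continue
        m = VALUE.match(line)
        if m and pending and pending[0] == m.group(1):
            expansions[pending] = m.group(2).strip()
            pending = None
            continue
        m = BARE_NOT.match(line)
        if m:
            key = (m.group(1), m.group(2))
            if m.group(3) == "FALSE" and expansions.get(key) == "0":
                findings.append(key)
    return findings


if __name__ == "__main__":
    for request_id, expansion in find_fail_open(SAMPLE_LOG):
        print(f"request {request_id}: count 0 but reject skipped: {expansion}")
```
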

