modify NAS-Port in incoming messages

Volodymyr Litovka doka at
Mon Dec 26 18:32:23 UTC 2022

Hi Alan,

On 26.12.2022 15:26, Alan DeKok wrote:
>    You can rewrite the NAS-Port to any value you want.  But that rewrite has to make sense, and has to follow the documentation on how the server works.
>    The problem here is that StrongSwan is sending the server garbage data, and you're trying to figure out a way to "fix" it in FreeRADIUS.  While this might work sometimes, it's not really a long-term solution.  The correct fix is to make StrongSwan behave properly.

Yes, of course, I will talk to the StrongSwan developers as well, but at the 
moment the fastest way is to use FreeRADIUS to do the job.

>    I'd suggest this:
> preacct {
> 	update request {
> 		Tmp-Octets-0 := "%{md5:%{Acct-Session-ID}%{User-Name}}"
> 		NAS-Port := %{integer:Tmp-Octets-0}
> 	}
> 	...

I tried with this:

         update request {
                 Tmp-Octets-0 := "%{md5:%{Acct-Session-ID}}"
                 NAS-Port := "%{integer:Tmp-Octets-0}"
         }

and received the following error: "ERROR: Type 'octets' of length 32 
cannot be converted to integer", which is correct because md5 produces 
128 bits while the documentation says that integer operates with 64-bit 
values. But this code:

         update request {
                 Tmp-Octets-0 := "%{md5:%{Acct-Session-ID}}"
                 Tmp-Octets-1 := "%{lpad:&Tmp-Octets-0 19}"
                 NAS-Port := "%{integer:Tmp-Octets-1}"
         }

does the job - it truncates the md5 hash to a 64-bit representation which can 
be converted to integer. The result is:

root@vpn01:/etc/freeradius/3.0# radwho -r
doka,doka,shell,S859124016,Mon 17:40,,

Thanks, Alan, for the quick help! Much appreciated!

Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison
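
Added example, not part of the original message and not FreeRADIUS code: a Python sketch of the approach discussed in this thread, deriving a NAS-Port from an MD5 of Acct-Session-ID and User-Name, with an estimate of how often two sessions would land on the same port. The function names, the choice of keeping the top 32 bits of the digest (NAS-Port is a four-octet value), and the sample session IDs are assumptions; the numbers it produces are not the ones `%{integer:...}` returns.

```python
import hashlib
import math
from collections import defaultdict


def derive_nas_port(session_id: str, user_name: str = "", bits: int = 32) -> int:
    """Hash the session identity and keep the top `bits` bits as the port."""
    digest = hashlib.md5((session_id + user_name).encode()).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)


def collision_probability(sessions: int, bits: int = 32) -> float:
    """Birthday-bound estimate that at least two of `sessions` share a port."""
    return 1.0 - math.exp(-sessions * (sessions - 1) / 2 ** (bits + 1))


def find_collisions(records, bits: int = 32):
    """Group (session_id, user_name) pairs by derived port; return the clashes."""
    by_port = defaultdict(list)
    for session_id, user_name in records:
        port = derive_nas_port(session_id, user_name, bits)
        by_port[port].append((session_id, user_name))
    return {port: recs for port, recs in by_port.items() if len(recs) > 1}


if __name__ == "__main__":
    # Constructed sample accounting records: (Acct-Session-ID, User-Name).
    sample = [(f"sess-{i:06d}", f"user{i % 50}") for i in range(2000)]

    for session_id, user_name in sample[:3]:
        print(session_id, user_name, derive_nas_port(session_id, user_name))

    # Chance of a duplicate NAS-Port for a given number of live sessions.
    for n in (1_000, 10_000, 100_000):
        print(f"{n:>7} sessions: P(collision) ~ {collision_probability(n):.4f}")

    # Duplicates among the constructed sample at the full 32-bit width,
    # and at a 16-bit width where clashes are guaranteed to be frequent.
    print("32-bit clashes:", len(find_collisions(sample, bits=32)))
    print("16-bit clashes:", len(find_collisions(sample, bits=16)))
```

A derived port is only as unique as its width allows, so anything that identifies a session by NAS and port can confuse two sessions once the session count makes a collision likely.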
