modify NAS-Port in incoming messages
Volodymyr Litovka
doka at funlab.cc
Mon Dec 26 18:32:23 UTC 2022
Hi Alan,
On 26.12.2022 15:26, Alan DeKok wrote:
> You can rewrite the NAS-Port to any value you want. But that rewrite has to make sense, and has to follow the documentation on how the server works.
>
> The problem here is that StrongSwan is sending the server garbage data, and you're trying to figure out a way to "fix" it in FreeRADIUS. While this might work sometimes, it's not really a long-term solution. The correct fix is to make StrongSwan behave properly.
Yes, of course, I will talk to the StrongSwan developers as well, but at the
moment the fastest way is to use FreeRADIUS to do the job.
> I'd suggest this:
>
> preacct {
>     update request {
>         Tmp-Octets-0 := "%{md5:%{Acct-Session-ID}%{User-Name}}"
>         NAS-Port := %{integer:Tmp-Octets-0}
>     }
>
> ...
I tried with this:
    update request {
        Tmp-Octets-0 := "%{md5:%{Acct-Session-ID}}"
        NAS-Port := "%{integer:Tmp-Octets-0}"
    }
and received the following error: "ERROR: Type 'octets' of length 32
cannot be converted to integer", which is correct because md5 produces
128 bits while the documentation says that integer operates with 64-bit
values, but this code:
    update request {
        Tmp-Octets-0 := "%{md5:%{Acct-Session-ID}}"
        Tmp-Octets-1 := "%{lpad:&Tmp-Octets-0 19}"
        NAS-Port := "%{integer:Tmp-Octets-1}"
    }
does the job - it truncates the md5 hash to a 64-bit representation which can
be converted to an integer. The result is:
    root@vpn01:/etc/freeradius/3.0# radwho -r
    doka,doka,shell,S859124016,Mon 17:40,xxx.xxx.xx.xx,100.100.2.1
Thanks, Alan, for the quick help! Much appreciated!
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
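
Added example (not part of the original message and not FreeRADIUS code): a Python sketch of the idea discussed in this thread, deriving NAS-Port from an MD5 of Acct-Session-Id, together with the birthday-bound collision estimate that matters if session tracking is keyed on NAS-Port (an assumption here). The function names and sample session IDs are constructed; the sketch assumes the 4-octet NAS-Port of RFC 2865 and keeps the leading bits of the digest, which does not model how the server's own lpad/integer expansions truncate.

```python
import hashlib
import math

NAS_PORT_BITS = 32  # NAS-Port is a 4-octet integer attribute (RFC 2865)


def derive_nas_port(acct_session_id, user_name="", bits=NAS_PORT_BITS):
    """Hash the session identifiers and keep the leading `bits` bits as an integer."""
    digest = hashlib.md5((acct_session_id + user_name).encode()).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)


def collision_probability(sessions, bits=NAS_PORT_BITS):
    """Birthday bound: chance that any two of `sessions` sessions share a derived port."""
    space = 2 ** bits
    return -math.expm1(-sessions * (sessions - 1) / (2 * space))


def find_collisions(session_ids, bits=NAS_PORT_BITS):
    """Return {port: [session ids]} for every derived port claimed more than once."""
    seen = {}
    for sid in session_ids:
        seen.setdefault(derive_nas_port(sid, bits=bits), []).append(sid)
    return {port: ids for port, ids in seen.items() if len(ids) > 1}


if __name__ == "__main__":
    # Constructed sample: 5000 concurrent sessions with made-up session IDs.
    sample = ["constructed-session-%d" % i for i in range(5000)]
    for bits in (16, 32):
        clashes = find_collisions(sample, bits)
        print("%2d-bit port: estimated P(collision)=%.4f, observed clashing ports=%d"
              % (bits, collision_probability(len(sample), bits), len(clashes)))
```

A colliding pair of sessions would map to the same derived port, so the width of the value that finally lands in NAS-Port decides how many concurrent sessions the workaround can carry safely.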