Authentication issues
    Alan DeKok 
    aland at deployingradius.com
       
    Fri Jun  3 14:51:57 UTC 2022
    
    
  
On Jun 3, 2022, at 10:43 AM, David le Roux <david.leroux at miller.co.uk> wrote:
>> The "invalid user" message is correct.  The MAC address in the User-Name isn't found in the "authorized_macs" list.  Note that it does its lookup by exact string match.  So check that the MAC address is listed, and has exactly the same format.
> 
> I've checked and the MAC is certainly there in lower case.
   OK, that's good.
> However I notice this in the debug:
>> (2)         update request {
>> (2)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
>> (2)              --> 08-00-0F-82-64-F0
> 
> I can't find anywhere in the config a command to make it upper case (though several "to lower"). Do I need to make my entire list upper case or am I missing a config option?
  "tolower" works instead of "toupper".  Just edit the rewrite_calling_station_id policy (policy.d/canonicalize) to use "tolower" instead of "toupper".
  Whatever you choose, you MUST choose a consistent setup.  The lookups in the "authorized_macs" list are doing an exact string match.  So you need to ensure that all of the entries are all either lowercase, or all uppercase.  And then use the rewrite_calling_station_id policy to mash the attribute in the packet to the matching case.
  Oh, and that policy is there because NAS vendors send MAC addresses in a variety of formats.  00:01:02:04:04:04, or using dashes, or just hex all mashed together.  The policy re-writes that to a sane format (00-01-03-04...).  Again, you have to ensure that the authorized_macs file contains this exact format.
  That way when you either buy a new NAS (which uses a different format), or the NAS firmware updates (and changes to a different format), you won't run into this issue again.  The policy will just automagically fix things, and it will be fine.
  Alan DeKok.
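
Added example, not part of the original message and not FreeRADIUS code: a small audit of an authorized_macs-style list that flags every key an exact string match would miss once requests are rewritten to dash-separated pairs in a single case. The function names, the sample entries and the assumed file layout (key as the first token of an unindented line) are illustrative assumptions.

```python
import re

# Six hex pairs with at most one non-hex separator between pairs. Accepts
# 08:00:0f:82:64:f0, 08-00-0F-82-64-F0, 08000f8264f0 and 0800.0f82.64f0.
MAC_RE = re.compile(
    "^" + "[^0-9a-fA-F]?".join(["([0-9a-fA-F]{2})"] * 6) + "$"
)

def canonical_mac(value, upper=False):
    """Return the MAC as dash-separated pairs in one case, or None if unparsable."""
    m = MAC_RE.match(value.strip())
    if m is None:
        return None
    mac = "-".join(m.groups())
    return mac.upper() if upper else mac.lower()

def audit_keys(text, upper=False):
    """List keys that an exact string match against the canonical form would miss.

    Assumption: a key is the first token of a line starting in column 0;
    indented lines, '#' comments and DEFAULT entries are skipped.
    Returns (line_no, key, suggestion); suggestion is None for a non-MAC key.
    """
    problems = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line[0] in " \t#":
            continue
        key = line.split()[0]
        if key == "DEFAULT":
            continue
        want = canonical_mac(key, upper)
        if want != key:
            problems.append((line_no, key, want))
    return problems

# Constructed sample list, not taken from the thread.
SAMPLE = """\
# authorized devices
08-00-0f-82-64-f0
    Reply-Message = "ok"
08:00:0F:82:64:F1
0800.0f82.64f2
DEFAULT
not-a-mac
"""

if __name__ == "__main__":
    for line_no, key, want in audit_keys(SAMPLE):
        print(f"line {line_no}: {key!r} -> {want or 'not a MAC address'}")
```

Pass `upper=True` when the policy is left on "toupper", so the list is checked against the same case the rewritten attribute will carry.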
    
    