Authentication issues

David le Roux david.leroux at
Fri Jun 3 15:10:54 UTC 2022

Thanks, I hadn't looked in policy.d/canonicalize.

David le Roux

-----Original Message-----
From: Freeradius-Users < at> On Behalf Of Alan DeKok
Sent: 03 June 2022 15:52
To: FreeRadius users mailing list <freeradius-users at>
Subject: Re: Authentication issues

On Jun 3, 2022, at 10:43 AM, David le Roux <david.leroux at> wrote:
>> The "invalid user" message is correct.  The MAC address in the User-Name isn't found in the "authorized_macs" list.  Note that it does it's lookup by exact string match.  So check that the MAC address is listed, and has exactly the same format.
> I've checked an the mac is certainly there in lower case.

   OK, that's good.

> However I notice this in the debug:
>> (2)         update request {
>> (2)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
>> (2)              --> 08-00-0F-82-64-F0
> I can't find anywhere in the config a command to make it upper case (though several "to lower"). Do I need to make my entire list upper case or am I missing a config option?

  "tolower" works instead of "toupper".  Just edit the rewrite_calling_station_id policy (policy.d/canonicalize) to use "tolower" instead of "toupper"

  Whatever you choose, you MUST choose a consistent setup.  The lookups in the "authorized_macs" list are doing an exact string match.  So you need to ensure that all of the entries are all either lowercase, or all uppercase.  And then use the rewrite_calling_station_id policy to mash the attribute in the packet to the matching case.

  Oh, and that policy is there because NAS vendors send MAC addresses in a variety of formats.  00:01:02:04:04:04, or using dashes, or just hex all mashed together.  The policy re-writes that to a sane format (00-01-03-04...).  Again, you have to ensure that the authorized_macs file contains this exact format.

  That way when you either buy a new NAS (which uses a different format), or the NAS firmware updates (and changes to a different format), you won't run into this issue again.  The policy will just automagically fix things, and it will be fine.

  Alan DeKok.

List info/subscribe/unsubscribe? See

Miller Homes Limited Registered in Scotland - SC255429
2 Lochside View, Edinburgh Park, Edinburgh, EH12 9DH

Disclaimer: The Information in this e-mail is confidential and for use by the addressee(s) only. It may also be privileged. If you are not the intended recipient please notify us immediately on +44 (0) 870 336 5000 and delete the message from your computer: you may not copy or forward it, or use or disclose its contents to any other person. We do not accept any liability or responsibility for: (1) changes made to this email after it was sent, or (2) viruses transmitted through this email or any attachment.

Miller Homes Limited <>

More information about the Freeradius-Users mailing list