Authentication issues
David le Roux
david.leroux at miller.co.uk
Fri Jun 3 15:10:54 UTC 2022
Thanks, I hadn't looked in policy.d/canonicalize.
David le Roux
-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+david.leroux=miller.co.uk at lists.freeradius.org> On Behalf Of Alan DeKok
Sent: 03 June 2022 15:52
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Authentication issues
On Jun 3, 2022, at 10:43 AM, David le Roux <david.leroux at miller.co.uk> wrote:
>> The "invalid user" message is correct. The MAC address in the User-Name isn't found in the "authorized_macs" list. Note that it does its lookup by exact string match. So check that the MAC address is listed, and has exactly the same format.
>
> I've checked and the mac is certainly there in lower case.
OK, that's good.
> However I notice this in the debug:
>> (2) update request {
>> (2) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
>> (2) --> 08-00-0F-82-64-F0
>
> I can't find anywhere in the config a command to make it upper case (though several "to lower"). Do I need to make my entire list upper case or am I missing a config option?
"tolower" works instead of "toupper". Just edit the rewrite_calling_station_id policy (policy.d/canonicalize) to use "tolower" instead of "toupper".
Whatever you choose, you MUST choose a consistent setup. The lookups in the "authorized_macs" list are doing an exact string match. So you need to ensure that all of the entries are all either lowercase, or all uppercase. And then use the rewrite_calling_station_id policy to mash the attribute in the packet to the matching case.
Oh, and that policy is there because NAS vendors send MAC addresses in a variety of formats. 00:01:02:04:04:04, or using dashes, or just hex all mashed together. The policy re-writes that to a sane format (00-01-03-04...). Again, you have to ensure that the authorized_macs file contains this exact format.
That way when you either buy a new NAS (which uses a different format), or the NAS firmware updates (and changes to a different format), you won't run into this issue again. The policy will just automagically fix things, and it will be fine.
Alan DeKok.
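An added example, not part of the thread and not FreeRADIUS code: a Python audit of an authorized_macs-style list that reports every key an exact string match against the rewritten attribute would miss, together with the spelling it should have. The regex, the function names, the assumed file layout (key as the first token of a non-indented line) and the sample entries are assumptions made for illustration.

```python
import re

# One optional non-hex separator between octets: accepts colons, dashes, dots
# or bare hex. Assumption: modelled on the formats named in the thread, not
# copied from the project's own regex.
MAC_RE = re.compile("^" + "[^0-9a-f]?".join(["([0-9a-f]{2})"] * 6) + "$", re.I)


def canonicalize(mac, upper=False):
    """Return the dash-separated form in a single case, or None if not a MAC."""
    m = MAC_RE.match(mac.strip())
    if not m:
        return None
    out = "-".join(m.groups())
    return out.upper() if upper else out.lower()


def audit_keys(text, upper=False):
    """Return (line_no, key, fix) for keys an exact string match would miss.

    Assumed layout: the key is the first token of a non-indented line;
    indented lines (check/reply items) and '#' comments are skipped.
    fix is the canonical spelling, or None when the key is not a MAC at all.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line[0] in " \t#":
            continue
        key = line.split()[0]
        want = canonicalize(key, upper)
        if want != key:
            findings.append((no, key, want))
    return findings


# Constructed sample list, not taken from the thread.
SAMPLE = """\
# printers
08-00-0f-82-64-f0
\tReply-Message = "ok"
08:00:0F:82:64:F1
0800.0f82.64f2
08-00-0f-82-64
"""

if __name__ == "__main__":
    for no, key, want in audit_keys(SAMPLE):
        print(f"line {no}: {key!r} -> {want or 'not a MAC address'}")
```

Pass `upper=True` when the policy is left on "toupper"; the lowercase entry on line 2 of the sample is then reported as well, which is the mismatch seen in the debug output above.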