Converting MAC address formats

Alan DeKok aland at deployingradius.com
Sat Apr 19 17:28:39 UTC 2025


On Apr 19, 2025, at 12:48 PM, Mike Diggins <diggins at mcmaster.ca> wrote:
> I'm using MAC address authentication against a FreeRADIUS Version 3.0.20 (RHEL8) server. My WLAN controller sends the MAC in the format 2c-7b-a0-2f-bb-f1 but FR seems to convert it to 2c7ba02fbbf1.

  See the debug output.  It tells you when it's rewriting the MAC.

  The default policy to do this is in raddb/policy.d/canonicalization, rewrite_called_station_id and rewrite_calling_station_id.  They're called from the "default" virtual server.

> My SQL database has the MACs in the 2c-7b-a0-2f-bb-f1 format. I added this to sites-enabled/default in the authorize section. I've tried many formats but can't seem to get it right. Can it be fixed or am I crazy and should just update the database with the expected format?

  What do you mean "tried different formats"?  If you don't want the Calling-Station-Id and Called-Station-Id attributes to be modified, then edit the "default" virtual server.  Delete the calls to the policies which do the rewriting.

>    # Check if User-Name is a MAC address in the correct format
>    if ("%{User-Name}" =~ /^([0-9A-Fa-f:-]{12,17})$/) {

  I don't understand why so many people do string expansions like that.  The examples and default configuration show that you can just do:

	if (&User-Name =~ /..../) {

>        update request {
>            # Convert to lowercase (optional)
>            Tmp-String-0 := "%{tolower:%{User-Name}}"
> 
>            # Remove non-alphanumeric characters (colons, dashes) using expr
>            Tmp-String-1 := "%{expr:%{Tmp-String-0}:s/[-:]//g}"

  No?  What documentation says that the "expr" function can do s/text/replace/ ??  It can't.  The documentation says the expr function handles expressions, and math.

  If you want to see how to do regular expression matching and rewriting of attributes, see raddb/policy.d/canonicalization, rewrite_called_station_id and rewrite_calling_station_id.

>            # Assign cleaned MAC address to User-Name
>            User-Name := "%{Tmp-String-1}"
>        }
>    }
> 
> The debug output is:
> 
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "2c7ba02fbbf1", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0)     [suffix] = noop
> (0)     if ("%{User-Name}" =~ /^([0-9A-Fa-f:-]{12,17})$/) {
> (0)     EXPAND %{User-Name}
> (0)        --> 2c7ba02fbbf1
> (0)     if ("%{User-Name}" =~ /^([0-9A-Fa-f:-]{12,17})$/)  -> TRUE
> (0)     if ("%{User-Name}" =~ /^([0-9A-Fa-f:-]{12,17})$/)  {
> (0)       update request {
> (0)         EXPAND %{tolower:%{User-Name}}
> (0)            --> 2c7ba02fbbf1
> (0)         Tmp-String-0 := 2c7ba02fbbf1
> (0)         Expected operator at "c7ba02fbbf1:s/[-:]//g"

  Exactly.  You invented some syntax for the expr function, and it has no idea what you mean.  Don't do that.

  Start with the examples I pointed to above.  It should be quick and easy to do the rewrites.

  Alan DeKok.
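
An added example, not part of the original post and not FreeRADIUS's shipped configuration: a v3 unlang policy, modelled on the stock rewrite_calling_station_id policy the reply points to, that rewrites a MAC-shaped User-Name into lowercase dash-separated form using regex captures rather than "expr". The policy name rewrite_user_name_mac, the file name, and the target format (taken from the database format described in the question) are assumptions.

```unlang
# raddb/policy.d/mac_user_name  (hypothetical file name, added example)
#
# Normalise a MAC-shaped User-Name to lowercase, dash-separated form
# (2c-7b-a0-2f-bb-f1) so it matches the format assumed for the SQL table.
# Accepts no separator, or one non-hex separator, between octets.
# Anything that is not exactly six octets is left untouched.
rewrite_user_name_mac {
	if (&User-Name && (&User-Name =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
		update request {
			# %{1}..%{6} are the six octets captured by the regex above
			&User-Name := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
		}
		updated
	}
	else {
		# Not a MAC address: leave User-Name as received
		noop
	}
}

# In sites-enabled/default, inside authorize { ... }, call the policy by
# name before the module that does the database lookup:
#
#	rewrite_user_name_mac
#	sql
```

Running the server in debug mode shows the regex match and the rewritten User-Name, the same way the debug output quoted above shows the failed "expr" expansion.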


