attr_rewrite issues
Hello FreeRadius list:

I'm having difficulty getting the attr_rewrite module to do...well, anything. I have a working RADIUS installation validating off of a mySQL database. Our existing NASs (Wireless APs) transmit mac addresses as 12 character lower case letter/number combos - this corresponds to username within RADIUS. A new NAS device is transmitting mac addresses in caps, with a colon between each octet. I am trying to filter the attributes coming from the new NAS so that they are of the correct format in our mySQL database.

I have already gotten the case issue solved by making the following change in radiusd.conf:

    lower_user = before

What I can't get to work: I have placed the following in radiusd.conf, just under the commented-out example of attr_rewrite concerning sanecallerid

    attr_rewrite mac_colons {
        attribute = User-Name
        searchin = packet
        searchfor = :
        replacewith =
        ignore_case = yes
        new_attribute = no
        max_matches = 10
        append = no
    }

However, as I said, I don't see any indication that the RADIUS server is doing anything of the kind. This is the debug output, concerning an auth request from the new type of NAS:

    rad_recv: Access-Request packet from host 10.35.0.30:1034, id=50, length=60
        Service-Type = Framed-User
        NAS-Port-Id = wlan1
        User-Name = 00:0A:E9:06:29:07
        User-Password =
        NAS-IP-Address = 10.35.0.30
    rlm_sql (sql): Reserving sql socket id: 4
    rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '00:0a:e9:06:29:07' ORDER BY id
    rlm_sql (sql): User 00:0a:e9:06:29:07 not found in radcheck

Note how the User-Name comes into RADIUS as all caps, but is in lower case when it's checked against the db, this is the result of the lower_user = before command I mentioned previously. However, the attr_rewrite command doesn't appear to be functioning at all. I've tried several different syntaxes slightly different from the one listed above with no luck.

Looking further around radiusd.conf, I saw the authorize section at the bottom of the file (thinking that I had to load the module, just as preprocess apparently has to be loaded):

    authorize {
        preprocess
    #   auth_log
    #   attr_filter
        attr_rewrite

However, having attr_rewrite uncommented as it is above causes an error on load:

    Starting - reading configuration files ...
    Using deprecated naslist file. Support for this will go away soon.
    Module: Loaded exec
    rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded PAP
    Module: Instantiated pap (pap)
    Module: Loaded CHAP
    Module: Instantiated chap (chap)
    Module: Loaded MS-CHAP
    Module: Instantiated mschap (mschap)
    Module: Loaded System
    Module: Instantiated unix (unix)
    Module: Loaded eap
    rlm_eap: Loaded and initialized type md5
    rlm_eap: Loaded and initialized type leap
    rlm_eap: Loaded and initialized type gtc
    rlm_eap: Loaded and initialized type mschapv2
    Module: Instantiated eap (eap)
    Module: Loaded preprocess
    Module: Instantiated preprocess (preprocess)
    ERROR: Cannot find a configuration entry for module attr_rewrite.

After which it returns to the command prompt (without loading the server). I don't really understand the error message on its face, as I would have thought the attr_rewrite mac_colons section I listed earlier in the file would be the configuration entry that the error output says it can't find.

So...if anyone can get me any advice re: how to check the functionality of the attr_rewrite module I'd appreciate it.

Thank you - Brian Ammons

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: attr_rewrite issues
> I don't really understand the error message on its face, as I would have thought the attr_rewrite mac_colons section I listed earlier in the file would be the configuration entry that the error output says it can't find.
>
> So...if anyone can get me any advice re: how to check the functionality of the attr_rewrite module I'd appreciate it.
>
> Thank you - Brian Ammons

It's because you defined the name of the module as mac_colons. Change attr_rewrite to mac_colons in your authorize section.
SUCCESS, now User-Password...was RE: attr_rewrite issues
>> So...if anyone can get me any advice re: how to check the functionality of the attr_rewrite module I'd appreciate it.
>>
>> Thank you - Brian Ammons
>
> It's because you defined the name of the module as mac_colons. Change attr_rewrite to mac_colons in your authorize section.

That worked, exactly as advertised. Thank you very, very much.

But I have another problem, that I tried to solve but took down all our other NASs instead...I googled and searched the archive but I couldn't find the answer...

The new NAS does not transmit a password along with the username, as illustrated below:

    rad_recv: Access-Request packet from host 10.35.0.30:1034, id=50, length=60
        Service-Type = Framed-User
        NAS-Port-Id = wlan1
        User-Name = 00:0A:E9:06:29:07
        User-Password =
        NAS-IP-Address = 10.35.0.30

In our AuthDB, every username (the 12 digit mac, no colons) has a password that exactly matches the username. I tried to do this (and correctly loaded the module this time, thanks again to Dustin Doris):

    #attr_rewrite blank_password {
    #    attribute = User-Password
    #    searchin = packet
    #    searchfor =
    #    replacewith = User-Name
    #    ignore_case = yes
    #    new_attribute = no
    #    max_matches = 10
    #    append = no
    #}

However, as I mentioned, that totally broke every other Auth-Request in addition to not validating the new NAS Auth-Request in question.

So my boolean would be, IF an Auth-Request comes in (??from a particular client? or from a particular shortname defined in clients.conf? or would it be with a blank password) THEN replace User-Password with (no colons, all lowercase) User-Name. OR would I replace it with the User-Name as passed from the NAS and then operate on the password?

Thanks again for the assistance:
Brian
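Added example, not part of the original thread and not FreeRADIUS code: the User-Name normalization that lower_user and the mac_colons instance perform together, written as a standalone Python function that also rejects values that are not a MAC address before they reach the radcheck lookup. The function names, the dash and dotted input formats, and the sample values other than 00:0A:E9:06:29:07 are assumptions made for this example.

```python
import re

# Wire formats accepted after lower-casing. Only the bare 12-character form
# and the colon form appear in the thread; dash and dotted forms are assumed.
_MAC_FORMATS = (
    re.compile(r"[0-9a-f]{12}"),
    # Six pairs joined by one consistent separator (":" or "-").
    re.compile(r"[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"),
    # Three dotted groups of four hex digits.
    re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"),
)


def normalize_mac_username(raw):
    """Return the 12-character lower-case MAC, or None if raw is not a MAC."""
    candidate = raw.strip().lower()  # same effect as lower_user = before
    if not any(p.fullmatch(candidate) for p in _MAC_FORMATS):
        return None
    # Same effect as the mac_colons rewrite: drop the separators.
    return re.sub(r"[:.-]", "", candidate)


def normalize_all(usernames):
    """Split usernames into ({raw: normalized}, [rejected raw values])."""
    accepted, rejected = {}, []
    for raw in usernames:
        key = normalize_mac_username(raw)
        if key is None:
            rejected.append(raw)
        else:
            accepted[raw] = key
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input; only the first value comes from the thread.
    samples = [
        "00:0A:E9:06:29:07",
        "000ae9062907",
        "00-0A-E9-06-29-07",
        "000A.E906.2907",
        "00:0A-E9:06:29:07",   # mixed separators
        "00:0A:E9:06:29",      # too short
        "00:0A:E9:06:29:0G",   # non-hex character
    ]
    ok, bad = normalize_all(samples)
    for raw, key in ok.items():
        print(f"{raw!r} -> {key}")
    print("rejected:", bad)
```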