
convert mac addresses to lower case


PENZ Robert

Sep 20, 2010, 8:11:14 AM
Hi!

I'm running

# rpm -qa | grep radius
freeradius2-mysql-2.1.7-7.el5
freeradius2-2.1.7-7.el5
freeradius2-python-2.1.7-7.el5
freeradius2-utils-2.1.7-7.el5

and I've different switch types. Some send the MAC address in lower case, the others in upper case. For switches which send it in lower case it works (as the MACs are stored lower case in the db). How can I convert them all in the clear text password attribute to lower case? The attr_rewrite module looks good, but the only way I see is to have 6 rewrite rules each replacing one letter, but that seems inefficient. The matching in the SQL database works case insensitive and returns a row, but the pap check logs the following:

rlm_sql (sql): Released sql socket id: 1
+++[sql] returns ok
++- policy redundant returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "0025B3A013AA"
[pap] Using clear text password "0025b3a013aa"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.

I tried to remove pap but then I get the following:

+++[sql] returns ok
++- policy redundant returns ok
++[expiration] returns noop
++[logintime] returns noop
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request does NOT match "known good" password.
Failed to authenticate the user.

Hope someone can help me. Thx!

Kind regards
Robert Penz

----------------------------------------------------
Dipl. Inf. Robert Penz
DVT-Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 512 508 3334 / Fax: +43 512 508 3355
eMail: rober...@tirol.gv.at


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

iron...@yahoo.com

Sep 20, 2010, 9:26:20 AM
I believe there is a lower() function you can use in the sql statement.

PENZ Robert

Sep 20, 2010, 10:01:48 AM
Hi!

But that's not the problem. The mac address matches in the SQL statement but I need also to return the mac address to the radius. In this reply the mac address is lower case. And now the radius checks that against its upper case version it gets from the switch. I cannot return the mac always upper case as it would not work with the switches which send the mac lower case. I hope this makes sense.


Kind regards
Robert Penz

-----Original Message-----
From: freeradius-users-bounces+robert.penz=tirol...@lists.freeradius.org [mailto:freeradius-users-bounces+robert.penz=tirol...@lists.freeradius.org] On Behalf Of iron...@yahoo.com
Sent: Monday, 20 September 2010 15:26
To: FreeRadius users mailing list
Subject: Re: convert mac addresses to lower case

Alexander Clouter

Sep 20, 2010, 9:51:49 AM
PENZ Robert <ROBER...@tirol.gv.at> wrote:
>
> and I've different switch types. Some send the MAC address lower case
> the others upper case. For switches which send it lower case it
> works (as the macs are stored lower case in the db). How can I convert
> them all in the clear text password attribute to lower case? The
> attr_rewrite module looks good, but the only way I see is to have 6
> rewrite rules each replacing one letter, but that seems inefficient.
> The matching in the SQL Database works case insensitive and returns a
> row but the pap check logs following:
>
Do the mac-auth via unlang and not PAP.
----
policy {
    ...

    mac_auth {
        if (Realm == NULL && !(EAP-Message) && NAS-Port-Type == Ethernet \
                && Service-Type == Call-Check \
                && User-Name == "%{User-Password}" \
                && User-Name =~ /^[0-9a-f]{12}$/i \
                && Calling-Station-Id =~ /^([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})$/i \
                && User-Name =~ /^%{1}%{2}%{3}%{4}%{5}%{6}$/i) {
            ok
        }
        else {
            noop
        }
    }

    ...
}

authorize {
    ...

    mac_auth
    if (ok) {
        update control {
            Auth-Type := Accept
        }

        # 'handled' does not work here
        ok = return
    }

    ...
}
----

You might need to tweak the policy{} rule to meet your local needs; the
above is what I use for our Cisco switches. You could tweak the above
so that 'mac_auth' sets 'Cleartext-Password = "%{User-Password}"' but
I personally cannot see the reason to bother when you can just skip
authenticate{} completely.

If you really do need to lowercase something, the only way to do it
really is to use 'exec' and call 'tr A-F a-f', nasty but it works.

Cheers

--
Alexander Clouter
.sigmonster says: Don't guess -- check your security regulations.

Johan Meiring

Sep 20, 2010, 10:40:51 AM
On 2010/09/20 04:01 PM, PENZ Robert wrote:
> Hi!
>
> But that's not the problem. The mac address matches in the SQL statement but I need also to return the mac address to the radius. In this reply the mac address is lower case. And now the radius checks that against its upper case version it gets from the switch. I cannot return the mac always upper case as it would not work with the switches which send the mac lower case. I hope this makes sense.
>


Search this list.
The question was asked about 2 months ago.
It was answered.

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782

Leander S.

Sep 20, 2010, 10:44:13 AM
On 20.09.10 15:51, Alexander Clouter wrote:

> PENZ Robert <ROBER...@tirol.gv.at> wrote:
>> and I've different switch types. Some send the MAC address lower case
>> the others upper case. For switches which send it lower case it
>> works (as the macs are stored lower case in the db). How can I convert
>> them all in the clear text password attribute to lower case? The
>> attr_rewrite module looks good, but the only way I see is to have 6
>> rewrite rules each replacing one letter, but that seems inefficient.
>> The matching in the SQL Database works case insensitive and returns a
>> row but the pap check logs following:
>>
> Do the mac-auth via unlang and not PAP.
> ----
> policy {
> ...
>
> mac_auth {
> if (Realm == NULL && !(EAP-Message) && NAS-Port-Type == Ethernet \

If you're using SQL then I would simply modify the SQL query to INSERT
everything in lower case only PLUS to SELECT everything in lowercase
only. You can simply modify those queries afaik. I just figured that as
well and it made my life WAY easier - but I used it for my MailServer
configuration - and it works perfect - no matter whether it's PostgreSQL
(which I'm using), or MySQL ... even others such as Oracle, etc. offer
those functions.

Alexander Clouter

Sep 20, 2010, 10:20:59 AM
iron...@yahoo.com wrote:
>
> I believe there is a lower() function you can use in the sql statement.
>
That sort of talk belongs over on the DWTF :)

Cheers

--
Alexander Clouter
.sigmonster says: Biz is better.

Phil Mayers

Sep 20, 2010, 4:20:08 PM
On 09/20/2010 03:44 PM, Leander S. wrote:
> If you're using SQL then I would simply modify the SQL query to INSERT
> everything in lower case only PLUS to SELECT everything in lowercase
> only. You can simply modify those queries afaik. I just figured that as

That is not what is being asked.

The OP has two types of switches; one is sending:

User-Name = aabbccddeeff
User-Password = aabbccddeeff

The other is sending:

User-Name = AABBCCDDEEFF
User-Password = AABBCCDDEEFF

Sprinkling your SQL statements with "lower()" function calls doesn't fix
this. Alex's advice is correct; simply write an unlang policy to do:

authorize {
    ...check mac address then

    update control {
        Auth-Type := Accept
    }
}

Actually *running* the PAP module against a macauth request is pointless.
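
Added example, not part of any post in this thread and not FreeRADIUS code: a Python model of the checks in the mac_auth policy quoted above, showing that comparing canonical forms makes the decision independent of the case a switch sends. It goes beyond the thread by also accepting colon-separated and Cisco dotted MAC forms; the function names and sample requests are constructed for illustration.

```python
import re

# Bare, colon- or hyphen-separated (one separator throughout), or Cisco dotted.
MAC_FORMS = re.compile(
    r"^(?:[0-9a-f]{12}"
    r"|[0-9a-f]{2}([:-])[0-9a-f]{2}(?:\1[0-9a-f]{2}){4}"
    r"|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$",
    re.IGNORECASE,
)

def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC."""
    if not isinstance(value, str) or not MAC_FORMS.match(value.strip()):
        return None
    return re.sub(r"[^0-9a-f]", "", value.lower())

def mac_auth(request):
    """Model of the thread's mac_auth checks: 'ok' to accept, else 'noop'."""
    if request.get("Realm") or "EAP-Message" in request:
        return "noop"
    if request.get("NAS-Port-Type") != "Ethernet":
        return "noop"
    if request.get("Service-Type") != "Call-Check":
        return "noop"
    user = request.get("User-Name")
    if user is None or user != request.get("User-Password"):
        return "noop"
    # Compare canonical forms so the case sent by the switch is irrelevant.
    user_mac = normalize_mac(user)
    if user_mac is None or user_mac != normalize_mac(request.get("Calling-Station-Id")):
        return "noop"
    return "ok"

def sample_request(user, station):
    # Constructed sample request; attribute names follow the thread.
    return {"User-Name": user, "User-Password": user, "Calling-Station-Id": station,
            "NAS-Port-Type": "Ethernet", "Service-Type": "Call-Check"}

SAMPLES = [
    sample_request("0025B3A013AA", "00-25-B3-A0-13-AA"),  # switch sending upper case
    sample_request("0025b3a013aa", "00-25-b3-a0-13-aa"),  # switch sending lower case
    sample_request("0025b3a013aa", "0025.B3A0.13AA"),     # mixed case and format
    sample_request("0025b3a013aa", "00-25-B3-A0-13-AB"),  # name differs from the port's MAC
]

def decisions():
    return [mac_auth(r) for r in SAMPLES]

if __name__ == "__main__":
    print(decisions())
```

The same canonical form (12 lowercase hex digits) is what a database lookup key would use, so one normalization step serves both the match and the comparison.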
