diff --git a/raddb/policy.d/canonicalization b/raddb/policy.d/canonicalization
index 7fab6b305d3d..4e4ec18d32aa 100644
--- a/raddb/policy.d/canonicalization
+++ b/raddb/policy.d/canonicalization
@@ -10,7 +10,7 @@
 # compliant regexp without perl style regular expressions (or
 # at least not a legible one).
 #
-nai_regexp = "^([^@]*)(@([-[:alnum:]]+\\.[-[:alnum:].]+))?$"
+nai_regexp = '^([^@]*)(@([-[:alnum:]]+\\.[-[:alnum:].]+))?$'
 split_username_nai {
 if (&User-Name && (&User-Name =~ /${policy.nai_regexp}/)){
@@ -48,16 +48,19 @@ split_username_nai.post-proxy {
 #
 # Normalize the MAC Addresses in the Calling/Called-Station-Id
 #
-mac-addr-regexp = ([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})
+mac-addr-regexp = '([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})"
 #
 # Add "rewrite_called_station_id" in the "authorize" and
 # "preacct" sections.
 #
+# Makes Called-Station-ID conform to what RFC3580 says should
+# be provided by 802.1X authenticators.
+#
 rewrite_called_station_id {
- if (&Called-Station-Id && (&Called-Station-Id =~ /^${policy.mac-addr-regexp}(:(.+))?$/i)) {
+ if (&Called-Station-Id && (&Called-Station-Id =~ /^${policy.mac-addr-regexp}([^0-9a-f](.+))?$/i)) {
 update request {
- &Called-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
+ &Called-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
 }
 # SSID component?
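Review bot: The re-quoted `nai_regexp` keeps the doubled backslash `\\.` that was written for a double-quoted string, and it may no longer mean a literal dot. If the config parser does not collapse `\\` inside single-quoted strings (not visible here, please confirm), the pattern now demands a literal backslash followed by any character, so a User-Name carrying a realm would stop matching and the NAI split would be skipped for it. In that case the line should read `nai_regexp = '^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$'`. The body of split_username_nai continues outside the hunk.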
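Review bot: The new `mac-addr-regexp` value opens with `'` but still ends with `"`, so the string is never closed by its matching quote. Depending on how the parser reacts, this is either a load-time error or a pattern that carries a stray `"`; in the second case neither rewrite policy would match and Called/Calling-Station-Id would reach later checks un-normalized. The last character should be `'`, i.e. the line should end `[^0-9a-f]?([0-9a-f]{2})'`. A short comment that the MAC/SSID separator is now any single non-hex character rather than only `:` would also help readers of the `if` line. The body of rewrite_called_station_id continues outside the hunk.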
@@ -77,10 +80,13 @@ rewrite_called_station_id {
 # Add "rewrite_calling_station_id" in the "authorize" and
 # "preacct" sections.
 #
+# Makes Calling-Station-ID conform to what RFC3580 says should
+# be provided by 802.1X authenticators.
+#
 rewrite_calling_station_id {
 if (&Calling-Station-Id && (&Calling-Station-Id =~ /^${policy.mac-addr-regexp}$/i)) {
 update request {
- &Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
+ &Calling-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
 }
 updated
 }
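Review bot: The added header comment cites RFC3580 but does not say that the rewritten `&Calling-Station-Id` changes from lower to upper case, which is the part an operator upgrading needs to know. Any MAC-keyed data kept in lower case and compared case-sensitively (authorization lists, database rows, accounting correlation; none of it visible here) would presumably stop matching after this change. I would extend the comment with something like `# NOTE: output is now upper-case and hyphen-separated; stored MAC values must use the same form.` The Called-Station-Id rewrite in the previous hunk makes the same case change and deserves the same note.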