Two different sources, one with a single value

Alan DeKok aland at ox.org
Thu Sep 15 22:53:55 CEST 2005


Martin.Ward at uk.neceur.com wrote:
> Using the above example, the system that passes the MAC
> address in to find out if it's valid passes the MAC address in both the
> User-Name and User-Password fields.

  Uh, no.

> >>         passwd mac_address {
> >>                 filename = /var/mac_addresses
> >>                 format = "*User-Name"

  There's no "User-Password" field there, so it can't check that.  And
the passwd module doesn't do enforcement checking, it's just a lookup
table.

> I was hoping to be able to get away with just authenticating against
> the User-Name and having just one field in the table,

  Sure, but then you've got to set Auth-Type := Accept.

> As for authorizing, surely for the MAC address checking I don't need
> to have an authorize section, the authenticate section verifies if
> the MAC address is in the table or not and if it is, it passes it
> in?

  No.  The "passwd" module runs in the authorization section.

> Then again, if I am authenticating against the MAC address and then
> authorizing against the unix login ID and password, does this mean a given
> user has to be in BOTH tables to gain access?

  You have "authorization" and "authentication" inverted in the above example.

  Alan DeKok.



