freeradius and ADSL-Agent-Circuit-Id

Johan Meiring jmeiring at pcservices.co.za
Wed Jul 21 08:56:01 CEST 2010


On 2010/07/20 10:50 PM, Mike wrote:
>> authorize {
>>
>> if (ADSL-Agent-Circuit-Id) {
>> update request {
>> User-Name := "%{ADSL-Agent-Circuit-Id}"
>> User-Password := "%{ADSL-Agent-Circuit-Id}"
>> }
>> }
>> }
>>
>> Make sure to add the User-Name (ADSL-Agent-Circuit-Id) to
>> radcheck and
>> set the password to the value of ADSL-Agent-Circuit-Id.
>>
>> +--------+-----------+--------------------+----+-----------+
>> | id | username | attribute | op | value |
>> +--------+-----------+--------------------+----+-----------+
>> | 226529 | adslagent | Cleartext-Password | := | adslagent |
>> +--------+-----------+--------------------+----+-----------+
> This opens up a security hole I wish to avoid - if someone knows what my
> circuit Id's look like, and that database is used in any context where a
> user can send an id/password to authenticate that does NOT have
> ADSL-Agent-Circuit-Id in it, then I've created a bunch of known user
> id's for the bad guys to use. I am happy having a non-default sql
> database schema but I think I really need the sql lookup to be
> based on ADSL-Agent-Circuit-Id and not User-Name.
>
> Mike-
>

How about this:

I'm 100% sure my syntax is wrong today (I'm not an unlang master yet), but
the idea should work.

Opinions?


authorize {
	# Only act when the DSLAM actually supplied a circuit id.
	if (ADSL-Agent-Circuit-Id) {
		# rlm_sql escapes the nested %{...} expansion before splicing it
		# into the query. COUNT(*) is 0 or more, so test for > 0
		# (a "> 1" test would require two matching rows).
		if ("%{sql:SELECT COUNT(*) FROM CircuitIdList WHERE CircuitId='%{ADSL-Agent-Circuit-Id}'}" > 0) {
			update control {
				Auth-Type := Accept
			}
		}
		else {
			update control {
				Auth-Type := Reject
			}
		}
	}
}

-- 


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
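Added example, not part of the thread: a small sqlite simulation of the two policies discussed above (the User-Name rewrite against radcheck, and the CircuitIdList lookup), run against a constructed DSLAM-tagged request and a constructed request that only presents the circuit id as a username/password pair. The table names and the `adslagent` row come from the thread; sqlite and the request dicts are assumptions standing in for rlm_sql and real RADIUS packets.

```python
import sqlite3

def build_db():
    # Constructed in-memory stand-in for the FreeRADIUS SQL backend.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, "
               "attribute TEXT, op TEXT, value TEXT)")
    db.execute("CREATE TABLE CircuitIdList (CircuitId TEXT PRIMARY KEY)")
    # Row the first suggestion needs: a user whose password is its own name.
    db.execute("INSERT INTO radcheck VALUES (226529, 'adslagent', "
               "'Cleartext-Password', ':=', 'adslagent')")
    # Row the second suggestion needs: just the known circuit id.
    db.execute("INSERT INTO CircuitIdList VALUES ('adslagent')")
    return db

def policy_rewrite_username(db, req):
    """First suggestion: copy ADSL-Agent-Circuit-Id into User-Name and
    User-Password, then authenticate against radcheck like any user."""
    req = dict(req)
    cid = req.get("ADSL-Agent-Circuit-Id")
    if cid:
        req["User-Name"] = cid
        req["User-Password"] = cid
    row = db.execute("SELECT value FROM radcheck WHERE username=? "
                     "AND attribute='Cleartext-Password'",
                     (req.get("User-Name"),)).fetchone()
    return row is not None and row[0] == req.get("User-Password")

def policy_lookup_circuit_id(db, req):
    """Second suggestion: accept or reject purely on whether the circuit id
    is listed. Returns None when the attribute is absent, meaning the policy
    makes no decision and normal authorization continues."""
    cid = req.get("ADSL-Agent-Circuit-Id")
    if not cid:
        return None
    n = db.execute("SELECT COUNT(*) FROM CircuitIdList WHERE CircuitId=?",
                   (cid,)).fetchone()[0]
    return n > 0

# Constructed requests: one tagged by the DSLAM, one that merely presents the
# circuit id as a plain username/password pair with no circuit id attribute.
GENUINE = {"User-Name": "anything", "ADSL-Agent-Circuit-Id": "adslagent"}
FORGED = {"User-Name": "adslagent", "User-Password": "adslagent"}

def compare():
    db = build_db()
    return {name: (p(db, GENUINE), p(db, FORGED))
            for name, p in [("rewrite", policy_rewrite_username),
                            ("lookup", policy_lookup_circuit_id)]}
```

The rewrite policy accepts both requests, which is exactly the exposure Mike describes; the lookup policy accepts the tagged request and leaves the untagged one to ordinary authentication.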