freeradius and ADSL-Agent-Circuit-Id

Tim Sylvester tim.sylvester at networkradius.com
Thu Jul 29 01:31:37 CEST 2010


Try the following:

Add this to the top of the Authorize section:

authorize {

        # If the NAS supplied a circuit ID, use it as both identity and
        # password, so the normal sql lookup (including group processing)
        # runs against a radcheck entry keyed by the circuit ID.
        if (ADSL-Agent-Circuit-Id) {
                update request {
                        User-Name     := "%{ADSL-Agent-Circuit-Id}"
                        User-Password := "%{ADSL-Agent-Circuit-Id}"
                }
        }

        ...
}


Then, add the Circuit-IDs to radcheck:


mysql> select * from radcheck where username = "circuit-123";
+--------+-------------+-----------------------+----+-------------+
| id     | username    | attribute             | op | value       |
+--------+-------------+-----------------------+----+-------------+
| 226536 | circuit-123 | ADSL-Agent-Circuit-Id | == | circuit-123 |
| 226537 | circuit-123 | Cleartext-Password    | := | circuit-123 |
+--------+-------------+-----------------------+----+-------------+
2 rows in set (0.00 sec)



Then run a test to make sure that, when the Circuit-Id is used to authenticate
the device, the ADSL-Agent-Circuit-Id is required to be in the request.

[root at sparky performance]# cat circuit-id.rad

User-Name = "test"
User-Password = "FreeRADIUS"

User-Name = "circuit-123"
User-Password = "circuit-123"

User-Name = ""
ADSL-Agent-Circuit-Id = "circuit-123"

User-Name = "void"
ADSL-Agent-Circuit-Id = "circuit-123"

[root at sparky performance]#
[root at sparky performance]# radclient -f circuit-id.rad localhost auth
FreeRADIUS
Received response ID 81, code 2, length = 20
Received response ID 165, code 3, length = 20
Received response ID 157, code 2, length = 20
Received response ID 119, code 2, length = 20
[root at sparky performance]#


Tim


> -----Original Message-----
> From: freeradius-users-
> bounces+tim.sylvester=networkradius.com at lists.freeradius.org
> [mailto:freeradius-users-
> bounces+tim.sylvester=networkradius.com at lists.freeradius.org] On Behalf
> Of Mike
> Sent: Wednesday, July 28, 2010 3:37 PM
> To: FreeRadius users mailing list
> Subject: Re: freeradius and ADSL-Agent-Circuit-Id
>
>
>
> Johan Meiring wrote:
> > On 2010/07/21 11:00 AM, Alan DeKok wrote:
> >>
> >> authorize {
> >>     ...
> >>     if (ADSL-Agent-Circuit-Id&&  \
> >>         ("%{sql: select ...}")) {
> >>         update control {
> >>             Auth-Type := Accept
> >>         }
> >>
> >>     }
> >>     else {
> >>         reject
> >>     }
> >>
> >> }
> >>
> >
> > I disagree with the logic slightly.
> > In my opinion it will also be rejected if ADSL-Agent-Circuit-Id does
> > not exist.
> >
> > As far as I understand, the desirable result is:
> > If the ADSL-Agent-Circuit-Id does *not* exist, normal authentication
> > must happen.
> > If it *does* exist, accept or reject, depending on its value.
> >
> > Would this not work better?
> >
> > authorize {
> >     ...
> >     if (ADSL-Agent-Circuit-Id) {
> >         if ("%{sql: select ...}") {
> >             update control {
> >                 Auth-Type := Accept
> >             }
> >         }
> >         else {
> >             reject
> >         }
> >     }
> > }
> >
> >
> >
> I have been attempting to implement this advice. I can use a 'select
> count(*)' sql query and based on whether the value is 1, I can then set
> Auth-Type := Accept just like it's written above. But, there's
> additional processing that is desirable that I just can't figure out
> how to do here. Instead of just blindly setting Accept, I might want to
> proceed with having the sql module do group processing and so forth to
> finally accumulate all of the reply attributes that apply to this
> request. Maybe that reply is 'Auth-Type := Reject' but then others
> contain 'Accept' along with framed-ip-address and so forth. This would
> involve using a modified sql query in the event that
> ADSL-Agent-Circuit-Id is present, and there doesn't appear to be any
> way at run time to make that selection.
>
> I am getting the impression that perhaps I need to run maybe a second
> server that has its sql configured with queries tailored for the
> presence of this attribute, and then proxy requests from the primary
> server to this one in this case. I could probably run it on loopback on
> another port so that the radius clients don't have to know anything
> about it. Still it's a bit of work but that seems to be the only way
> possible to make sql query one database if the attribute is present,
> and query another if it's not (or, use different queries).
>
> Would love more insight if anyone cares to share.
>
> Thank you.
>
>
>
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
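An added example, not part of Tim's reply or of the FreeRADIUS distribution: the rejected second request in the radclient run above only happens because radcheck carries an `ADSL-Agent-Circuit-Id == circuit-123` row next to the `Cleartext-Password := circuit-123` row. With the authorize rewrite in place, a circuit whose password row was provisioned without that `==` check row is still reachable by anyone who sends the circuit ID as a plain User-Name/User-Password pair, with no ADSL-Agent-Circuit-Id in the request. The SQL below recreates the two rows shown above in a minimal stand-in for radcheck (the five columns from the mysql output; the real FreeRADIUS schema is wider and the column types are assumed), adds a constructed incomplete entry for a hypothetical `circuit-456`, and runs an audit query that lists every circuit-style entry lacking its presence check.

```sql
-- Added example, not part of the original post or of FreeRADIUS.
-- Minimal stand-in for radcheck with the five columns shown in the mysql
-- output above. Column types are assumed; runs on MySQL/MariaDB or SQLite.
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY,
    username  VARCHAR(64)  NOT NULL,
    attribute VARCHAR(64)  NOT NULL,
    op        CHAR(2)      NOT NULL,
    value     VARCHAR(253) NOT NULL
);

-- Correctly provisioned circuit, as in the thread: the '==' row makes the
-- entry match only when the request actually carries ADSL-Agent-Circuit-Id.
INSERT INTO radcheck (id, username, attribute, op, value) VALUES
    (226536, 'circuit-123', 'ADSL-Agent-Circuit-Id', '==', 'circuit-123'),
    (226537, 'circuit-123', 'Cleartext-Password',    ':=', 'circuit-123');

-- Constructed bad entry (hypothetical circuit-456): password row present,
-- '==' check row forgotten. The authorize rewrite still lets the NAS
-- authenticate it by circuit ID, but so can a client that just sends
-- User-Name = "circuit-456" / User-Password = "circuit-456".
INSERT INTO radcheck (id, username, attribute, op, value) VALUES
    (226538, 'circuit-456', 'Cleartext-Password',    ':=', 'circuit-456');

-- Audit: entries following the circuit convention used above (password
-- equal to username) that have no matching 'ADSL-Agent-Circuit-Id ==' row.
SELECT p.username
  FROM radcheck AS p
 WHERE p.attribute = 'Cleartext-Password'
   AND p.value     = p.username
   AND NOT EXISTS (
       SELECT 1
         FROM radcheck AS c
        WHERE c.username  = p.username
          AND c.attribute = 'ADSL-Agent-Circuit-Id'
          AND c.op        = '=='
          AND c.value     = p.username
   );

-- Remediation for each username the audit returns: add the missing check row.
INSERT INTO radcheck (id, username, attribute, op, value) VALUES
    (226539, 'circuit-456', 'ADSL-Agent-Circuit-Id', '==', 'circuit-456');
```

Run against the rows above, the audit query returns only circuit-456; after the final INSERT it returns nothing. Re-running the four-request radclient file against the real server after provisioning is the end-to-end check: the request carrying the circuit ID only as User-Name/User-Password must come back as code 3, the ones carrying ADSL-Agent-Circuit-Id as code 2.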





More information about the Freeradius-Users mailing list