[authorized_macs.authorize] returns noop
Alexander Clouter
alex at digriz.org.uk
Thu Jan 6 18:48:21 CET 2011
Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>
>> I think it's Arran who maintains that page, however the
>> rewrite_calling_station_id looks like it was palmed off me at some
>> stage. That *is* needed unless you are quite-quite-mad and enjoy twenty
>> different representations for your MAC addresses in your databases :)
>
> Sure; we have something similar
>
> We *actually* abuse Postgres' macaddr datatype by doing this:
>
Goddamnit, first I discover all the CIDR bits and think how great that
is, but I never thought to look if there was a MAC address one.
> update request {
> Calling-Station-Id = "%{sql:select '%{Calling-Station-Id}'::macaddr}"
> }
>
Not quite there, but it could be IC's entry for the DWTF? ;P
On a serious note, that is going to be a ballache if your SQL server
goes walkies...
> ...which handles all the various cases quite nicely, but returns
> Postgres' :-separated version, which is fine (and what we prefer).
>
My brain prefers ':', however '-' was in an RFC I read some time back
when reading about Called-Station-Ids and SSIDs:
http://tools.ietf.org/html/rfc3580#section-3.20
>>> Anyone who wrote the page, and why it uses that method?
>>>
>> The page looks fine to me, is it the enforcing and checking for RFCness
>
> *What* RFCness?
>
Apparently, guessing this is Arran spending too much time absorbing the IETF
website, RFC2865 says "thou shalt use 'Call-Check' for mac-auth", I
have not read it myself.
>> that seems overkill to you? Cisco switches use PAP instead of CHAP, but
>> other than that what's the problem?
>
> I've never seen a mac-auth implementation sending CHAP requests, which
> seems like lunacy, so have never considered there might be a need to
> execute the "authenticate" section, or synthesise a Cleartext-Password.
>
...but this is what makes HP special :)
http://wiki.freeradius.org/index.php?title=HP#Mac-Based
I agree, it is rather daft, I'm surprised User-Password even appears for
a PAP approach.
> But even so, I don't see the value in executing a module's .authorize
> handler in the post-auth section, or having a whole separate Auth-Type
> value.
>
Right, this I agree with, I nuke the request in authorize too.
> Shrug. Not a big deal really. To each his own.
>
Many ways to skin this cat...
Cheers
--
Alexander Clouter
.sigmonster says: Really?? What a coincidence, I'm shallow too!!
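
The normalisation discussed in this thread can be done locally, so that MAC-auth lookups do not depend on the SQL server being reachable. The following is an added example, not code from either poster or from FreeRADIUS: it accepts the common MAC layouts and emits the upper-case, '-'-separated form given in RFC 3580. The function name `normalize_mac` and the sample values are constructed for illustration.

```python
import re

# Accepted layouts (assumption: these cover what the NAS fleet sends):
#   six 2-digit groups with ONE consistent separator, e.g. 00:10:a4:23:19:c0
#   three 4-digit groups (Cisco style),               e.g. 0010.a423.19c0
#   twelve bare hex digits,                           e.g. 0010a42319c0
_LAYOUTS = (
    re.compile(r"[0-9a-f]{2}([:\-.])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}", re.I),
    re.compile(r"[0-9a-f]{4}([.\-])[0-9a-f]{4}\1[0-9a-f]{4}", re.I),
    re.compile(r"[0-9a-f]{12}", re.I),
)


def normalize_mac(value, sep="-"):
    """Return the MAC as upper-case octets joined by `sep`, or None.

    None means "not a MAC address": the caller should leave the attribute
    untouched rather than store a half-rewritten value, so a username or a
    malformed string never collides with a real device entry.
    """
    candidate = value.strip()
    # fullmatch() rejects trailing junk and mixed separators outright.
    if not any(p.fullmatch(candidate) for p in _LAYOUTS):
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", candidate).upper()
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2))


if __name__ == "__main__":
    # Constructed sample Calling-Station-Id values, one per layout plus rejects.
    samples = [
        "00:10:a4:23:19:c0",
        "00-10-A4-23-19-C0",
        "0010.a423.19c0",
        "0010a42319c0",
        "00:10-a4:23:19:c0",   # mixed separators: rejected
        "00:10:a4:23:19",      # five octets: rejected
        "bob",                 # not a MAC at all: rejected
    ]
    for raw in samples:
        print(f"{raw!r:24} -> {normalize_mac(raw)!r}")
```

Passing `sep=":"` gives the ':'-separated form instead; whichever is chosen, the stored device list has to use the same one.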