Nas-Port-Id as username.

Alan DeKok aland at deployingradius.com
Wed Apr 25 16:11:20 CEST 2012


Xbert_badstuber wrote:
> The ACS requires a USERNAME and there is not a way to manipulate the
> User-Name value once it is received.   

  Ugh.  Use a real RADIUS server. :)

> We heard that it could be possible to use FreeRADIUS to act as a proxy
> for the Cisco Secure ACS.
> 
> This is what we want: 
> 
> User --> [SR] --> User-Name = “MAC:xx.xx.xx.xx” Password = “secret”
> NAS-Port-Id = 1/1/4.1001.129 --> [FR] --> User-Name = “1/1/4.1001.129”
> Password = “secret” --> [ACS 5.3] 
> 
> Is there a solution for this option in FreeRADIUS?

  Yes.  "man unlang".  You can update any attribute to have any value.

> Is there a way to manipulate the User-Name sent from the service router
> (MAC address), and change it to its NAS-Port-Id before it reaches the ACS
> RADIUS with help from FreeRADIUS acting as a proxy?

authorize {
	...
	update request {
		User-Name := "%{NAS-Port-Id}"
	}
	...
}

  This kind of thing is trivial to do in FreeRADIUS.  Perhaps that's why
it's free... because it works.  You have to pay large amounts of money
to get products that don't do what you want.

  Alan DeKok.
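
The rewrite from the reply above with a guard for requests that carry no NAS-Port-Id, as an added example that is not part of the original post. The realm name "acs" is an assumption and has to exist in proxy.conf with the ACS as its home server; the other modules of the authorize section are left as they are in the existing configuration.

```unlang
authorize {
	# ... existing modules stay here ...

	# If NAS-Port-Id is absent, "%{NAS-Port-Id}" expands to an empty
	# string and the ACS would receive an empty User-Name. Refuse the
	# request here instead of proxying it.
	if (!NAS-Port-Id) {
		reject
	}
	else {
		# Replace the MAC-based User-Name with the port identifier.
		update request {
			User-Name := "%{NAS-Port-Id}"
		}
		# Hypothetical realm name (assumption): forward the rewritten
		# request to the home server defined for it in proxy.conf.
		update control {
			Proxy-To-Realm := "acs"
		}
	}
}
```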

