<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hi,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> Yes, that makes sense, although the mac address was already being reported on the switch. It’s not having any negative effect anyway, so I’m happy.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Andy<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] <b>On Behalf Of </b>Matthias Nagel<br><b>Sent:</b> 21 May 2013 23:23<br><b>To:</b> freeradius-users@lists.freeradius.org<br><b>Subject:</b> AW: RE: Help with chap<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Hello,<o:p></o:p></p></div><div><p class=MsoNormal>actually this behaviour is totally correct. The switch tries to authenticate a client when the switch learns the client's MAC address. As the MAC address is extracted from the Ethernet header, there must be some packets sent from the client in order to do so. 
If the client is quiet, the switch cannot do anything about it.<o:p></o:p></p></div><div><p class=MsoNormal>Matthias<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><div><p class=MsoNormal><span style='font-size:9.0pt;color:#575757'>Matthias Nagel<br>Willy-Andreas-Allee 1, Zimmer 506<br>76131 Karlsruhe<br><br>Phone: +49-721-8695-1506<br>Mobile: +49-151-15998774<br>ICQ: 499797758<br>Skype: nagmat84<o:p></o:p></span></p></div></div><p class=MsoNormal><br>"Franks Andy (RLZ) IT Systems Engineer" <<a href="mailto:Andy.Franks@sath.nhs.uk">Andy.Franks@sath.nhs.uk</a>> wrote:<br>..Just an update.. might be interesting for people - rebooted the switch<br>and not all clients were authenticated, but it seems all those that<br>weren't have 0 bytes for all statistics, tx, rx etc. So I guess they are<br>switched off and the switch seems to need some packets to flow for it to<br>"detect" that the client needs authenticating. <br>Otherwise it looks like it will sit with the port in an up state<br>unauthenticated all day long. I guess this sort of makes sense, but in my<br>simple view of how things work this isn't intuitive. Also HP manuals don't<br>seem to mention it..<br>Thanks<br>Andy<br><br>-----Original Message-----<br>From:<br>freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org<br>[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Franks Andy (RLZ) IT Systems Engineer<br>Sent: 21 May 2013 22:27<br>To: FreeRadius users mailing list<br>Subject: RE: Help with chap<br><br>Thanks Phil. I'll keep that up my sleeve for future use. We tend to<br>separate admin / wireless / mac-based auth off on to different radius<br>boxes. Keeps things a bit easier. Not sure what cisco do, but a lot of<br>their stuff tends to be pap or eap. HP doing chap here seems to limit<br>quite a lot of backend options. 
<br>It's still also the only protocol, or so it seems, chosen for iscsi<br>authentication, which is an interesting choice considering its<br>vulnerabilities. Guess ipsec gets used instead where it needs to be<br>secure.<br>Now to work out the useraccountcontrol setting. Seems to be different in<br>users and computers than in an ldap viewer, but the ldap is probably a<br>decimal conversion or something.<br>Thanks again<br> Andy<br><br>-----Original Message-----<br>From:<br>freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org<br>[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Phil Mayers<br>Sent: 21 May 2013 08:06<br>To: freeradius-users@lists.freeradius.org<br>Subject: Re: Help with chap<br><br>On 05/21/2013 07:55 AM, Franks Andy (RLZ) IT Systems Engineer wrote:<br><br>> Can I just use the authorize section to set the password to be the <br>> same as the username, i.e. the mac address, after checking some basics<br>> like whether the user exists in ldap and perhaps the <br>> useraccountcontrol value, then in the authorize section just let the <br>> chap bit work on the assigned password?<br><br>Yes. In fact that's the best approach. Something like:<br><br>authorize {<br> ...<br> if (some condition) {<br> update control {<br> Cleartext-Password := "%{User-Name}"<br> }<br> }<br> ...<br>}<br><br>"some condition" would normally be some sort of check to ensure it was a<br>macauth-via-CHAP request - obviously you wouldn't want to force<br>password==username for a PPP/EAP/other "real" user request. On the other<br>hand if your server / virtual server only receives this traffic, you can<br>omit the condition.<br><br>I really dislike vendors who do macauth as CHAP. It seems to completely<br>lack value, and adds complexity. Le sigh..<br>-<br>List info/subscribe/unsubscribe? 
See<br><a href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a><o:p></o:p></p></div></body></html>
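As an added example (not from the thread and not FreeRADIUS code), a small Python model of the policy Phil describes: the "some condition" that restricts Cleartext-Password := User-Name to MAC-auth-via-CHAP requests, and the RFC 1994 CHAP verification that the server then performs against that cleartext password. The attribute names are the standard RADIUS ones; the MAC username pattern, the EAP exclusion and the sample Access-Request are assumptions constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed model (not FreeRADIUS code) of the quoted authorize policy and of
# the CHAP check the server performs once it knows the cleartext password.

# Username forms a switch typically sends for MAC auth (assumption):
# 001122aabbcc, 00:11:22:aa:bb:cc or 00-11-22-aa-bb-cc.
MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]?){5}[0-9a-f]{2}$", re.IGNORECASE)


def is_macauth_chap(attrs):
    """The 'some condition' from the thread: User-Name looks like a MAC,
    the request carries CHAP-Password, and it is not an EAP request."""
    user = attrs.get("User-Name", "")
    return (MAC_RE.match(user) is not None
            and "CHAP-Password" in attrs
            and "EAP-Message" not in attrs)

def authorize(attrs):
    """authorize stage: control list gets Cleartext-Password := User-Name
    only for MAC-auth-via-CHAP requests, so real users are never affected."""
    control = {}
    if is_macauth_chap(attrs):
        control["Cleartext-Password"] = attrs["User-Name"]
    return control

def chap_response(ident, password, challenge):
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def authenticate_chap(attrs, control, request_authenticator):
    """Server-side CHAP check: recompute the response from the cleartext
    password. Challenge is CHAP-Challenge if sent, else the Access-Request's
    Request-Authenticator (RFC 2865)."""
    if "Cleartext-Password" not in control or "CHAP-Password" not in attrs:
        return False
    chap = attrs["CHAP-Password"]  # 1 byte CHAP ident + 16 byte MD5 response
    if len(chap) != 17:
        return False
    challenge = attrs.get("CHAP-Challenge", request_authenticator)
    password = control["Cleartext-Password"].encode()
    return hmac.compare_digest(chap[1:], chap_response(chap[0], password, challenge))

def build_chap_request(mac, ident, challenge):
    """Constructed Access-Request as a switch doing MAC auth via CHAP sends it."""
    return {"User-Name": mac, "CHAP-Challenge": challenge,
            "CHAP-Password": bytes([ident]) + chap_response(ident, mac.encode(), challenge)}
```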