I guess you've got somewhere a record with a serial number, password and optional user name.
For testing, I'm copying credentials from an application we use/host which does include all of those.
If you're doing EAP then you can't rewrite the User-Name so will need to come up with something else.
I will be using EAP. If I leave unlang as is, I could rely on SQL to look for the username/serial. For example: select * from radcheck; id | username | attribute | op | value | serial ----+---------------+----------------------+----+---------------+----------------- 1 | myself | User-Password | := | test-pass | 987688113 User logs in with serial: User-Name = "987688113" The new SQL query could be: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE (Username = '987688113' OR serial = '987688113') ORDER BY id; -- David Teston PINES System Administrator Georgia Public Library Service 1800 Century Place, Suite 150 Atlanta, GA 30345 Office: 404-235-7206 Mobile: 404-623-8676 dteston@georgialibraries.org http://georgialibraries.org On Tue, Nov 29, 2016 at 10:51 AM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Tue, Nov 29, 2016 at 10:27:58AM -0500, David Teston wrote:
I'd like to enable users to enter their username OR serial number as the &User-Name variable, then let /policy.d/filter determine how to process it. This would also require that I add an attribute in the radcheck table and restructure my SQL queries.
The serial number is stored as text. All users know their serial numbers, but not all users have a username which is how this issue arose.
Haven't got a great deal of info about your setup, but I guess you've got somewhere a record with a serial number, password and optional user name.
So unlang that looks at the User-Name and if it looks like a serial number, do the appropriate sql/ldap/other database lookup to pull that password into Cleartext-Password. Otherwise if it doesn't look like a serial number, lookup the username instead (watching the null case).
Or alternatively, if you detect username not being a serial number, do some unlang to pull the correct appropriate serial number and replace the User-Name attribute with that, then proceed as normal.
This sort of thing will work with PAP auth. If you're doing EAP then you can't rewrite the User-Name so will need to come up with something else... but same sort of idea. Look up the username that's relevant based on the form of User-Name you get.
Matthew
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html