On 2010/07/20 10:50 PM, Mike wrote:
authorize {
if %{ADSL-Agent-Circuit-Id} { update request { User-Name := "%{ADSL-Agent-Circuit-Id}" Password := "%{ADSL-Agent-Circuit-Id}" } }
Make sure that to add the User-Name (ADSL-Agent-Circuit-Id) to radcheck and set the password to the value of ADSL-Agent-Circuit-Id.
+--------+-----------+--------------------+----+-----------+ | id | username | attribute | op | value | +--------+-----------+--------------------+----+-----------+ | 226529 | adslagent | Cleartext-Password | := | adslagent | +--------+-----------+--------------------+----+-----------+ This opens up a security hole I wish to avoid - if someone knows what my circuit Id's look like, and that database is used in any context where a user can send an id/password to authenticate that does NOT have ADSL-Agent-Cirtcuit-Id in it, then I've created a bunch of known user id's for the bad guys to use. I am happy having a non-default sql database schema but I think I really need the sql lookup to be being based on ADSL-Agent-Circuit-Id and not User-Name.
Mike-
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
How about this: I'm 100% sure my syntax is wrong today (I'm not an unlang master yet), but the idea should work. Opinions? authorize { if %{ADSL-Agent-Circuit-Id} { if (%{sql: select count(*) from CircuitIdList where CircuitId='%{ADSL-Agent-Circuit-Id}'} > 1) { Auth-Type = Accept } else { Auth-Type = Reject } } -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782