Martin.Ward@uk.neceur.com wrote:
Using the above example, the system that passes the MAC address in to find out if it's valid passes the MAC address in both the User-Name and User-Password fields.
Uh, no.
passwd mac_address { filename = /var/mac_addresses format = "*User-Name"
There's no "User-Password" field there, so it can't check that. And the passwd module doesn't do enforcement checking, it's just a lookup table.
I was hoping to be able to get away with just authenticating against the User-Name and having just one field in the table,
Sure, but then you've got to set Auth-Type := Accept.
As for authorizing, surely for the MAC address checking I don't need to have an authorize section, the authenticate section verifies if the MAC address is in the table or not and if it is, it passes it in?
No. The "passwd" module runs in the authorization section.
Then again, if I am authenticating against the MAC address and then authorizing against the unix login ID and password, does this mean a given user has to be in BOTH tables to gain access?
You have "authorization" and "authentiction" inverted in the above example. Alan DeKok.