On 7 Oct 2013, at 09:59, Jonathan Gazeley <Jonathan.Gazeley@bristol.ac.uk> wrote:
On 07/10/13 08:40, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
if (Service-Type == "NAS-Prompt-User") { if (NAS-IP-Address =~ /^172\.17\.107\./) { if (User-Name =~ /^wisms\-testing/) { update control { Auth-Type := Accept } ouch do you realise how dangerous that is? there should be no need to send an access accept packet back to these probes - a reject should suffice - and that would stop an end user subverting your system by simply using that UserName (if they are using wpa_supplicant they could add that NAS-Prompt-User attribute)
alan -
We're finding these nuggets of code as we dig deeper into James's legacy config. If the Access-Accept response is not required, then presumably I can ditch that entire code block and let the wisms-testing auth attempt go through the system as any other user.
Yes, or immediately reject that user in the authorise section. Rejecting immediately just makes things more efficient, particularly if the wism is doing a check because it has marked the server as dead. Test it, see what happens. Regards Scott