On 06/01/11 15:58, Alexander Clouter wrote:
Phil Mayers<p.mayers@imperial.ac.uk> wrote:
I setup mac_auth as in the freeradius wiki and its not working, am unable to debug further.
Hmm. This:
http://wiki.freeradius.org/index.php?title=Mac-Auth
...seems like it's a bit... over-engineered?
I think it's Arran who maintains that page, however the rewrite_calling_station_id looks like it was palmed off me at some stage. That *is* needed unless you are quite-quite-mad and enjoy twenty different representations for your MAC addresses in your databases :)
Sure; we have something similar We *actually* abuse Postgres' macaddr datatype by doing this: update request { Calling-Station-Id = "%{sql:select '%{Calling-Station-Id}'::macaddr}" } ...which handles all the various cases quite nicely, but returns Postgres' :-separated version, which is fine (and what we prefer). It might be nice if FreeRadius had a "tomac" xlat.
Anyone who wrote the page, and why it uses that method?
The page looks fine to me, is it the enforcing and checking for RFCness
*What* RFCness?
that seems overkill to you? Cisco switches use PAP instead of CHAP, but other than that whats the problem?
I've never seen a mac-auth implementation sending CHAP requests, which seems like lunacy, so have never considered there might be a need to execute the "authenticate" section, or synthesise a Cleartext-Password. But even so, I don't see the value in executing a modules .authorize handler in the post-auth section, or having a whole separate Auth-Type value. Why not just do all that you need after the comparison to check it's a mac-auth request i.e.: authorize { clean_mac if ((Service-Type == Call-Check) || ...) { authorized_macs if (!ok) { reject } if (CHAP-Password) { update control { Cleartext-Password := "%{User-Name}" } } else { update control { Auth-Type = Accept } } } chap mschap eap # etc. } What am I missing? Shrug. Not a big deal really. To each his own.