Users file giving me headaches :)
Hello folks, For quite some time now I'm struggling with a problem I have no clue how to solve... Consider the following: zro Auth-Type := MD5, User-Password := 9bb05e8970a8c18991d3048f3f5ad976, Calling-Station-Id == 00:16:EC:54:2E:C4, Simultaneous-Use := 1 Mikrotik-Rate-Limit = "128k/192k 128k/384k 64k/64k 1/8" This is an example of an user account on my ISP. As you can see we also check the "Caller-ID" (MAC address) on the authentication process of our PPPOE customers. The problem is: we also provide free dialup connection to these customers. When connected via dialup we get the phone number as CallerID so, obviously, it doesn't match the MAC address and the authentication fails. Is there any way I can instruct the Radius to do like a logical OR check? Like: if (NAS-IP-Address != "10.200.200.2") { Calling-Station-Id has to be 00:16:EC:54:2E:C4 } else { Ignore the Calling-Station-Id, check only the password } Maybe it is just ask too much... For now, I've been ignoring the dialup users, allowing them to authenticate with any login or password using this in the begging of users file: DEFAULT NAS-IP-Address == 10.200.200.2, Auth-Type := Accept This way is not good because many people are now using our service without even being customers... My only option, if I can't solve this, is to make a secondary Radius server just to authenticate them. -- Marcelus Trojahn --- avast! Antivirus: Outbound message clean. Virus Database (VPS): 000722-1, 07/03/2007 Tested on: 7/3/2007 11:49:19 avast! - copyright (c) 1988-2007 ALWIL Software. http://www.avast.com
Marcelus Trojahn wrote:
Hello folks,
For quite some time now I'm struggling with a problem I have no clue how to solve...
Consider the following: zro Auth-Type := MD5, User-Password := 9bb05e8970a8c18991d3048f3f5ad976, Calling-Station-Id == 00:16:EC:54:2E:C4, Simultaneous-Use := 1 Mikrotik-Rate-Limit = "128k/192k 128k/384k 64k/64k 1/8"
In 1.1.4 && later, you don't need to set Auth-Type like this. See "man rlm_pap" for details. It also makes the configuration much simpler.
Is there any way I can instruct the Radius to do like a logical OR check? Like:
if (NAS-IP-Address != "10.200.200.2") { Calling-Station-Id has to be 00:16:EC:54:2E:C4 } else { Ignore the Calling-Station-Id, check only the password }
Set up two modules. Use rlm_passwd to put the Calling-Station-Id's into an internal group (say My-Group), and then do: DEFAULT NAS-IP-Address != 10.200.200.2, My-Group != "foo", Auth-Type := Reject DEFAULT do password checks... Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Marcelus Trojahn