Auth-Test accounts in "users" file
Is it possible/appropriate to have some test accounts in the "users" file, along with an Auth-Type set to which auth type this account can be used for? We're testing a client that we're building (based on wpa_supplicant on linux), so would like to confirm the different auth methods are actually connecting as configured. I was thinking something like: test-pap Auth-Type = PAP, User-Password := "pap-test" test-chap Auth-Type = CHAP, User-Password := "chap-test" I guess the question is how to do all the options that are inside EAP.. -- James A. McOrmond Network Administrator Xandros Corporation, Ottawa, Canada. Morpheus: ...after a century of war I remember that which matters most: *We are still HERE!*
James McOrmond wrote:
Is it possible/appropriate to have some test accounts in the "users" file, along with an Auth-Type set to which auth type this account can be used for?
Yes. But don't set Auth-Type. Please.
We're testing a client that we're building (based on wpa_supplicant on linux), so would like to confirm the different auth methods are actually connecting as configured.
I would say to use 2.0. The new "unlang" policy language makes this much easier.
I was thinking something like:
test-pap Auth-Type = PAP, User-Password := "pap-test" test-chap Auth-Type = CHAP, User-Password := "chap-test"
Or... if (User-Name == "test-pap") { if (User-Password) { update control { Cleartext-Password := "pap-test" } } else { # test failed, do something... reject } } It's a lot more verbose, but also a lot clearer, I think.
I guess the question is how to do all the options that are inside EAP..
The EAP-Type attribute contains the EAP type. It exists after the "eap" module has been executed in the "authorize" section. Alan DeKok.
Alan DeKok wrote:
James McOrmond wrote:
Is it possible/appropriate to have some test accounts in the "users" file, along with an Auth-Type set to which auth type this account can be used for?
Yes. But don't set Auth-Type. Please.
you seem to have a real issue with it :-)
We're testing a client that we're building (based on wpa_supplicant on linux), so would like to confirm the different auth methods are actually connecting as configured.
I would say to use 2.0. The new "unlang" policy language makes this much easier.
I was thinking something like:
test-pap Auth-Type = PAP, User-Password := "pap-test" test-chap Auth-Type = CHAP, User-Password := "chap-test"
Or...
if (User-Name == "test-pap") { if (User-Password) { update control { Cleartext-Password := "pap-test" } } else { # test failed, do something... reject } }
It's a lot more verbose, but also a lot clearer, I think.
I specifically want the test-pap account to fail if the authentication method used is anything but pap. I don't see that restriction here. -- James A. McOrmond (jamesm@xandros.com) Network Administrator Xandros Corporation, Ottawa, Canada. Morpheus: ...after a century of war I remember that which matters most: *We are still HERE!*
James McOrmond wrote:
Yes. But don't set Auth-Type. Please.
you seem to have a real issue with it :-)
Because almost everyone gets it wrong, and then argues about it...
I specifically want the test-pap account to fail if the authentication method used is anything but pap. I don't see that restriction here.
PAP authentication means that there is a User-Password attribute in the request. The sample config I posted checks that, and if there's *no* User-Password, rejects the user. Alan DeKok.
participants (2)
-
Alan DeKok -
James McOrmond