RE: SQL Mac-Authentication based on Call-Check
If I understand this correctly I could have 3 ways to do RADIUS MAC Authentication: 1) (enterasys seems to do it like this) Username == mac, password == default password set in the nas and that matches the pass in the 'radcheck' table but different from the nas secret 2) (like it seems most vendors are doing it): Username == mac, password == nas-secret (but this also needs username(mac)/password(nas-secret) pairs in 'radcheck' table 3) calling-station-id == mac, username == mac, password == NULL, service-type == Call Check (10) and Auth-Type := Accept My questions: a)could I have a security problem with 2 or 3? b)any suggestions to choose between 1, 2 or 3 or 'just choose whatever works'? Kind Regards, -- Jonathan De Graeve Network/System Administrator Imelda vzw Informatica Dienst 015/50.52.98 Jonathan.de.graeve@imelda.be
-----Oorspronkelijk bericht----- Van: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius- users-bounces@lists.freeradius.org] Namens Alan DeKok Verzonden: woensdag 23 november 2005 19:33 Aan: FreeRadius users mailing list Onderwerp: Re: SQL Mac-Authentication based on Call-Check
florian broder <flobroed@googlemail.com> wrote:
The only thing I'm currently unaware of is, where I can tell freeradius to use Call-Check together with mysql, I think it's somewhere in sql.conf?
No, it's also in the "radcheck" table.
Only thing that need to be done IMO is to tell radius, that there is no username and authentication needs to be done on a caller-id basis.
In radcheck, also set "Auth-Type := Accept" if the MAC & Call-Check match.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (1)
-
Jonathan De Graeve