SQL Mac-Authentication based on Call-Check

Jonathan De Graeve Jonathan.De.Graeve at imelda.be
Wed Nov 23 23:05:25 CET 2005


If I understand this correctly I could have 3 ways to do RADIUS MAC
Authentication:

1) (Enterasys seems to do it like this):
   Username == mac, password == default password set in the NAS and that
   matches the pass in the 'radcheck' table but is different from the NAS
   secret
2) (like it seems most vendors are doing it):
   Username == mac, password == nas-secret (but this also needs
   username(mac)/password(nas-secret) pairs in the 'radcheck' table)
3) calling-station-id == mac, username == mac, password == NULL,
   service-type == Call Check (10) and Auth-Type := Accept

My questions:
a) Could I have a security problem with 2 or 3?
b) Any suggestions to choose between 1, 2 or 3 or 'just choose whatever
works'?

Kind Regards,

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
Jonathan.de.graeve at imelda.be


> -----Original message-----
> From: freeradius-users-bounces at lists.freeradius.org
> [mailto:freeradius-users-bounces at lists.freeradius.org] On behalf of Alan DeKok
> Sent: Wednesday, 23 November 2005 19:33
> To: FreeRadius users mailing list
> Subject: Re: SQL Mac-Authentication based on Call-Check
> 
> florian broder <flobroed at googlemail.com> wrote:
> > The only thing I'm currently unaware of is, where I can tell freeradius to
> > use Call-Check together with mysql, I think it's somewhere in sql.conf?
> 
>   No, it's also in the "radcheck" table.
> 
> > Only thing that needs to be done IMO is to tell radius, that there is no
> > username and authentication needs to be done on a caller-id basis.
> 
>   In radcheck, also set "Auth-Type := Accept" if the MAC & Call-Check
> match.
> 
>   Alan DeKok.
> 
> 
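
A simplified model of option 3 using the radcheck rows described in the reply above, added here as an example (not code from the thread or from FreeRADIUS). The MAC address, the Calling-Station-Id format and the Python matching logic are assumptions; it shows that Auth-Type := Accept only takes effect when the Service-Type and Calling-Station-Id checks both match.

```python
import sqlite3

# Constructed sample rows (hypothetical MAC) in the standard radcheck layout.
ROWS = [
    ("001122334455", "Calling-Station-Id", "==", "001122334455"),
    ("001122334455", "Service-Type", "==", "Call-Check"),
    ("001122334455", "Auth-Type", ":=", "Accept"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,"
               " attribute TEXT, op TEXT, value TEXT)")
    db.executemany("INSERT INTO radcheck (username, attribute, op, value)"
                   " VALUES (?, ?, ?, ?)", ROWS)
    return db

def authorize(db, request):
    """Simplified model of check-item processing, not FreeRADIUS code.
    '==' rows must equal the request attribute; ':=' rows become control items.
    Returns the control items, or None when the user is unknown or a check fails."""
    rows = db.execute("SELECT attribute, op, value FROM radcheck"
                      " WHERE username = ? ORDER BY id",
                      (request.get("User-Name"),)).fetchall()
    if not rows:
        return None
    control = {}
    for attribute, op, value in rows:
        if op == "==" and request.get(attribute) != value:
            return None
        if op == ":=":
            control[attribute] = value
    return control

def decision(db, request):
    # Model assumption: with no Auth-Type set, the request is rejected.
    control = authorize(db, request)
    accepted = control is not None and control.get("Auth-Type") == "Accept"
    return "Access-Accept" if accepted else "Access-Reject"

def call_check(mac, service_type="Call-Check", caller=None):
    # Build a constructed request the way option 3 describes it.
    return {"User-Name": mac, "Service-Type": service_type,
            "Calling-Station-Id": mac if caller is None else caller}
```

Without the Service-Type row, any request that presents the MAC as its username would pick up the Accept, so that check is what limits the rule to Call-Check requests in this model.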





