Two different sources, one with a single value
Alan DeKok
aland at ox.org
Thu Sep 15 22:53:55 CEST 2005
Martin.Ward at uk.neceur.com wrote:
> Using the above example, the system that passes the MAC
> address in to find out if it's valid passes the MAC address in both the
> User-Name and User-Password fields.
Uh, no.
> >> passwd mac_address {
> >> filename = /var/mac_addresses
> >> format = "*User-Name"
There's no "User-Password" field there, so it can't check that. And
the passwd module doesn't do enforcement checking, it's just a lookup
table.
> I was hoping to be able to get away with just authenticating against
> the User-Name and having just one field in the table,
Sure, but then you've got to set Auth-Type := Accept.
> As for authorizing, surely for the MAC address checking I don't need
> to have an authorize section, the authenticate section verifies if
> the MAC address is in the table or not and if it is, it passes it
> in?
No. The "passwd" module runs in the authorization section.
> Then again, if I am authenticating against the MAC address and then
> authorizing against the unix login ID and password, does this mean a given
> user has to be in BOTH tables to gain access?
You have "authorization" and "authentication" inverted in the above example.
Alan DeKok.