Howto Authenticate Undefined Users

Ivan Kalik tnt at kalik.net
Thu Sep 10 00:06:06 CEST 2009


> On Wed, Sep 09, 2009 at 05:10:46PM +0200, Matthias Cramer wrote:
> [..]
>> Normal users get authenticated normally, get static or dynamic IPs and
>> so on.
>> Users not in the SQL database should get assigned a VRF group and an IP
>> pool for assigning IPs
>> (I know how to do that with Cisco-AVPairs).
>
> I'm not sure this is the right way of doing it (and I'd love to see the
> right one) but something like this worked for me:
>
> (in authenticate section, assuming you're doing CHAP):
>
> Auth-Type CHAP {
>     chap {
>         ok = return
>         reject = 1
>     }
>
>     if (reject) {
>         update reply {
>             Filter-Id := "somefilter"
>             Filter-Id += "someotherfilter"
>             ...
>         }
>         ok
>     }
> }

That's not going to work.

1. Server will respond with Access-Reject.

2. Attribute filter in Post-Auth-Type Reject will strip these attributes.

This will work (for PAP and not much else):

in authorize after sql put this unlang section:

if (notfound) {
    # sql returned notfound: the user is not in the database
    update control {
        Auth-Type := "Accept"
    }
    update reply {
        whatever
    }
}

But ... breaking the RADIUS server in order to send Access-Accept for
unknown/bad users is a *very* bad idea. FreeRADIUS is designed to protect
you from such users as they can be malicious. If you do this you are
opening your network to a DoS attack.

If you want to let unauthenticated users onto your network, don't break
the RADIUS server in order to do that. Use the thing that is designed for it:
the network access server (NAS). If your NAS doesn't support this, use a captive
portal.

Ivan Kalik
Kalik Informatika ISP
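The two reasons given in the reply above can be checked against the stock FreeRADIUS virtual server. The fragment below is an added illustration by the editor, not code from either poster; it reproduces the shape of the default post-auth section in raddb/sites-available/default (FreeRADIUS 2.x era) and the attribute list in the comment is abridged from the default attrs.access_reject filter as I remember it, so treat it as an assumption and check your own installation.

```unlang
# Illustration of the default virtual server (editor's example, not from the
# thread). The section and module names below are the stock ones.
#
# When the authenticate section ends in "reject", the server has already
# decided on an Access-Reject (reason 1 in the reply above). It then runs the
# Post-Auth-Type REJECT sub-section instead of the normal post-auth body, and
# that sub-section applies attr_filter.access_reject (reason 2): the default
# filter keeps only a short list of attributes (Reply-Message, EAP-Message,
# Message-Authenticator, MS-CHAP-Error, State, FreeRADIUS-Response-Delay),
# so a Filter-Id added from an "if (reject) { update reply { ... } }" block is
# silently dropped before the packet is sent.
post-auth {
    # normal accept path omitted
    ...

    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
```

To confirm the behaviour on a test box, run the server in debug mode (radiusd -X) and send one request for an unknown user: the debug output shows the authenticate section returning reject, the REJECT sub-section being entered, and attr_filter reporting the attributes it removed.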
