freeradius and ADSL-Agent-Circuit-Id
Mike
mike-freeradius at tiedyenetworks.com
Tue Jul 20 22:50:46 CEST 2010
Tim Sylvester wrote:
> Add this into the authorize section:
>
>
> authorize {
>
>     # Only when the DSLAM inserted a circuit ID into the request
>     if (ADSL-Agent-Circuit-Id) {
>         update request {
>             User-Name := "%{ADSL-Agent-Circuit-Id}"
>             # User-Password is the attribute the sql module compares against
>             User-Password := "%{ADSL-Agent-Circuit-Id}"
>         }
>     }
> }
>
> Make sure to add the User-Name (ADSL-Agent-Circuit-Id) to radcheck and
> set the password to the value of ADSL-Agent-Circuit-Id.
>
> +--------+-----------+--------------------+----+-----------+
> | id     | username  | attribute          | op | value     |
> +--------+-----------+--------------------+----+-----------+
> | 226529 | adslagent | Cleartext-Password | := | adslagent |
> +--------+-----------+--------------------+----+-----------+
>
This opens up a security hole I wish to avoid - if someone knows what my
circuit IDs look like, and that database is used in any context where a
user can send an id/password to authenticate that does NOT have
ADSL-Agent-Circuit-Id in it, then I've created a bunch of known user
IDs for the bad guys to use. I am happy having a non-default sql
database schema but I think I really need the sql lookup to be
based on ADSL-Agent-Circuit-Id and not User-Name.
Mike-
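One way to do what Mike is asking for, as an added example that is not from either poster: key the sql module's check-item query on ADSL-Agent-Circuit-Id instead of User-Name, and only call sql when that attribute is present, so the rows are never reachable from a plain username/password request. The query text, the `Auth-Type := Accept` row and the authorize section below are assumptions about a FreeRADIUS 2.x setup, not stock configuration.

```conf
# --- sql module query config (FreeRADIUS 2.x, e.g. sql/mysql/dialup.conf) ---
# Lookup keyed on the circuit ID the DSLAM inserted, not on User-Name.
# Values expanded by the sql module inside a query are escaped according
# to its safe-characters setting, so the quoted %{...} below is not raw SQL.
authorize_check_query = "SELECT id, username, attribute, value, op \
    FROM ${authcheck_table} \
    WHERE username = '%{ADSL-Agent-Circuit-Id}' \
    ORDER BY id"

authorize_reply_query = "SELECT id, username, attribute, value, op \
    FROM ${authreply_table} \
    WHERE username = '%{ADSL-Agent-Circuit-Id}' \
    ORDER BY id"

# Assumed radcheck row for one circuit (constructed example, not real data):
#   | id | username            | attribute | op | value  |
#   | 1  | dslam01 eth 1/2:100 | Auth-Type | := | Accept |
# No password is stored per circuit, so there is nothing for an attacker
# who learns the circuit-ID format to replay as a username/password pair.

# --- sites-enabled/default, authorize section ---
authorize {
    preprocess

    # Consult the circuit-ID table only when the request carries the
    # attribute; a request without it expands to an empty key and, because
    # of the else branch, never reaches sql at all.
    if (ADSL-Agent-Circuit-Id) {
        sql
    }
    else {
        reject
    }
}
```

Which NAS/DSLAM clients are allowed to reach this virtual server remains the control against a spoofed ADSL-Agent-Circuit-Id, since the attribute itself is just what the NAS chose to send.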
More information about the Freeradius-Users mailing list