freeradius and ADSL-Agent-Circuit-Id
Mike
mike-freeradius at tiedyenetworks.com
Thu Jul 29 06:17:26 CEST 2010
Tim Sylvester wrote:
> Try the following:
>
> Add this to the top of the Authorize section:
>
>
> if (ADSL-Agent-Circuit-Id) {
>     update request {
>         User-Name := "%{ADSL-Agent-Circuit-Id}"
>         User-Password := "%{ADSL-Agent-Circuit-Id}"
>     }
> }
>
>
Thank you for taking the time to provide this detailed example. I
should have included the previous thread where this was suggested and
that it 'works', but also that it creates a security hole in that an end
user could simply set their user name and password to be the same as a
Circuit-Id, thereby taking advantage of 'known passwords' if anyone
knows what my circuit ids look like.

The task is to set things up so that _only_ in the event that the
request contains an actual ADSL-Agent-Circuit-Id attribute, I don't
bother trying to do chap/pap, but instead I pull everything (including
Access-Accept) from the database indexed by ADSL-Agent-Circuit-Id. If
there is no such attribute, then just proceed as normal. I can use sql
to get a truth value whether the circuit-id is present in a non-default
table, and I can use unlang to update the control with "Auth-Type :=
Accept". This works and results in 'access accept' to the client. But
it does not get me any way to pull attributes specific to this id and
return them to the client.

What I was talking about was perhaps using the presence of
ADSL-Agent-Circuit-Id to decide whether to proxy the request to another
virtual server. I could configure this virtual server to listen on
loopback so the only way to consult it is through the proxy, and I could
configure the sql query used on THIS server to perform the authorization
query. This separation would give me the ability to either engage
chap/pap or not based on presence of the attribute, instead of simply
overwriting the attribute values, which doesn't address my security
concerns. I'm still looking for a good method to accomplish this.

Mike-
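One way to gate on the attribute without ever copying it into User-Name or User-Password, as an added illustration that is not from this thread: the circuit-id is only honoured when the BRAS/DSLAM inserted it, unknown circuits and requests without the attribute fall through to the normal chap/pap path, and the reply attributes come from the lookup table. It assumes FreeRADIUS 2.x unlang, a configured sql module, and a table named circuits with columns circuit_id and framed_ip (both assumed names).

```unlang
# authorize section of the virtual server (illustration, assumed table layout)
authorize {
    preprocess

    # Only requests that actually carry ADSL-Agent-Circuit-Id take this
    # branch. Nothing from the attribute is copied into User-Name or
    # User-Password, so a subscriber who knows the circuit-id format
    # gains nothing by typing one as their credentials.
    if (ADSL-Agent-Circuit-Id) {
        # Presence test against the dedicated table (assumed: circuits).
        # The sql module escapes the expanded attribute before the query runs.
        if ("%{sql:SELECT COUNT(*) FROM circuits WHERE circuit_id = '%{ADSL-Agent-Circuit-Id}'}" == "1") {
            # Known circuit: skip pap/chap and accept, returning the
            # per-circuit attributes from the same table.
            update control {
                Auth-Type := Accept
            }
            update reply {
                Framed-IP-Address := "%{sql:SELECT framed_ip FROM circuits WHERE circuit_id = '%{ADSL-Agent-Circuit-Id}'}"
            }
        }
        else {
            # Attribute present but circuit unknown: normal credential path.
            chap
            pap
        }
    }
    else {
        # No circuit-id at all: normal credential path.
        chap
        pap
    }
}
```

Because the sql lookup is keyed solely on ADSL-Agent-Circuit-Id, the end user's chosen User-Name and User-Password never influence the accept decision on the circuit-id branch.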