[authorized_macs.authorize] returns noop

Arran Cudbard-Bell a.cudbardb at googlemail.com
Thu Jan 6 19:40:44 CET 2011


>> 
>> *What* RFCness?
>> 
> Apparently, guessing this is Arran spending too much time absorbing the IETF 
> website, RFC2865 says "thou shalt use 'Call-Check' for mac-auth", I 
> have not read it myself.
> 
>>> that seems overkill to you? Cisco switches use PAP instead of CHAP, but
>>> other than that whats the problem?
>> 
>> I've never seen a mac-auth implementation sending CHAP requests,

HP Networking equipment does.

>> which 
>> seems like lunacy, so have never considered there might be a need to 
>> execute the "authenticate" section, or synthesise a Cleartext-Password.
>> 
> ...but this is what makes HP special :)

The problem is you can't always distinguish between CHAP authentication (e.g. web-auth) and mac-authentication. Both provide a CHAP-Password attribute, and HP Networking gear doesn't provide additional attributes, so someone could enter their mac-address as the user-name and password in a web-auth form and trick the server into performing mac-auth.

In newer firmware releases all HP Networking (ProCurve) equipment will send Call-Check as the Service-Type to indicate Mac-Based authentication. We (ESSW security team) decided that, amongst the different options, this was closest to the original intent of the RFC.

> 
> http://wiki.freeradius.org/index.php?title=HP#Mac-Based
> 
> I agree, it is rather daft, I'm surprised User-Password even appears for 
> a PAP approach.

It's either CHAP or PAP. Every Mac-Auth implementation that I've seen either sends the MAC-Address or a predefined passphrase in the CHAP or PAP attribute. I guess the advantage is that it will work with less advanced RADIUS servers that require a password attribute of some kind, and that the shared secret is required to create valid values for User-Password and CHAP-Password.

> 
>> But even so, I don't see the value in executing a modules .authorize 
>> handler in the post-auth section, or having a whole separate Auth-Type 
>> value.
>> 
> Right, this I agree with, I nuke the request in authorize too.

See previous mail.

> 
>> Shrug. Not a big deal really. To each his own.
>> 
> Many ways to skin this cat...

Mmm skinned cat.

-Arran
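As an added example (not from the thread or from FreeRADIUS itself), a Python sketch of the distinction Arran describes: a request is treated as MAC-auth only when Service-Type is Call-Check and its CHAP-Password verifies against the MAC carried in User-Name, so a MAC typed into a web-auth form falls through to normal user authentication. The attribute dict, the Service-Type codes, the use of the User-Name string as the CHAP password and the sample requests are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed example: a dict holding only the RADIUS attributes the thread
# discusses stands in for a decoded Access-Request.
CALL_CHECK = 10   # Service-Type value for Call-Check (RFC 2865)
LOGIN = 1         # Service-Type a web-auth (login) request would carry
MAC_RE = re.compile(r"^[0-9a-f]{12}$")

def normalise_mac(value):
    """Strip separators and lowercase; None if the value is not a MAC."""
    mac = re.sub(r"[:\-.]", "", value).lower()
    return mac if MAC_RE.match(mac) else None

def chap_response(ident, password, challenge):
    """CHAP response as RADIUS carries it: MD5(Ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

def chap_password_valid(chap_password, password, challenge):
    """chap_password is the 17-byte CHAP-Password attribute: Ident + response."""
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], password, challenge)
    return hmac.compare_digest(expected, chap_password[1:])

def classify(req):
    """'mac-auth' only when the NAS says so (Service-Type Call-Check), the
    User-Name is a MAC, and the CHAP-Password was built from that MAC
    (assumption: the switch uses the User-Name string as the CHAP password).
    Anything else is routed to the normal user-auth path."""
    mac = normalise_mac(req["User-Name"])
    if req.get("Service-Type") != CALL_CHECK or mac is None:
        return "user-auth"
    # CHAP-Challenge is optional; the Request Authenticator is the fallback.
    challenge = req.get("CHAP-Challenge") or req["Request-Authenticator"]
    if not chap_password_valid(req["CHAP-Password"], req["User-Name"], challenge):
        return "reject"
    return "mac-auth"

def make_request(user_name, password, service_type, authenticator, ident=1):
    """Build a constructed request the way a CHAP-speaking NAS would."""
    return {"User-Name": user_name, "Service-Type": service_type,
            "Request-Authenticator": authenticator,
            "CHAP-Password": bytes([ident]) + chap_response(ident, password, authenticator)}

AUTHENTICATOR = bytes(range(16))   # constructed Request Authenticator
SWITCH_REQ = make_request("001122aabbcc", "001122aabbcc", CALL_CHECK, AUTHENTICATOR)
WEB_REQ = make_request("001122aabbcc", "001122aabbcc", LOGIN, AUTHENTICATOR)
```

Without the Service-Type check, SWITCH_REQ and WEB_REQ are indistinguishable: same User-Name, same CHAP-Password, which is exactly the ambiguity described above.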
