Help with chap
Phil Mayers
p.mayers at imperial.ac.uk
Tue May 21 09:06:25 CEST 2013
On 05/21/2013 07:55 AM, Franks Andy (RLZ) IT Systems Engineer wrote:
> Can I just use the authorize section to set the password to be the same
> as the username, i.e. the mac address, after checking some basics like
> whether the user exists in ldap and perhaps the useraccountcontrol
> value, then in the authorize section just let the chap bit work on the
> assigned password?
Yes. In fact that's the best approach. Something like:
authorize {
...
if (some condition) {
update control {
Cleartext-Password := "%{User-Name}"
}
}
...
}
"some condition" would normally be some sort of check to ensure it was a
macauth-via-CHAP request - obviously you wouldn't want to force
password==username for a PPP/EAP/other "real" user request. On the other
hand if your server / virtual server only receives this traffic, you can
omit the condition.
I really dislike vendors who do macauth as CHAP. It seems to completely
lack value, and adds complexity. Le sigh..
More information about the Freeradius-Users
mailing list