Freeraius vs NPS

Martin, Jeremy jmartin at emcc.edu
Fri May 5 18:51:49 CEST 2017


Alan,

Thank you for your help; I think I am starting to get a handle on this problem.

I added a check in the sites-enabled default file that did the trick and isolated it to one set, and sure enough it kicked back and asked me for some credentials:
authorize {
        if (User-Name == "A009ED031E00") {
                reject
        }
....
}

Log Entries:
# Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)    if (User-Name == "A009ED031E00")
(0)    if (User-Name == "A009ED031E00")  -> TRUE
(0)   if (User-Name == "A009ED031E00")  {
(0)    [reject] = reject
(0)   } # if (User-Name == "A009ED031E00")  = reject
(0)  } #  authorize = reject


Now for my last question (hopefully) before I go off and dig into the docs and examples: is there a table already set up that would make this check against a MySQL table, so I can easily write an interface and don't have to train my techs to edit this file when setting up a new phone?  Or if you have another reasonable way of doing it that I can write against using some web interface, I would certainly entertain that option as well.  I am certainly not against reading the docs, but if there are any head starts they would be appreciated.

In any event I am certainly glad to know what is going on at least, so thanks for the help thus far.

Jeremy





-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+jmartin=emcc.edu at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, May 5, 2017 11:54 AM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Freeraius vs NPS


> On May 5, 2017, at 11:46 AM, Martin, Jeremy <jmartin at emcc.edu> wrote:
> 
> I am attaching them to this email.

  Wow... the phone is just broken.  It's sending an EAP-Identity of:

0xa009ed031e00

  i.e. the MAC address of the phone... in binary form, NOT text, and finishing off with a trailing zero byte.

  What phone is this?  That behavior is completely broken, and violates RFC 3748:

https://tools.ietf.org/html/rfc3748#section-5.1

     This field MAY contain a displayable message in the Request,
      containing UTF-8 encoded ISO 10646 characters [RFC2279].  Where
      the Request contains a null, only the portion of the field prior
      to the null is displayed.  If the Identity is unknown, the
      Identity Response field should be zero bytes in length.  The
      Identity Response field MUST NOT be null terminated.

  In any case, the suggestion I made in my last message should work.  Though it will be made more complicated by the phone sending binary crap as the EAP-Identity, instead of a UTF-8 text string.

 Alan DeKok.
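As an added illustration (not code from the thread or from FreeRADIUS), here is a small Python check of an EAP Identity Response against the RFC 3748 section 5.1 rules Alan quotes, run over a constructed well-formed identity and over the 0xa009ed031e00 bytes from the thread. The EAP framing helper and the function names are my own; the uppercase hex rendering matches the User-Name seen in Jeremy's log.

```python
import struct

EAP_RESPONSE = 2       # EAP Code for a Response packet
EAP_TYPE_IDENTITY = 1  # EAP Type 1 = Identity

# Sample input constructed for this example: the identity bytes Alan decoded
# from the packet capture (the phone's MAC in binary plus a trailing NUL).
BROKEN_IDENTITY = bytes.fromhex("a009ed031e00")


def build_identity_response(eap_id: int, identity: bytes) -> bytes:
    """Frame an EAP Identity Response: Code, Identifier, Length, Type, data."""
    length = 5 + len(identity)
    header = struct.pack("!BBH", EAP_RESPONSE, eap_id, length)
    return header + bytes([EAP_TYPE_IDENTITY]) + identity


def parse_eap_identity(packet: bytes) -> dict:
    """Parse an EAP Identity Response and list RFC 3748 s5.1 violations."""
    if len(packet) < 5:
        raise ValueError("EAP packet too short")
    code, _eap_id, length = struct.unpack("!BBH", packet[:4])
    if code != EAP_RESPONSE or packet[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP Identity Response")
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    identity = packet[5:]  # may legitimately be empty (identity unknown)
    problems = []
    # "The Identity Response field MUST NOT be null terminated."
    if identity and identity[-1] == 0:
        problems.append("identity is NUL-terminated")
    # The field is defined as UTF-8 text, so binary data is a violation.
    try:
        text = identity.decode("utf-8")
    except UnicodeDecodeError:
        text = None
        problems.append("identity is not valid UTF-8")
    if text is not None and not text.isprintable():
        problems.append("identity contains non-printable characters")
    return {"hex": identity.hex().upper(), "text": text, "problems": problems}


if __name__ == "__main__":
    for ident in (b"phone01", BROKEN_IDENTITY):
        result = parse_eap_identity(build_identity_response(1, ident))
        print(result["hex"], result["text"], result["problems"])
```

On the thread's bytes the check reports both a trailing NUL and invalid UTF-8, which is what made the identity unusable as a plain text User-Name.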

