How to deal with switches not sending User-Password attribute for MAC-based authentication
Martin Gignac
martin.gignac at gmail.com
Fri Jan 24 20:29:50 CET 2020
> well, if you know that only a particular client is doing this, then
> have a check for that client and if it's not got a User-Password set,
> then set one. then your current call then follows which would work as
> there's a User-Password as expected etc.
That's what I initially thought of doing by putting (which Alan DeKok
later said I shouldn't do):
if (&NAS-Port-Type == "Ethernet" && !User-Password) {
    update control {
        User-Password = &User-Name
        Auth-Type := rest
    }
}
in the authorize section but I then received this error in the logs:
(1) if (&NAS-Port-Type == "Ethernet" && !User-Password) {
(1) if (&NAS-Port-Type == "Ethernet" && !User-Password) -> TRUE
(1) if (&NAS-Port-Type == "Ethernet" && !User-Password) {
(1) update control {
(1) User-Password = &User-Name -> 'E6E849A201E8'
(1) Auth-Type := rest
(1) } # update control = noop
(1) } # if (&NAS-Port-Type == "Ethernet" && !User-Password) = noop
(1) if (User-Password) {
(1) if (User-Password) -> FALSE
(1) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(1) pap: WARNING: !!! Ignoring control:User-Password. Update your !!!
(1) pap: WARNING: !!! configuration so that the "known good" clear text !!!
(1) pap: WARNING: !!! password is in Cleartext-Password and NOT in !!!
(1) pap: WARNING: !!! User-Password. !!!
(1) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(1) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password is available
(1) [pap] = noop
so I guess I cannot set the User-Password attribute myself. And it
appears that the REST module will not fire if I do not have a
User-Password attribute set to begin with.
Were you proposing something else than what I've tried?
Regards,
-Martin