How to deal with switches not sending User-Password attribute for MAC-based authentication

Martin Gignac martin.gignac at gmail.com
Fri Jan 24 20:29:50 CET 2020


> well, if you know that only a particular client is doing this, then
> have a check for that client and if it's not got a User-Password set,
> then set one. then your current call then follows which would work as
> there's a User-Password as expected etc.

That's what I initially thought of doing by putting (which Alan DeKok
later said I shouldn't do):

       if (&NAS-Port-Type == "Ethernet" && !User-Password) {
                update control {
                        User-Password = &User-Name
                        Auth-Type := rest
                }
        }

in the authorize section, but I then received this error in the logs:

(1)     if (&NAS-Port-Type == "Ethernet" && !User-Password) {
(1)     if (&NAS-Port-Type == "Ethernet" && !User-Password)  -> TRUE
(1)     if (&NAS-Port-Type == "Ethernet" && !User-Password)  {
(1)       update control {
(1)         User-Password = &User-Name -> 'E6E849A201E8'
(1)         Auth-Type := rest
(1)       } # update control = noop
(1)     } # if (&NAS-Port-Type == "Ethernet" && !User-Password)  = noop
(1)     if (User-Password) {
(1)     if (User-Password)  -> FALSE
(1) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(1) pap: WARNING: !!! Ignoring control:User-Password.  Update your        !!!
(1) pap: WARNING: !!! configuration so that the "known good" clear text !!!
(1) pap: WARNING: !!! password is in Cleartext-Password and NOT in        !!!
(1) pap: WARNING: !!! User-Password.                                      !!!
(1) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(1) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password is available
(1)     [pap] = noop

so I guess I cannot set the User-Password attribute myself. And it
appears that the REST module will not fire if I do not have a
User-Password attribute set to begin with.

Were you proposing something other than what I've tried?

Regards,
-Martin

