User with password and user without password

Alan DeKok aland at deployingradius.com
Mon Dec 6 17:48:32 CET 2021


On Dec 6, 2021, at 11:32 AM, Angelo Corsaro <angelo.corsaro at tiscali.it> wrote:
> I need a basic input to (if possible) fix my problem:
> now my radius is verifying only SIM (we're talking a private APN) with only Calling-Station-Id and I disabled the pap and chap as below

  That disables it for *all* users.  Which is not what you want.

  And there's no need to disable PAP.  If you're authenticating via Calling-Station-Id, you can do something like:

	if (calling station ID is OK) {
		accept
	}

  What goes in the "if" condition depends on how you've set up your system.  i.e. where are the "known good" Calling-Station-ID values stored?

> but in the near future a different client will be authenticated with User-Name, Cleartext-Password and Calling-Station-Id (always coming from a private APN): how can I manage those different requests ?

  Authenticate *how* with those attributes?  You need to answer that question in order to come up with the correct solution.

  For example:

	If the user is in the SQL database, AND the calling-station-ID matches
	THEN get the Cleartext-Password from the DB, and use PAP for authentication

  What this does is force you to write down exactly what you want to do.  Once you've done that, writing "unlang" policies is simple.

  And until you write down what you want, you'll just be changing random things in the configuration, hoping that it works.

> I thought a simple "if"  into the file site-enabled/default in the authorize/preprocess section:
> 
>         if (ClearText-Password == "Void") {
>                         update attribute {
>                                 ClearText-Password := "--"
>                         }
>                 }

  To do... what?  You're not saying.

> and re-enabling the verify of the password in the authenticate section. But it seems too easy :)

Q: Here's a sample configuration.  Will it do what I want?

A: I don't know.  You haven't said what you want to do.

  Alan DeKok.
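
An added example, not part of the message above or of the poster's configuration: one way the two written-down rules from the reply could look as FreeRADIUS v3 unlang. It assumes that password clients send User-Password and SIM-only clients do not, that `radcheck` holds a Cleartext-Password and a Calling-Station-Id check item per user, and that a hypothetical `sim_allowlist` table with an `msisdn` column stores the known-good SIM numbers.

```unlang
# sites-enabled/default (FreeRADIUS v3), added example
authorize {
	preprocess

	if (&User-Password) {
		# Rule: user is in SQL AND Calling-Station-Id matches.
		# Assumed radcheck rows per user:
		#   Cleartext-Password  :=  <password>
		#   Calling-Station-Id  ==  <SIM number>
		# If the check items do not match and no group or profile
		# applies, sql returns notfound.
		sql
		if (notfound) {
			reject
		}
		# pap sets Auth-Type := PAP; the password itself is verified
		# in "authenticate", which stays enabled.
		pap
	}
	else {
		# Rule: SIM-only client, no password in the request.
		# sim_allowlist and msisdn are hypothetical names.
		update control {
			&Tmp-Integer-0 := "%{sql:SELECT COUNT(*) FROM sim_allowlist WHERE msisdn = '%{Calling-Station-Id}'}"
		}
		if (&control:Tmp-Integer-0 > 0) {
			update control {
				&Auth-Type := Accept
			}
		}
		else {
			reject
		}
	}
}

authenticate {
	Auth-Type PAP {
		pap
	}
}
```

Both branches end in an explicit reject, so a request that matches neither rule is never accepted by default.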



