Some guidance please
Alan DeKok
aland at deployingradius.com
Mon Jan 13 19:58:27 UTC 2025
On Jan 13, 2025, at 2:13 PM, Mark - Myakka Technologies via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> We have been using FreeRadius for over 10 years to authenticate our PPPoE users. We are putting in a new system that will be using DHCP and would like to do authentication and accounting on our DHCP clients. Being these clients may be using their own equipment, MAC address username will not be the best.
DHCP doesn't do authentication and accounting, so you have to design the system carefully to work around those limitations.
> We have set up our system to use Option 82 to pass the username and password to the DHCP server. I have confirmed that the DHCP is receiving the Option 82 correctly and passing it to FreeRadius as both Agent-Circuit-Id and ADSL-Agent-Circuit-Id.
>
> I'm currently trying to figure out the best way to take the information contained in Agent-Circuit-Id and parse that to replace both username and password on the authorize request.
Why replace it? That doesn't gain you anything. Why not just allow the user (or not), depending on the information in the packet?
> Has this been done before and I'm just not using the correct keywords in Google to find it?
What do you actually want to do? i.e. "rewrite User-Name" isn't a requirement, it's a proposed solution.
What information are you putting into the User-Name? Where is that information coming from? What database lookups or policies are you running with that User-Name?
i.e. there is nothing special about User-Name. If you want to change the SQL queries to do lookups based on MAC address, you can do that. They're text. Just edit them.
If you're not finding guides on how to implement a particular solution, then it's likely because no one else is using that solution. Because there are other, better, solutions available.
> I have read in certain posts that modifying User-Name is not recommended. If that is the case what variable should be used and where in the config should it be changed?
If the server is doing EAP, you can't modify the User-Name. For other authentication methods it is possible. But generally there are no good reasons for doing that.
Alan DeKok.