Some guidance please
Mark - Myakka Technologies
mark at mailmt.com
Wed Jan 15 18:04:32 UTC 2025
Alan,
Sorry about the delay, your reply landed in my SPAM folder.
Current PPPoE setup is as follows. Clients connect to a Mikrotik PPPoE server, Mikrotik authenticates via a FreeRadius server, FreeRadius authenticates via a MS SQL Server. We also do accounting. Client uses a Username/Password we supply them.
We are implementing some new hardware which would work better if we used DHCP instead of PPPoE. We have set up a Mikrotik DHCP server. Mikrotik allows us to authenticate DHCP requests via Radius. We have this piece of the system set up. Currently the way Mikrotik authenticates is using the device MAC address as username and a blank password. This is a problem, as the MAC address is supplied by the client's device. We want this to be invisible to the client. If the client decides to change their equipment, we don't want it to generate a service call.
We decided to use DHCP Option 82 on our new equipment. Setting it up this way, we can have the Option 82 data programmed into our equipment, which will stay static. For example, we can pass something like XX01-username-password-port-etc. We have this set up and I can confirm the freeradius server is receiving the correct data in the Agent-Circuit-Id.
What I would like to do as early as possible in the freeradius process is to extract the username and password from Agent-Circuit-Id and update both username and password with that data.
Current issues
Agent-Circuit-Id is transferred as hex. Doesn't look like unlang has a hex-to-string conversion routine. That causes issues with the RegEx extract. That is why I was thinking about dropping into Perl.
I have created a new file in policy.d that I have been fooling around with. Calling my routine just before filter_username in default authorize {} and using update request.
Unfortunately, I had to take my test device offline at the lab, so I can't continue testing.
I think I'm missing the updated keyword at the end of my routine to tell FreeRadius that I updated the request.
That may be all I'm missing in the procedure. Now I have to do some digging on doing hex to string. Didn't see anything in the unlang manual for that, but not sure if I dug deep enough.
This got a bit wordy, but hopefully it gives you a clearer picture.
--
Best regards,
Mark mailto:mark at mailmt.com
Myakka Communications
www.Myakka.com
------
Monday, January 13, 2025, 2:58:27 PM, you wrote:
AD> On Jan 13, 2025, at 2:13 PM, Mark - Myakka Technologies via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>>
>> We have been using FreeRadius for over 10 years to authenticate our PPPoE users. We are putting in a new system that will be using DHCP and would like to do authentication and accounting on our DHCP clients. Since these clients may be using their own equipment, a MAC address username will not be the best.
AD> DHCP doesn't do authentication and accounting, so you have to design the system carefully to work around those limitations.
>> We have set up our system to use Option 82 to pass the username and password to the DHCP server. I have confirmed that the DHCP is receiving the Option 82 correctly and passing it to FreeRadius as both Agent-Circuit-Id and ADSL-Agent-Circuit-Id.
>>
>> I'm currently trying to figure out the best way to take the information contained in Agent-Circuit-Id and parse that to replace both username and password on the authorize request.
AD> Why replace it? That doesn't gain you anything. Why not just allow the user (or not), depending on the information in the packet?
>> Has this been done before and I'm just not using the correct keywords in google to find it?
AD> What do you actually want to do? i.e. "rewrite User-Name" isn't a requirement, it's a proposed solution.
AD> What information are you putting into the User-Name? Where is that information coming from? What database lookups or policies are you running with that User-Name?
AD> i.e. there is nothing special about User-Name. If you want to change the SQL queries to do lookups based on MAC address, you can do that. They're text. Just edit them.
AD> If you're not finding guides on how to implement a particular solution, then it's likely because no one else is using that solution. Because there are other, better, solutions available.
>> I have read in certain posts that modifying User-Name is not recommended. If that is the case what variable should be used and where in the config should it be changed?
AD> If the server is doing EAP, you can't modify the User-Name. For other authentication methods it is possible. But generally there are no good reasons for doing that.
AD> Alan DeKok.
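Mark's plan from the top of this thread (decode the hex Agent-Circuit-Id, pull out the username and password, update the request, return "updated"), written out as an added rlm_perl example; this is not code from the thread or from FreeRADIUS itself. It assumes rlm_perl hands the octets attribute to Perl as a 0x-prefixed hex string, and it returns noop instead of rewriting anything when the value is malformed or lacks the XX01 prefix, so a device without the expected Option 82 data falls through to the existing policy unchanged.

```perl
# Added example, not code from the thread or from FreeRADIUS itself.
# Assumes rlm_perl (Mark's "dropping into perl" option) and that the octets
# attribute Agent-Circuit-Id is handed to Perl as a "0x..." hex string.
use strict;
use warnings;

# Return codes as defined in FreeRADIUS's example.pl for rlm_perl.
use constant {
    RLM_MODULE_NOOP    => 7,
    RLM_MODULE_UPDATED => 8,
};

our %RAD_REQUEST;   # populated by rlm_perl before authorize() is called

# Turn the hex-encoded Option 82 value back into the text the relay equipment
# sent. Returns undef for anything that is not well-formed hex.
sub decode_circuit_id {
    my ($raw) = @_;
    return undef unless defined $raw;
    (my $hex = $raw) =~ s/^0x//i;
    return undef unless $hex =~ /^(?:[0-9a-fA-F]{2})+$/;
    return pack('H*', $hex);
}

# Split "XX01-username-password-port-..." (format from the thread) into
# (username, password); empty list if the prefix or either field is missing.
sub parse_circuit_id {
    my ($text) = @_;
    return () unless defined $text;
    return ($1, $2) if $text =~ /^XX01-([^-]+)-([^-]+)-/;
    return ();
}

# Called from policy.d just before filter_username in authorize {}.
sub authorize {
    my $decoded = decode_circuit_id($RAD_REQUEST{'Agent-Circuit-Id'});
    my ($user, $pass) = parse_circuit_id($decoded);

    # No usable Option 82 data: leave the request alone, let later policy decide.
    return RLM_MODULE_NOOP unless defined $user;

    $RAD_REQUEST{'User-Name'}     = $user;
    $RAD_REQUEST{'User-Password'} = $pass;
    return RLM_MODULE_UPDATED;   # tells the server the request was changed
}
```

Point the perl module's filename directive at this file and list the module instance in authorize {} ahead of filter_username, as Mark describes, so the rewritten User-Name is what the SQL lookup sees.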