On 7 Oct 2013, at 09:59, Jonathan Gazeley <jonathan.gaze...@bristol.ac.uk> wrote:
> On 07/10/13 08:40, a.l.m.bu...@lboro.ac.uk wrote:
>> Hi,
>>
>>>> if (Service-Type == "NAS-Prompt-User") {
>>>>     if (NAS-IP-Address =~ /^172\.17\.107\./) {
>>>>         if (User-Name =~ /^wisms\-testing/) {
>>>>             update control {
>>>>                 Auth-Type := Accept
>>>>             }
>>>>         }
>>>>     }
>>>> }
>>
>> Ouch, do you realise how dangerous that is? There
>> should be no need to send an Access-Accept packet back
>> to these probes - a reject should suffice - and that would stop
>> an end user subverting your system by simply using
>> that User-Name (if they are using wpa_supplicant they could
>> add that NAS-Prompt-User attribute).
>>
>> alan
>> -
>
> We're finding these nuggets of code as we dig deeper into James's legacy
> config. If the Access-Accept response is not required, then presumably I can
> ditch that entire code block and let the wisms-testing auth attempt go
> through the system as any other user.

Yes, or immediately reject that user in the authorise section.

Rejecting immediately just makes things more efficient, particularly if the WiSM is doing a check because it has marked the server as dead.

Test it, see what happens.

Regards
Scott
signature.asc
Description: Message signed with OpenPGP using GPGMail
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
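As an added illustration of the early reject Scott suggests (this is not config from the thread or from the FreeRADIUS project; the wisms-testing name and the 172.17.107.0/24 range are taken from the quoted block, and placing it at the top of the site's authorize section is an assumption):

```unlang
# Hardened replacement for the quoted block. The original granted an
# Access-Accept to any request that carried Service-Type = NAS-Prompt-User,
# a NAS-IP-Address in 172.17.107.0/24 and a User-Name starting with
# "wisms-testing", with no credential check at all. Service-Type and
# User-Name are supplied by the client, so that is an authentication bypass.
#
# The WiSM probe only needs a reply to decide the server is alive; an
# Access-Reject satisfies that and grants nothing. Rejecting here, before
# any other authorize modules run, is also cheaper than letting the
# probe fall through the normal ldap/sql/eap path.
authorize {
    if (User-Name =~ /^wisms-testing/) {
        reject
    }

    # ... the site's usual authorize modules follow (assumed) ...
}
```

The NAS-IP-Address test from the original can be kept inside the `if` to narrow the match to the WiSM controllers, but it should never be the thing that turns a match into an accept: the only safe outcome for an identity that exists purely for liveness probing is a reject.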