On 7 Oct 2013, at 09:59, Jonathan Gazeley <jonathan.gaze...@bristol.ac.uk> 
wrote:

> On 07/10/13 08:40, a.l.m.bu...@lboro.ac.uk wrote:
>> Hi,
>> 
>>>> if (Service-Type == "NAS-Prompt-User") {
>>>>  if (NAS-IP-Address =~ /^172\.17\.107\./) {
>>>>   if (User-Name =~ /^wisms\-testing/) {
>>>>    update control {
>>>>         Auth-Type := Accept
>>>>    }
>> Ouch, do you realise how dangerous that is?  There
>> should be no need to send an Access-Accept packet back
>> to these probes - a reject should suffice - and that would stop
>> an end user subverting your system by simply using
>> that UserName (if they are using wpa_supplicant they could
>> add that NAS-Prompt-User attribute).
>> 
>> alan
> 
> We're finding these nuggets of code as we dig deeper into James's legacy 
> config. If the Access-Accept response is not required, then presumably I can 
> ditch that entire code block and let the wisms-testing auth attempt go 
> through the system as any other user.
Yes, or immediately reject that user in the authorise section.  Rejecting 
immediately just makes things more efficient, particularly if the wism is doing 
a check because it has marked the server as dead.  

Test it, see what happens.

Regards

Scott
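For reference, the quoted block beside the rejecting form Scott and Alan describe, as an added unlang example for the authorize section (not config from either poster); the NAS-IP-Address range and user-name prefix are taken from the quoted snippet, and the only change is that the WiSM probe now gets an Access-Reject instead of a forced accept:

```unlang
authorize {
    # Original (quoted above, closing braces added): anyone sending
    # Service-Type = NAS-Prompt-User with a wisms-testing* User-Name
    # is accepted without any credential check.
    #
    # if (Service-Type == "NAS-Prompt-User") {
    #     if (NAS-IP-Address =~ /^172\.17\.107\./) {
    #         if (User-Name =~ /^wisms\-testing/) {
    #             update control {
    #                 Auth-Type := Accept
    #             }
    #         }
    #     }
    # }

    # Rejecting form: the probe only needs *a* response to see the server
    # is alive, so answer it immediately with Access-Reject. Nothing else
    # in authorize or authenticate runs for it, and the user name grants
    # nobody access.
    if ((Service-Type == "NAS-Prompt-User") && (NAS-IP-Address =~ /^172\.17\.107\./) && (User-Name =~ /^wisms\-testing/)) {
        reject
    }

    # ... the rest of the normal authorize section follows for real users
}
```

Dropping the block entirely, as Jonathan suggests, also works; the probe then falls through and is rejected by the normal modules, just slightly later.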
