PENZ Robert <[email protected]> wrote:
> 
> and I've different switch types. Some send the MAC address lower case 
> the others upper case. For switches which send it lower case it 
> works (as the macs are stored lower case in the db). How can I convert 
> them all in the clear text password attribute to lower case? The 
> attr_rewrite module looks good, but the only way I see is to have 6 
> rewrite rules each replacing one letter, but that seems inefficient. 
> The matching in the SQL Database works case insensitive and returns a 
> row but the pap check logs the following:
>
Do the mac-auth via unlang and not PAP.
----
policy {
  ...

  mac_auth {
    if (Realm == NULL && !(EAP-Message) && NAS-Port-Type == Ethernet \
                && Service-Type == Call-Check \
                && User-Name == "%{User-Password}" \
                && User-Name =~ /^[0-9a-f]{12}$/i \
                && Calling-Station-Id =~ /^([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2})$/i \
                && User-Name =~ /^%{1}%{2}%{3}%{4}%{5}%{6}$/i) {
      ok
    }
    else {
      noop
    }
  }

  ...
}

authorize {
  ...

  mac_auth
  if (ok) {
    update control {
      Auth-Type := Accept
    }

    # 'handled' does not work here
    ok = return
  }

  ...
}
----

You might need to tweak the policy{} rule to meet your local needs; the 
above is what I use for our Cisco switches.  You could tweak the above 
so that 'mac_auth' sets 'Cleartext-Password = "%{User-Password}"' but 
I personally cannot see the reason to bother when you can just skip 
authenticate{} completely.

If you really do need to lowercase something, the only way to do it 
really is to use 'exec' and call 'tr A-F a-f', nasty but it works.

Cheers

-- 
Alexander Clouter
.sigmonster says: Don't guess -- check your security regulations.
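
A sketch of the kind of helper the 'exec' plus 'tr A-F a-f' suggestion above points at, added here as an example and not taken from the original post or from FreeRADIUS. It goes beyond the plain `tr` call by also stripping separators and rejecting anything that is not a MAC address, since the value comes from the client. The function names `normalize_mac` and `same_mac` are hypothetical, the sample addresses are constructed, and how the script is wired into the server is left out.

```shell
#!/bin/sh
# Added example: normalise a MAC address to 12 lowercase hex digits.
# Accepted input forms (constructed samples):
#   001A2B3C4D5E   00-1A-2B-3C-4D-5E   00:1a:2b:3c:4d:5e   001a.2b3c.4d5e

normalize_mac() {
    # Reject any character outside hex digits and the usual separators
    # before touching the value. Explicit lists avoid locale-dependent ranges.
    case "$1" in
        ''|*[!0123456789abcdefABCDEF:.-]*) return 1 ;;
    esac
    # Drop separators, then fold A-F to lower case as suggested in the post.
    _mac=$(printf '%s' "$1" | LC_ALL=C tr -d ':.-' | LC_ALL=C tr 'A-F' 'a-f')
    # A MAC address is exactly 12 hex digits once separators are gone.
    [ "${#_mac}" -eq 12 ] || return 1
    printf '%s\n' "$_mac"
}

# same_mac: succeed only when both arguments are valid MAC addresses that
# normalise to the same value, mirroring the policy's last condition
# (User-Name compared against the octets of Calling-Station-Id).
same_mac() {
    _a=$(normalize_mac "$1") || return 1
    _b=$(normalize_mac "$2") || return 1
    [ "$_a" = "$_b" ]
}

# When called with one argument, print the normalised form or exit non-zero.
if [ "$#" -gt 0 ]; then
    normalize_mac "$1"
fi
```

The separator handling is deliberately lenient (mixed or misplaced separators are stripped, not rejected); tighten the first `case` pattern if only one switch format should be accepted.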
