Joseph Showalter wrote:
> Instead of using Chap which we are getting above, we want to use the
> "3GPP2-Attr-61 = 0x0106000000010209a0000029275c41" value which we can convert
> to the device serial number.
OK.
> In our DB we store the device serial number. The device's CHAP info most of
> the time might be tampered with or wrong.
That's a little surprising, but OK.
> So we wanted our EXEC script to replace the chap user/pass with the new PAP
> user/password.
No. You don't want that. I said you don't want that. Don't do that.
It's wrong.
> Should we be setting Cleartext-Password and the User-Password?
No. You should be setting Auth-Type := Accept, just like I said in my
last message.
>> If you're going to force authentication success, why not just set
>> "Auth-Type := Accept"? That avoids all of the mangling of passwords
>> (chap and pap)
>
> We still want radius to run through the normal SQL process to verify that the
> above serial number is valid.
So... do an SQL query to see if the serial number is valid. There's
no need to run a script. There's no need to play games with CHAP.
There's no need to play games with PAP.
Write an SQL statement that returns a string if the serial number is
in the database. If the number isn't in the database, it returns
nothing. Then, use the SQL statement in the "authorize" section:
  authorize {
      ...
      if (! "%{sql:SELECT ... }") {
          reject
      }
      update control {
          Auth-Type := Accept
      }
      ...
  }
It's that easy.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
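The authorize section Alan sketches above, filled out as an added example (this is not Alan's or the FreeRADIUS project's own configuration). It assumes a hypothetical table `devices` with a column `serial` that stores the value in the same form the request carries it, i.e. the hex string that `%{3GPP2-Attr-61}` expands to; the hex-to-serial conversion the original poster mentions is not described in the thread, so it is not shown here and would belong in the SQL or in the stored value instead. The `reject` branches, the `Reply-Message` values and the `mydb` column name are assumptions for illustration.

```unlang
# Added example, not the list poster's config. Assumes a `devices` table
# whose `serial` column holds the 3GPP2-Attr-61 value as the hex string
# the server prints (e.g. 0x0106000000010209a0000029275c41).
authorize {
    preprocess

    # Requests without the device attribute cannot be looked up, so
    # refuse them instead of falling through to CHAP/PAP handling.
    if (!3GPP2-Attr-61) {
        update reply {
            Reply-Message := "Missing device identifier"
        }
        reject
    }

    # One SQL lookup: returns a string when the serial is known, nothing
    # otherwise. rlm_sql escapes the nested xlat before substituting it.
    if (!"%{sql:SELECT serial FROM devices WHERE serial = '%{3GPP2-Attr-61}' LIMIT 1}") {
        update reply {
            Reply-Message := "Unknown device"
        }
        reject
    }

    # Known device: force success. No chap/pap modules, no password
    # rewriting; the CHAP credentials in the request are simply ignored.
    update control {
        Auth-Type := Accept
    }
}
```

Because Auth-Type is set to Accept, the `authenticate` section never runs the `chap` or `pap` modules for these requests, so there is nothing to replace or rewrite. If accounting or reply attributes per device are also wanted, they can be added with a second `update reply` populated from the same table, but the acceptance decision stays a single SQL lookup.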