On 05/21/2013 07:55 AM, Franks Andy (RLZ) IT Systems Engineer wrote:

Can I just use the authorize section to set the password to be the same
as the username, i.e. the mac address, after checking some basics like
whether the user exists in ldap and perhaps the useraccountcontrol
value, then in the authorize section just let the chap bit work on the
assigned password?

Yes. In fact that's the best approach. Something like:

authorize {
  ...
  if (some condition) {
    update control {
      Cleartext-Password := "%{User-Name}"
    }
  }
  ...
}

"some condition" would normally be some sort of check to ensure it was a macauth-via-CHAP request - obviously you wouldn't want to force password==username for a PPP/EAP/other "real" user request. On the other hand if your server / virtual server only receives this traffic, you can omit the condition.

I really dislike vendors who do macauth as CHAP. It seems to completely lack value, and adds complexity. Le sigh..
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
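
The approach discussed in this thread, modelled in Python as an added example (not part of the original messages and not FreeRADIUS code). It shows why CHAP needs a known cleartext password and how the "some condition" gate keeps password==username away from other users. The 12-hex-digit User-Name format and the helper names are assumptions.

```python
import hashlib
import hmac
import os
import re

# Assumption: the NAS sends the MAC as 12 lowercase hex digits in User-Name.
MAC_RE = re.compile(r"^[0-9a-f]{12}$")

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def authorize(request: dict) -> dict:
    """Model of the authorize section: build the control list for a request."""
    control = {}
    user = request.get("User-Name", "")
    # "some condition": a CHAP request whose User-Name looks like a MAC address.
    if "CHAP-Password" in request and MAC_RE.match(user):
        control["Cleartext-Password"] = user
    return control

def authenticate_chap(request: dict, control: dict) -> bool:
    """Model of the chap step: recompute the response from the known password."""
    password = control.get("Cleartext-Password")
    chap = request.get("CHAP-Password")
    if password is None or chap is None or len(chap) != 17:
        return False  # without a known-good password CHAP cannot be verified
    ident, received = chap[0], chap[1:]  # 1-octet CHAP id + 16-octet response
    expected = chap_response(ident, password.encode(), request["CHAP-Challenge"])
    return hmac.compare_digest(received, expected)

def nas_request(user: str, password: str) -> dict:
    """Constructed sample Access-Request attributes, as a NAS would send them."""
    ident, challenge = 7, os.urandom(16)
    response = chap_response(ident, password.encode(), challenge)
    return {"User-Name": user, "CHAP-Challenge": challenge,
            "CHAP-Password": bytes([ident]) + response}

if __name__ == "__main__":
    for user, pw in [("001122aabbcc", "001122aabbcc"), ("alice", "alice")]:
        req = nas_request(user, pw)
        print(user, "->", authenticate_chap(req, authorize(req)))
```

A request for a non-MAC user gets no Cleartext-Password from this branch, so it has to be resolved by whatever other password source the server is configured with.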
