Thanks Phil. I'll keep that up my sleeve for future use.

We tend to separate admin / wireless / mac-based auth off on to different radius boxes. Keeps things a bit easier.

Not sure what Cisco do, but a lot of their stuff tends to be PAP or EAP. HP doing CHAP here seems to limit quite a lot of backend options. It's still also the only protocol, or so it seems, chosen for iSCSI authentication, which is an interesting choice considering its vulnerabilities. Guess IPsec gets used instead where it needs to be secure.

Now to work out the useraccountcontrol setting. Seems to be different in Users and Computers than in an LDAP viewer, but the LDAP is probably a decimal conversion or something.

Thanks again
Andy

-----Original Message-----
From: freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org [mailto:[email protected] s.org] On Behalf Of Phil Mayers
Sent: 21 May 2013 08:06
To: [email protected]
Subject: Re: Help with chap

On 05/21/2013 07:55 AM, Franks Andy (RLZ) IT Systems Engineer wrote:

> Can I just use the authorize section to set the password to be the
> same as the username, i.e. the mac address, after checking some basics
> like whether the user exists in ldap and perhaps the
> useraccountcontrol value, then in the authorize section just let the
> chap bit work on the assigned password?

Yes. In fact that's the best approach. Something like:

    authorize {
        ...
        if (some condition) {
            update control {
                Cleartext-Password := "%{User-Name}"
            }
        }
        ...
    }

"some condition" would normally be some sort of check to ensure it was a macauth-via-CHAP request - obviously you wouldn't want to force password==username for a PPP/EAP/other "real" user request.

On the other hand if your server / virtual server only receives this traffic, you can omit the condition.

I really dislike vendors who do macauth as CHAP. It seems to completely lack value, and adds complexity. Le sigh..

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
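
The flow discussed in this thread, as an added Python sketch that is not part of the original messages and is not FreeRADIUS code: the authorize step sets Cleartext-Password to the User-Name only for a macauth-via-CHAP request, and the CHAP step then checks the response as MD5(CHAP id + password + challenge). The function names, the `known_macs` set standing in for the LDAP lookup, the MAC pattern used as "some condition", and the sample request are all assumptions made for illustration.

```python
import hashlib
import hmac
import re

# MAC as the switch might send it: 001122aabbcc, 00-11-22-aa-bb-cc, 00:11:22:aa:bb:cc
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:]?[0-9A-Fa-f]{2}){5}$")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def authorize(request: dict, known_macs: set) -> dict:
    """Stand-in for the authorize section; returns the control items."""
    control = {}
    user = request.get("User-Name", "")
    # "some condition": only a CHAP request whose User-Name is a MAC address
    is_macauth = "CHAP-Password" in request and MAC_RE.match(user) is not None
    if is_macauth and user in known_macs:  # known_macs stands in for the LDAP check
        control["Cleartext-Password"] = user
    return control


def authenticate_chap(request: dict, control: dict) -> bool:
    """Check CHAP-Password (1-byte CHAP id + 16-byte response, RFC 2865)."""
    password = control.get("Cleartext-Password")
    chap_password = request.get("CHAP-Password", b"")
    challenge = request.get("CHAP-Challenge")  # assumed present in this sketch
    if password is None or challenge is None or len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], password.encode(), challenge)
    return hmac.compare_digest(expected, chap_password[1:])


def handle(request: dict, known_macs: set) -> bool:
    return authenticate_chap(request, authorize(request, known_macs))


# Constructed sample request, as a switch doing macauth-via-CHAP would build it
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
MAC = "001122aabbcc"
SWITCH_REQUEST = {
    "User-Name": MAC,
    "CHAP-Challenge": CHALLENGE,
    "CHAP-Password": bytes([7]) + chap_response(7, MAC.encode(), CHALLENGE),
}
```

A request whose User-Name is not a MAC address gets no forced password here, which is the guard the reply asks for before setting password==username.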

