Authentication either username or mac address

classic Classic list List threaded Threaded
6 messages Options
| Threaded
Open this post in threaded view
|

Authentication either username or mac address

Mohammad Mahefooz
 I have searched about this, but couldn't find proper answer. If it has
been already answered kindly share the link. Would like to authenticate
users either with username or specified mac address. Generally we can
authenticate users either when using only username or only mac address
(using mac authentication). But let's say we want to give users the option
of either using username or mac address to login, but count data and
session time on username basis, how to achieve this in freeradius?

- Mohammad
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: Authentication either username or mac address

Alan DeKok-2
On Dec 4, 2018, at 6:36 AM, Mohammad Mahefooz <[hidden email]> wrote:
>
> I have searched about this, but couldn't find proper answer. If it has
> been already answered kindly share the link. Would like to authenticate
> users either with username or specified mac address.

  If the MAC is in the User-Name attribute, then you're using authenticating by User-Name.  FreeRADIUS doesn't care what's *in* the User-Name.

> Generally we can
> authenticate users either when using only username or only mac address
> (using mac authentication). But let's say we want to give users the option
> of either using username or mac address to login,

  How do you give them that option?

> but count data and
> session time on username basis, how to achieve this in freeradius?

  Is the User-Name in the access-Request packet?

  You want to do "something".  But you don't know what's in the packets, and you don't really know what you want to do.

  So the question is impossible to answer until there's some more detailed information.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: Authentication either username or mac address

Mohammad Mahefooz
 In radcheck table, if we use email address as value in User-Name
attribute, user can login with his email address as username. In case if we
use MAC as value in User-Name attiribute, user can login using MAC
authentication. As of now, we can use 'only' either value. Requirement is
to enable user to use both. He can login with either email or MAC. Just
found the below solution suggested in one of the forum. Would like to know
if it is feasible?

1 - open this path
/etc/freeradius/sql/mysql/dialup.conf
======================================
2 - search in : authorize_check_query
reblase all query to :

authorize_check_query = "SELECT id, username, attribute, value, op, mac \
FROM ${authcheck_table} \
WHERE username = '%{SQL-User-Name}' and (mac IS NULL or
mac='%{Calling-Station-Id}') \
ORDER BY id"
=====================================
3 - add new colum `mac` in database in `radcheck` table and set him to
`null`
=====================================
4 - add your current user with the password with the two or three mac's
as you want.

- Mohammad

On Tue, 4 Dec 2018 at 18:58, Alan DeKok <[hidden email]> wrote:

> On Dec 4, 2018, at 6:36 AM, Mohammad Mahefooz <[hidden email]>
> wrote:
> >
> > I have searched about this, but couldn't find proper answer. If it has
> > been already answered kindly share the link. Would like to authenticate
> > users either with username or specified mac address.
>
>   If the MAC is in the User-Name attribute, then you're using
> authenticating by User-Name.  FreeRADIUS doesn't care what's *in* the
> User-Name.
>
> > Generally we can
> > authenticate users either when using only username or only mac address
> > (using mac authentication). But let's say we want to give users the
> option
> > of either using username or mac address to login,
>
>   How do you give them that option?
>
> > but count data and
> > session time on username basis, how to achieve this in freeradius?
>
>   Is the User-Name in the access-Request packet?
>
>   You want to do "something".  But you don't know what's in the packets,
> and you don't really know what you want to do.
>
>   So the question is impossible to answer until there's some more detailed
> information.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: Authentication either username or mac address

Alan DeKok-2
On Dec 4, 2018, at 8:44 AM, Mohammad Mahefooz <[hidden email]> wrote:
>
> In radcheck table, if we use email address as value in User-Name
> attribute, user can login with his email address as username. In case if we
> use MAC as value in User-Name attiribute, user can login using MAC
> authentication. As of now, we can use 'only' either value. Requirement is
> to enable user to use both. He can login with either email or MAC. Just
> found the below solution suggested in one of the forum. Would like to know
> if it is feasible?

  Well, it doesn't let the user log in with the *User-Name* set to either the name or the MAC address.  It lets a user log in with one User-Name, but multiple devices.  And, where the MAC address is set automatically in the Calling-Station-Id attribute.

  As with anything, you have to define the requirements.  Then, the solution usually becomes clear.

  If the user logs in with the User-Name set to the MAC address, then you don't know who the real user is.

  Again, you're asking for a solution, but you don't really know what you want to do.  Define the problem first.

  What do you want to allow the user to have in the User-Name attribute?

  Is the MAC in the Calling-Station-Id attribute?  (LOOK IN THE DEBUG OUTPUT)

  etc.

  You can't just post a question saying "I want to do stuff", and expect us to come up with a solution.  Vague questions get vague answers.  Detailed questions get detailed answers.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: Authentication either username or mac address

Mohammad Mahefooz
Well Alan, I've seen your attitude in this mailing thread when answering
these kind of questions. Anyway I believe I was very clear even with
example, still if you think it's a vague question, let it be. I think there
is no point of coming here for help.

- Mohammad

On Tue, 4 Dec, 2018, 7:29 PM Alan DeKok <[hidden email] wrote:

> On Dec 4, 2018, at 8:44 AM, Mohammad Mahefooz <[hidden email]>
> wrote:
> >
> > In radcheck table, if we use email address as value in User-Name
> > attribute, user can login with his email address as username. In case if
> we
> > use MAC as value in User-Name attiribute, user can login using MAC
> > authentication. As of now, we can use 'only' either value. Requirement is
> > to enable user to use both. He can login with either email or MAC. Just
> > found the below solution suggested in one of the forum. Would like to
> know
> > if it is feasible?
>
>   Well, it doesn't let the user log in with the *User-Name* set to either
> the name or the MAC address.  It lets a user log in with one User-Name, but
> multiple devices.  And, where the MAC address is set automatically in the
> Calling-Station-Id attribute.
>
>   As with anything, you have to define the requirements.  Then, the
> solution usually becomes clear.
>
>   If the user logs in with the User-Name set to the MAC address, then you
> don't know who the real user is.
>
>   Again, you're asking for a solution, but you don't really know what you
> want to do.  Define the problem first.
>
>   What do you want to allow the user to have in the User-Name attribute?
>
>   Is the MAC in the Calling-Station-Id attribute?  (LOOK IN THE DEBUG
> OUTPUT)
>
>   etc.
>
>   You can't just post a question saying "I want to do stuff", and expect
> us to come up with a solution.  Vague questions get vague answers.
> Detailed questions get detailed answers.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: Authentication either username or mac address

Alan DeKok-2
On Dec 4, 2018, at 9:04 AM, Mohammad Mahefooz <[hidden email]> wrote:
>
> Well Alan, I've seen your attitude in this mailing thread when answering
> these kind of questions. Anyway I believe I was very clear even with
> example, still if you think it's a vague question, let it be. I think there
> is no point of coming here for help.

  If you're going to complain, you will be unsubscribed from the list, and permanently banned.

  Follow instructions and get the problem solved, or complain and get banned.  Your choice.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html