Freeradius: Authenticate users on certain condition


There is a network where users are using PPPoE to establish connections to the Access servers. We have lost the billing system and users' DB. The only condition that we know is that 'Valid credential should be credential where username and password are the same value. (i.e. username: johnsmith, password: johnsmith)'.

We'd like to recover access to the Internet ASAP.

The setup that we have now: Ubuntu 20.04, accel-ppp, freeradius3. Everything works fine, but we have to add a record for each user to the raddb/mods-config/files/authorize file.

    user1 Cleartext-Password := "user1"
    user2 Cleartext-Password := "user2"
    userN Cleartext-Password := "userN"

Updated: Is it possible to avoid manually adding users? The script should verify credentials assuming that the username and the valid password are the same value.


Solution

  • This is trivial to do in unlang, FreeRADIUS's configuration language.

    The "known" clear password to be matched in FreeRADIUS must be made available in the Cleartext-Password attribute. This is where it will generally be placed after a successful database lookup.

    As you know the User-Name, you can update the password to match it. In sites-enabled/default you can add:

    # Fallback: if no known-good password is set yet, use the User-Name as one.
    update control {
        &Cleartext-Password = &request:User-Name
    }
    

    Adding this right at the bottom of the authorize{} section, and using = above (rather than :=) means that the Cleartext-Password attribute will only be changed if it hasn't previously been set by some other method, ensuring that as you add entries back into a database they will take precedence.

    Authentication will then compare User-Name to Cleartext-Password; they will of course match so access will be permitted.
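
As an added illustration (not part of the original answer and not FreeRADIUS code), this Python model walks through the two phases the answer describes: authorize fills Cleartext-Password from User-Name only when it is unset, then authenticate checks a PAP or CHAP request against it. The shared secret, the `db` dictionary and all function names are assumptions made for this example.

```python
import hashlib, hmac, os

SECRET = b"testing123"  # constructed RADIUS shared secret for this example

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pap_hide(password, authenticator, secret=SECRET):
    """NAS side: RFC 2865 section 5.2 User-Password hiding."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def pap_reveal(hidden, authenticator, secret=SECRET):  # server side: undo hiding
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_response(ident, password, challenge):
    """RFC 1994: MD5 over identifier, cleartext password and challenge."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def authorize(request, control):
    # Models the answer's '=' operator: set only if nothing earlier set it.
    control.setdefault("Cleartext-Password", request["User-Name"])

def authenticate(request, control):
    known = control["Cleartext-Password"]
    if "CHAP-Password" in request:  # 1-byte identifier + 16-byte response
        ident, resp = request["CHAP-Password"][0], request["CHAP-Password"][1:]
        expected = chap_response(ident, known, request["CHAP-Challenge"])
        return hmac.compare_digest(resp, expected)
    sent = pap_reveal(request["User-Password"], request["Authenticator"])
    return hmac.compare_digest(sent, known)

def login(user, password, chap=False, db=None):  # one constructed Access-Request
    rnd, control = os.urandom(16), dict((db or {}).get(user, {}))
    request = {"User-Name": user, "Authenticator": rnd, "CHAP-Challenge": rnd}
    if chap:
        request["CHAP-Password"] = b"\x01" + chap_response(1, password, rnd)
    else:
        request["User-Password"] = pap_hide(password, rnd)
    authorize(request, control)
    return authenticate(request, control)
```

CHAP never sends the password itself, which is why the server needs the cleartext value in `Cleartext-Password` to recompute the response. Because the fallback makes every username its own password, an entry restored into `db` (the model's stand-in for the files module or a database) overrides it, as the `=` operator does in the answer.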