So can I just clarify that you're saying FreeRADIUS can be set up to send Access-Accept when getting a DHCP request even if the NAS is not sending a password?
Can I just be clear that what you're saying can be set up only to authorize a DHCP request, as it's important the hotspot continues to have the same auth method and will not auth any password.
Sorry if I'm being thick, but I have read the FreeRADIUS docs and can't seem to find exactly the right info you're talking about?
You need to set up your own policy within FreeRADIUS to handle authenticating DHCP users, and make up for the fact that the MikroTik DHCP server sends a blank User-Password attribute in Access-Requests for DHCP Discover packets. Here's a more detailed way of how you can handle it, and still not allow hotspot logins containing random passwords.
The Access-Requests for DHCP packets come in like this:
NAS-Port-Type = Ethernet
NAS-Port = 2198977383
Framed-IP-Address = 192.0.2.2
Called-Station-Id = "dhcp1"
User-Name = "01:23:45:67:AB:CD"
User-Password = ""
NAS-Identifier = "myrouter.domain.tld"
You can create the following policy so that FreeRADIUS will still allocate IPs to DHCP users even though the User-Password attribute is blank. This policy should not match hotspot users because hotspot requests contain the 'Service-Type' attribute, which this policy explicitly requires to be absent.
authorize {
    # Match only MikroTik DHCP requests: Ethernet port, no Service-Type, server named dhcpN
    if (NAS-Port-Type == Ethernet && NAS-Port && !Service-Type && Called-Station-Id =~ /^dhcp[0-9]+$/) {
        # Username is a MAC address and password is blank
        if (User-Name =~ /^([0-9A-F]{2}:?){6}$/ && User-Password == '') {
            # Set password to 'User-Name' to facilitate proper lookup in 'users' file or SQL radcheck table
            # ':=' replaces the existing blank value; '=' only adds the attribute when it is absent
            update request {
                User-Password := "%{User-Name}"
            }
        }
    }
    files
    sql
    chap
    pap
    # …etc
}
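The policy's matching conditions modeled in Python, as an added example that is not part of the original post and is not FreeRADIUS code, so the edge cases can be checked against sample requests before deploying. The requests are constructed, the Service-Type value "Login-User" is an assumed sample, and Python's `re` stands in for the server's regex engine.

```python
import re

# Patterns copied verbatim from the policy above (case-sensitive, as written).
DHCP_SERVER_RE = re.compile(r"^dhcp[0-9]+$")
MAC_RE = re.compile(r"^([0-9A-F]{2}:?){6}$")


def apply_dhcp_policy(request):
    """Return a copy of the request after the policy's rewrite, if any.

    `request` maps attribute names to values; a missing key models an
    attribute that is absent from the Access-Request.
    """
    req = dict(request)
    is_dhcp = (
        req.get("NAS-Port-Type") == "Ethernet"
        and "NAS-Port" in req
        and "Service-Type" not in req          # hotspot logins carry Service-Type
        and DHCP_SERVER_RE.fullmatch(req.get("Called-Station-Id", "")) is not None
    )
    if (is_dhcp
            and MAC_RE.fullmatch(req.get("User-Name", "")) is not None
            and req.get("User-Password") == ""):
        req["User-Password"] = req["User-Name"]  # models the password rewrite
    return req


def rewritten(request):
    """True when the policy changed User-Password for this request."""
    return apply_dhcp_policy(request).get("User-Password") != request.get("User-Password")


# Constructed sample: the DHCP Access-Request shown in the post.
DHCP_REQUEST = {
    "NAS-Port-Type": "Ethernet",
    "NAS-Port": 2198977383,
    "Framed-IP-Address": "192.0.2.2",
    "Called-Station-Id": "dhcp1",
    "User-Name": "01:23:45:67:AB:CD",
    "User-Password": "",
    "NAS-Identifier": "myrouter.domain.tld",
}
# Constructed variants used to probe the conditions.
HOTSPOT_BLANK = {**DHCP_REQUEST, "Service-Type": "Login-User"}
LOWERCASE_MAC = {**DHCP_REQUEST, "User-Name": "01:23:45:67:ab:cd"}
NO_COLON_MAC = {**DHCP_REQUEST, "User-Name": "0123456789AB"}
UNNUMBERED_SERVER = {**DHCP_REQUEST, "Called-Station-Id": "dhcp"}
NONBLANK_PASSWORD = {**DHCP_REQUEST, "User-Password": "guess"}
```

The lowercase-MAC case is the one to watch: the regex as written accepts only uppercase hex, so a NAS that sends lowercase MACs would not match the policy.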