Compiling modules

Matthew Newton mcn at freeradius.org
Mon Nov 27 12:44:41 CET 2017


On Mon, 2017-11-27 at 10:01 +0000, Jonathan Anthony wrote:
> I am still a little confused.  What we are doing is that we have a
> secure box for storing, initially usernames and passwords using our
> own built hardware/software.
> 1.  We want to write a "plug-in" which I assume will be a module, so
> that when authenticating a user, it will send a command to our box.
> The box returns simply yes or no depending if the password matches. I
> thought rlm_pap authenticates using the flat users file. So we
> assumed that if we modified pap, this would work. Sorry if this is a
> stupid question but I have just started with Radius.

No, rlm_files reads the flat users file. It can, as an example, set
the Cleartext-Password attribute with the known password of the user.

rlm_pap checks that the User-Password supplied in the RADIUS request
matches with the password in the Cleartext-Password, Password-with-
Header or other similar attributes.

So combined they will do what you are thinking.

The usual method is to supply the password from the database (I guess
in this case your own solution) to the RADIUS server, and then the
RADIUS server checks that the password is correct.

The password can be supplied by many means - hence rlm_files (users
file), rlm_ldap (read from LDAP), rlm_sql (read from an SQL database),
etc.

> 2. Say our authentication is called SNAP. How does the radius server
> select our module to authenticate? I did notice a "hints" file but
> not sure how this will work.

As an example, in the authorize{} section the files module will read
the Cleartext-Password for the user, and the pap module will detect
that there is a Cleartext-Password and a User-Password (supplied in the
request) and set the Auth-Type to "PAP".

Then the server calls the authenticate{} section called "PAP", which
again calls the pap module to check that the username and password are
correct.

You can mix and match these as you like, or set Auth-Type yourself
(though this is not recommended, most people get it wrong).

I guess the main question is why you need to write a C module to talk
to your solution. What protocols do you support? For instance, if you
have an HTTP REST API, then you can already use rlm_rest to talk to it.

Read the "concepts" and "getting started" pages on the wiki for another
explanation of how the server works.

-- 
Matthew
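
The authorize{} / authenticate{} flow described in the reply above, written out as a virtual-server fragment. This is an added example, not part of the original message and not the project's shipped configuration; it assumes FreeRADIUS v3-style syntax, and the user "bob" and password "hello" are constructed sample values.

```unlang
# Users-file entry read by the "files" module (constructed sample user):
#
#   bob   Cleartext-Password := "hello"
#
authorize {
	# rlm_files: looks the user up in the flat users file and adds the
	# known-good password (Cleartext-Password) to the control list.
	files

	# rlm_pap: sees a User-Password in the request and a known-good
	# password in the control list, and sets Auth-Type to PAP if
	# nothing else has already set it.
	pap
}

authenticate {
	# The server runs this subsection because Auth-Type is PAP.
	Auth-Type PAP {
		# rlm_pap again: compares the User-Password from the request
		# with the known-good password and accepts or rejects.
		pap
	}
}
```

pap is listed after files in authorize{} so that the known-good password is already present when pap decides whether to set Auth-Type.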


