Fw: authorize and authenticate methods ina custom module

Yannick Deltroo deltroo at gmail.com
Thu Jan 5 23:10:02 CET 2006


I've done something like this.

You should write a custom script for the authorization section, put
something like this in radiusd.conf

modules {
 .....
exec myscript  {
        program = "/path/to/myscript %{User-Name}"
	wait = yes
        input_pairs = request
        output_pairs = config
        packet_type = Access-Accept
	}
.....
}

authorize {
.....
pap
chap
myscript
......
}


Assuming it's a shell script, it has do this:
- retrieve the parameters of the Access-Request. User-Name is passed
as an argument, other attributes can be access from the environment
variables or passed as addition myscript arguments
- then call the cgi with the approriate parameters using curl
- if the user exists, the cgi should return the Password XXXXXX to
myscript (I'm assuming PAP/CHAP is used for authentication)
- then myscript will write Password ="XXXXX" to stdout (it will make a
config attribute for freeradius) and then exit(0)
- if the cgi says that the user does not exits. Exit(0) without
writing anything to stdout. This way other authorization modules may
try to find the user.

If the user really does not exist anywhere, the access-reject will be
decided during PAP/CHAP authentication. (a user with no password = >
reject)

Yannick Deltroo

On 1/5/06, Susana Macias <susana_macias12 at yahoo.es> wrote:
>
> Thanks a lot Alan,
>
> I would like to explain what I am trying to develop. If someone has any
> advise, please tell me. This is my scenario:
>
> Until now, we have a RADIUS server (RADIUS PSI) which only receives
> Access-Request packets.
>
> Also we have a CGI application located in the URL http://X.Y.Z.W:8080/nucleo
> This application receives a set of parameters as an URL encoded string (all
> characters that are not a-z, A-Z or 0-9 are converted to their "URL escaped"
> version) with this form:
> Attribute1=Value1&Attribute2=Value2... (where Attribute1,
> Attribute2... and Value1,Value2... are the differents Attribute/Value pairs
> obtained from the Access-Request packet)
> The CGI application consults a remote database (and normally authenticate
> the user using the telephone number; although there are other variants).
>
> According to the response obtained from the remote resource, the RADIUS
> server adds differents Attribute/Value pairs to the reply list, and always
> reply with an Access-Accept packet (whether or not the CGI application
> authenticate the user successfully)
>
> Now, we want to change to a FreeRadius server.
>
> I only want to call the remote resource (using th! e libcurl library)
> passing it  the appropiates parameters and collect the information returned
> by it in order to create the reply list. As the CGI application performs the
> authorize and authenticate activities I am a little embarrassed to say  that
> I am not sure which function should I implement (authorize or authenticate).
>
> Thank you very much in advance
>
> Best wishes,
> Susana
>
>
>
>
>
> ----- Original Message -----
> From: "Alan DeKok"
> To: "FreeRadius users mailing list"
> Sent: Tuesday, January 03, 2006 4:31 PM
> Subject: Re: authorize and authenticate methods ina custom module
>
>
> > Susana Macias wrote:
> > > I have started working with the RADIUS protocol (and with FreeRadius
> > > in particular) three weeks ago. Congratulations for the product, it is
> > > really powerful!
> >
> > Thanks.
> >
> > > But, when are the authorize() and authenticate() methods called?
> >
> > When a packet comes in. See doc/aaa.txt
> >
> > > Is it necessary to include in the radiusd.conf the name of the
> > > instance (of the new module created) in the authorize section in order
> > > to call its authorize() method?
> >
> > Yes.
> >
> > Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> >
>
>
>
>
>
>  ________________________________
>
> Correo Yahoo!
> Comprueba qué es nuevo, aquí
> http://correo.yahoo.es
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>




More information about the Freeradius-Users mailing list