New to FreeRadius (not to Radius) and need to know about capabilities.

Dan Geist dan.geist at cox.com
Tue Sep 19 23:57:53 CEST 2006


Greetings, all. I'm a new user that's looking at FreeRadius because of
some of its features, but I'd like to figure out if it can replicate
what I'm currently doing before I start looking into a migration. My
current setup does the following (with openradius, mysql, perl, and a
PAM-securID module) on each packet arrival:

1) check an SQL db for the encryption key and tokenize everything (if
so, continue, else exit)

2) check to see if it's an accounting packet and log it (if so, then do
it then exit)

3) if it's anything else, check the SQL db to see if the username is
valid. (if so, continue, else exit)

4) execute a PAM check on the valid user with the credentials just
provided (which could be unix auth, securID, mysql, LDAP, whatever PAM
supports) (if authenticated, continue, else exit)

5) check to see if it's one of a short list of auth-only NASs (if so,
authenticate that user and exit, else continue)

6) do another SQL lookup to get the combination of VSA option values for
that unique username/nas pair and return the appropriate RAD-access
option along with the VSA options for that user/device combination
(return packet/VSAs and exit)

Now, I know that's a lot of info, but does FreeRadius have the
flexibility to be able to do something like this? The big things are
that it be able to do PAM auth on users and that it be able to return
VSAs based on a one-to-one relationship that's stored in a MySQL db.

Thanks.
Dan



-- 
Dan Geist | dan.geist at cox.com | (404) 269-6822
Cox Communications - Engineering Security
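
The per-packet flow in steps 1-6 of the message above, modelled as an added example; it is not part of the original post and is not FreeRadius or openradius configuration. Assumptions: the table layout, the sample rows, `sqlite3` standing in for MySQL, the hypothetical `fake_pam` callable standing in for the PAM check, packets arriving already decoded into a dict, and the reply names returned where the post only says "exit".

```python
import sqlite3

def build_db():
    """Constructed sample data; sqlite3 stands in for the MySQL database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE nas  (addr TEXT PRIMARY KEY, secret TEXT, auth_only INTEGER);
        CREATE TABLE users(name TEXT PRIMARY KEY);
        CREATE TABLE vsa  (name TEXT, addr TEXT, attr TEXT, value TEXT);
        CREATE TABLE acct (name TEXT, addr TEXT, status TEXT);
        INSERT INTO nas VALUES ('192.0.2.1', 'key-one', 0), ('192.0.2.2', 'key-two', 1);
        INSERT INTO users VALUES ('alice');
        INSERT INTO vsa VALUES ('alice', '192.0.2.1', 'Example-Priv-Level', '15');
    """)
    return db

def fake_pam(user, password):
    """Hypothetical stand-in for the PAM call (unix auth, SecurID, LDAP, ...)."""
    return (user, password) == ("alice", "123456")

def handle(db, pkt, pam_check=fake_pam):
    """Return (reply, vsas) for a decoded packet, following steps 1-6 in order."""
    user, addr = pkt.get("user"), pkt["nas"]
    # Step 1: the NAS must have a key on file, otherwise nothing is processed.
    nas = db.execute("SELECT secret, auth_only FROM nas WHERE addr = ?", (addr,)).fetchone()
    if nas is None:
        return ("drop", [])
    # Step 2: accounting packets are logged and handled no further.
    # (Answering with Accounting-Response is an assumption of this example.)
    if pkt["code"] == "Accounting-Request":
        db.execute("INSERT INTO acct VALUES (?, ?, ?)", (user, addr, pkt.get("status")))
        return ("Accounting-Response", [])
    # Step 3: the username must exist. It is sender-supplied, so it is only ever
    # passed as a bound parameter. Rejecting here is an assumption.
    if db.execute("SELECT 1 FROM users WHERE name = ?", (user,)).fetchone() is None:
        return ("Access-Reject", [])
    # Step 4: credentials go to PAM only for users that passed step 3.
    if not pam_check(user, pkt.get("password")):
        return ("Access-Reject", [])
    # Step 5: auth-only NASs get a bare accept with no attributes.
    if nas[1]:
        return ("Access-Accept", [])
    # Step 6: VSAs are keyed on the username/NAS pair, not on the user alone.
    vsas = db.execute("SELECT attr, value FROM vsa WHERE name = ? AND addr = ? ORDER BY attr",
                      (user, addr)).fetchall()
    return ("Access-Accept", vsas)
```
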



