Checking password and doing something else during authenticate...
Johan Meiring
jmeiring at pcservices.co.za
Thu Feb 11 20:44:12 CET 2010
Hi,
Let me start off with that a have a perfectly working freeradius setup
authenticating a bunch of hotspots (coova-chilli). Thanks freeradius!!!
All is done using custom code in rlm_perl during authentication.
I check the password
I check the users cap
I check a bunch of other stuff
I accept or reject the user
I am busy expanding services and can not figure out the following.
To sum up my understanding of how freeradius works.
authorise = select auth type
authenticate = run the appropriate auth method
Currently I do the following
authorise = set Auth-Type to perl
authenticate = run my perl stuff
i.e. check the password
check the users cap
add some reply items
return RLM_MODULE_OK/REJECT
A friend of mine mentioned that I would not be able to handle CHAP, should I
ever want to one day, as I am authenticating the password myself using perl.
Now I am trying to achieve the following
authorise = leave auth type for Freeradius to decide
set the cleartext password using perl
authenticate = leave Freeradius to do auth using PAP/CHAP
check the cap using perl and possibly reject the user
return RLM_MODULE_OK/REJECT
I basically want freeradius to do the PAP/CHAP stuff and AFTER that I want
to do things like check the users CAP.
The reason I want to do this is because some of my custom checking (e.g. the
CAP) can be hard on my sql database. I do not want to go to the trouble of
a sql select through 10000's of accounting records, until I at least know
the password is OK.
I therefore want to influence the authentication decision (using rlm_perl)
AFTER freeradius has performed the PAP/CHAP/EAP authentication (and it was OK).
Does what I want to do make sense?
Is this possible?
Thanks!
--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
More information about the Freeradius-Users
mailing list