non-standard authentication

Gary Gatten Ggatten at waddell.com
Wed Feb 23 22:23:58 CET 2011


I'm CERTAINLY no expert in this, but I can hopefully point you in the right direction.

There is some doc within the FR install (and the Wiki I think) about writing your own "modules" - I think this is what you want.  Although, I think you can do pretty much anything with rlm_perl and unlang, but nonetheless - yes, you can write your own auth module.  I don't think it would be a separate "listener", but just another module FR uses to auth RADIUS requests.  I.e.:  instead of FR using RLM_LDAP, EAP, unix, ntlm_auth, etc. - it would use "Travis_Auth".

Not sure if that helps.  If you can't find doc on "modules" LMK and I'll see if I can track it down for you.  From what I remember it's not rocket science, but not trivial either.

G

________________________________
From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org] On Behalf Of Travis Dimmig
Sent: Wednesday, February 23, 2011 2:56 PM
To: FreeRadius users mailing list
Subject: non-standard authentication

I have a problem scenario where I need to be able to handle the authentication of users myself.  I am looking into using either rlm_perl or (preferably) rlm_jradius to be able to write my own piece to do authentication.  I believe this is possible with either module (please correct me if I'm wrong on that, it would stop me in my tracks).  What I need to know is if when writing my own authenticator there is a terribly complicated process of requests and responses that I have to honor in order to make the supplicant happy, or if I can trivially accept or reject based on the parameters of my business problem.  As a test case, I wrote a Java class for rlm_jradius that just replaced reject packets with accept packets, to see if it would work.  I found that if I hooked into it at the 'post_auth' stage it didn't matter what my reply was, freeRadius remembered that auth had failed and stripped all the attributes from the response packet.

That was long-winded, here is a summary of my questions.  Can I write my own piece to do authentication?  Where in the freeRadius process do I list that listener?  Is there a series of requests and responses that I have to honor?

-Travis
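
As an added illustration (not part of the original thread and not FreeRADIUS project code), this is what a custom decision can look like as an rlm_perl script that makes the accept/reject call in the authenticate hook rather than in post_auth. It assumes PAP requests that carry User-Password and a server configuration that calls the perl module in its authenticate section; the script name, user table and business_check rule are hypothetical.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Hashes that rlm_perl fills in (package main) for every request.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Return codes rlm_perl expects back from a hook.
use constant { RLM_MODULE_REJECT => 0, RLM_MODULE_OK => 2, RLM_MODULE_NOOP => 7 };

# Constructed stand-in for the site's own user store (hypothetical data).
my %USERS = (
    alice => { salt => 'k3', digest => sha256_hex('k3' . 'wonderland'), enabled => 1 },
    bob   => { salt => 'p9', digest => sha256_hex('p9' . 'builder'),    enabled => 0 },
);

# Hypothetical business rule: known, enabled user with a matching password.
sub business_check {
    my ($user, $pass) = @_;
    my $rec = $USERS{ $user // '' } or return 0;
    return 0 unless $rec->{enabled} && defined $pass;
    return sha256_hex($rec->{salt} . $pass) eq $rec->{digest};
}

# authenticate: the accept/reject decision is made here.
sub authenticate {
    if (business_check($RAD_REQUEST{'User-Name'}, $RAD_REQUEST{'User-Password'})) {
        $RAD_REPLY{'Reply-Message'} = 'Accepted by site policy';
        return RLM_MODULE_OK;
    }
    return RLM_MODULE_REJECT;
}

# post_auth: leaves the outcome alone; the thread reports that rewriting
# the reply at this stage did not turn a reject into an accept.
sub post_auth { return RLM_MODULE_NOOP; }

# Stand-alone check outside FreeRADIUS: perl travis_auth.pl --selftest
if (@ARGV && $ARGV[0] eq '--selftest') {
    for my $t (['alice', 'wonderland'], ['alice', 'wrong'], ['bob', 'builder'], ['eve', 'x']) {
        %RAD_REQUEST = ('User-Name' => $t->[0], 'User-Password' => $t->[1]);
        %RAD_REPLY   = ();
        printf "%-6s %-11s -> %s\n", @$t, authenticate() == RLM_MODULE_OK ? 'accept' : 'reject';
    }
}
1;
```

Only the first constructed case (alice with the right password) is accepted; the wrong password, the disabled account and the unknown user are all rejected.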
