non-standard authentication

Gary Gatten Ggatten at waddell.com
Thu Feb 24 00:32:21 CET 2011 

Again, no expert here, but as I understand it you simply "plugin" your auth process/module (Travis_Auth) to an existing FR Auth method.  Travis_Auth does whatever logic you wish and returns Accept, Reject, OK, whatever - I'm not sure what the return option are or NEED to be.

In your case I THINK you'd mess with the eap.conf and / or inner-tunnel.  Those are setup to handle anything that uses EAP stuff, which I assume your WPA2 gear will use?

We use the "WPA2-Enterprise" for our Aruba wireless, and it uses NTLM_AUTH as the backend auth method.  Works good so far.  Some day I'll get it integrated with LDAP for DVLANs, HOPEFULLY....

G


-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org] On Behalf Of Travis Dimmig
Sent: Wednesday, February 23, 2011 4:49 PM
To: FreeRadius users mailing list
Subject: RE: non-standard authentication

I mixed up some terms between freeRadius and JRadius (my first attempt to accomplish this used rlm_jradius).  The term 'listener' is specific to what I was trying to accomplish with JRadius.  I also neglected to mention the important fact that I need to accomplish authentication specifically for WPA2, but without using ntlm_auth etc.  I basically want the ability to say "yes" or "no" to a WPA2 user based on rules that I define, hence my looking at rlm_perl and rlm_jradius, both let me write something of my own.  However, to use either of those with WPA2, I imagine I have to follow the 4-way handshake properly, or the supplicant will bark?

I realize that this is stepping a bit outside the realm of just freeRadius, but if anyone has information it would be extremely helpful.
	
-Travis

From: freeradius-users-bounces+tdimmig=impulse.com at lists.freeradius.org [mailto:freeradius-users-bounces+tdimmig=impulse.com at lists.freeradius.org] On Behalf Of Gary Gatten
Sent: Wednesday, February 23, 2011 3:24 PM
To: 'FreeRadius users mailing list'
Subject: RE: non-standard authentication

I'm CERTAINLY no expert in this, but I can hopefully point you in the right direction.

There is some doc within the FR install (and the Wiki I think) about writing your own "modules" - I think this is what you want.  Although, I think you can do pretty much anything with rlm_perl and unlang, but nonetheless - yes, you can write your own auth module.  I don't thik it would be a separate "listener", but just another module FR uses to auth RADIUS requests.  Ie:  instead of FR using RLM_LDAP, EAP, unix, ntlm_auth, etc. - it would use "Travis_Auth".

Not sure if that helps.  If you can't find doc on "modules" LMK and I'll see if I can track it down for you.  From what I remember it's not rocket science, but not trivial either.

G

________________________________________
From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org] On Behalf Of Travis Dimmig
Sent: Wednesday, February 23, 2011 2:56 PM
To: FreeRadius users mailing list
Subject: non-standard authentication

I have a problem scenario where I need to be able to handle the authentication of users myself.  I am looking into using either rlm_perl or (preferably) rlm_jradius to be able to write my own piece to do authentication.  I believe this is possible with either module (please correct me if I'm wrong on that, it would stop me in my tracks).  What I need to know is if when writing my own authenticator there is a terribly complicated process of requests and responses that I have to honor in order to make the supplicant happy, or if I can trivially accept or reject based on the parameters of my business problem.  As a test case, I wrote a Java class for rlm_jradius that just replaced reject packets with accept packets, to see if it would work.  I found that if I hooked into it at the 'post_auth' stage it didn't matter what my reply was, freeRadius remembered that auth had failed and stripped all the attributes from the response packet.

That was long winded, here is a summary of my questions.  Can I write my own piece to do authentication?  Where in the freeRadius process do I list that listener?  Is there a series of requests and responses that I have to honor?

-Travis

"This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." 
________________________________________
No virus found in this message.
Checked by AVG - www.avg.com
Version: 10.0.1204 / Virus Database: 1435/3463 - Release Date: 02/23/11

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





<font size="1">
<div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'>
</div>
"This email is intended to be reviewed by only the intended recipient
 and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that
 any review, use, dissemination, disclosure or copying of this email
 and its attachments, if any, is strictly prohibited.  If you have
 received this email in error, please immediately notify the sender by
 return email and delete this email from your system."
</font>

More information about the Freeradius-Users mailing list