Auth-Type Perl instead of Auth-Type EAP?

Josh Richard jrichar4 at d.umn.edu
Fri Feb 25 18:52:22 CET 2011


Hello list,

After a bit of digging, I would like to ask a question to ensure this
idea is even possible. :)

I am running FR 2 on Debian.

What I would like to do is have a WPA2 PEAP/MS-CHAPv2 Cisco wireless
SSID hook into the FR server above.

The FR server currently is using rlm_perl to handle authentication and
this does work with FR running with -x and a client test using
radtest:

Sending Access-Request of id 184 to <ip> port 1812
	User-Name = "jrichar4"
	User-Password = "removed"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 10
rad_recv: Access-Accept packet from host <ip> port 1812, id=184, length=20

on the server I see:

rlm_perl: Added pair User-Name = jrichar4
rlm_perl: Added pair User-Password = <removed>
rlm_perl: Added pair NAS-IP-Address = 127.0.1.1
rlm_perl: Added pair NAS-Port = 10
rlm_perl: Added pair Crypt-Password = <removed>
rlm_perl: Added pair Auth-Type = Perl

I wrote some Perl in the rlm_perl code that uses Perl's Authen::Radius
to proxy the lookup to a different production FR server containing the
set of all users.  Neat.
I hope to use this server to flip VLANs using
$RAD_REPLY{'Tunnel-Private-Group-ID'} based on an eventual db lookup
to control wireless machine infections without mutzing with an
existing server.

When the SSID is wired in, we see this:

[peap] Got inner identity 'jrichar4'
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
rlm_perl: Added pair User-Name = jrichar4
rlm_perl: Added pair EAP-Message = 0x0206000c016d736865746b61
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Crypt-Password = *
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair Proxy-To-Realm = LOCAL
rlm_perl: Added pair EAP-Type = MS-CHAP-V2

I would prefer to use Auth-Type = Perl in the EAP inner tunnel.  Is
this possible?  I am hoping something simple is amiss as this is close
to working!

I have only:
DEFAULT Auth-Type = Perl
in users.

In inner tunnel I have:
authenticate {
    ....
    Auth-Type Perl {
        perl
    }
    ...
    eap
}

Do I need to overload anything in eap.conf?

Thank you all and kind regards,

Josh Richard
University of Minnesota Duluth
USA


