Auth-Type Perl instead of Auth-Type EAP?

Alan DeKok aland at deployingradius.com
Sat Feb 26 07:57:02 CET 2011


Josh Richard wrote:
> What I would like to do is have a WPA2 PEAP/MS_ChapV2 Cisco wireless
> SSID hook into the FR server above.

  OK...

> The FR server currently is using rlm_perl to handle authentication and

  Please, no.  Authentication includes things like EAP.  Doing EAP in
Perl is not a good idea.

> I wrote some Perl in the rlm_perl code that uses Perl's Authen::Radius
> to proxy the lookup to a different production FR server containing the
> set of all users.  Neat.

  Uh... that is an incredibly bad idea.  FreeRADIUS already does
proxying.  Why do it in Perl?  You're going to get it wrong.

> When the SSID is wired in, we see this:
> 
> [peap] Got inner identity 'jrichar4'
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/inner-tunnel
> rlm_perl: Added pair User-Name = jrichar4
> rlm_perl: Added pair EAP-Message = 0x0206000c016d736865746b61
> rlm_perl: Added pair EAP-Type = Identity
> rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
> rlm_perl: Added pair Crypt-Password = *
> rlm_perl: Added pair Auth-Type = EAP
> rlm_perl: Added pair Proxy-To-Realm = LOCAL
> rlm_perl: Added pair EAP-Type = MS-CHAP-V2
> 
> I would prefer to use Auth-Type = Perl in the EAP inner tunnel.  Is
> this possible?

  Yes.  See raddb/sites-enabled/inner-tunnel

> Do I need to overload anything in eap.conf?

  No.

  But in general, this is a terrible idea.  FreeRADIUS has proxying and
DB plugins.  Redoing all of that in Perl is asking for unneeded complexity.

  Alan DeKok.
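
[Editor's note, not part of the thread: the reply points at raddb/sites-enabled/inner-tunnel without showing the edit. Below is an added example of what that edit looks like for FreeRADIUS 2.x; it is not code from the thread or from the FreeRADIUS project. It assumes the default rlm_perl instance name "perl" from raddb/modules/perl, with func_authorize and func_authenticate pointing at functions in the site's Perl script. Only the two touched sections of the virtual server are shown; "..." stands for the stock lines that are left as they are.]

```text
# raddb/sites-enabled/inner-tunnel  (added example, FreeRADIUS 2.x unlang)
# Assumes the module instance is called "perl" (raddb/modules/perl).

server inner-tunnel {
    authorize {
        ...
        # Run the Perl authorize function. It may add control items such as
        # NT-Password or Cleartext-Password for the inner user.
        perl

        # Hand the request to the Perl authenticate function instead of the
        # "Auth-Type = EAP" that the eap module set earlier in this section.
        # ":=" overrides whatever is already in control.
        update control {
            Auth-Type := Perl
        }
        ...
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        # New sub-section: when control Auth-Type is Perl, the "perl"
        # instance's authenticate function decides accept/reject.
        Auth-Type Perl {
            perl
        }
        eap
    }
}
```

Caveat for the PEAP case in the log above (editor's note, an assumption about the setup, not a statement from the thread): with Auth-Type forced to Perl, the inner request that still carries EAP-Message and EAP-Type = MS-CHAP-V2 is no longer finished by the eap module, so the Perl authenticate function would have to implement the EAP-MSCHAPv2 exchange itself, which is exactly what the reply warns against. The split that avoids that is to let the Perl authorize function add the user's password to the control list (NT-Password or Cleartext-Password) and leave Auth-Type = EAP alone, so the eap and mschap modules complete the MS-CHAPv2 challenge/response.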
