Sample code for external program w/ EAP?

Phil Mayers p.mayers at imperial.ac.uk
Sat Jan 29 12:23:06 CET 2011


On 01/28/2011 06:34 PM, McCann, Brian wrote:


>
> Now, here's my exact problem and explain "why" I need to authenticate
> (not authorize) in my external program (vs ntlm_auth, the users file,
> ldap, sql, etc).  I have an XMLRPC-like server that is accessed over
> https, and takes a hash of the username and a hash of the password,
> and will return output granting or denying the user.  Since
> freeradius doesn't know how to talk to the XMLRPC server, I need my
> external helper.

Are you aware that this will severely limit your options with respect to 
EAP and windows clients?

Only EAP-TTLS/PAP gives you the username & password. Windows clients 
only support EAP-TLS (no username/password) or EAP-PEAP/MS-CHAPv2 using 
the built-in supplicant. You will never see a password from a windows 
client; just an mschap challenge/response pair. Unless your XMLRPC 
handler can process those, you will not be able to authenticate windows 
clients without installing extra supplicant software.

Anyway, you probably want to do something like this in 
/etc/raddb/sites-available/inner-tunnel:

authorize {
   ...
   pap
}
authenticate {
   Auth-Type PAP {
     python
   }
}

...then write the "authenticate" handler of your python module to return 
the appropriate code.
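
An "authenticate" handler of the kind described in the reply above, as an added example that is not part of the original post or of FreeRADIUS itself. It assumes the request arrives as a tuple of (attribute, value) pairs; the SHA-256 hash, the XML-RPC method name `check` and the backend URL are hypothetical, since the thread does not specify them.

```python
# Added example for rlm_python; the backend call and hash choice are assumptions.
import hashlib
import ssl
import xmlrpc.client

# Return codes as defined in the radiusd.py shipped with FreeRADIUS.
RLM_MODULE_REJECT, RLM_MODULE_FAIL, RLM_MODULE_OK = 0, 1, 2

BACKEND_URL = "https://auth.example.invalid/rpc"  # placeholder URL


def digest(value):
    # Assumption: the backend expects hex SHA-256; the post does not say which hash.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def check_backend(user_hash, pass_hash):
    """Hypothetical XML-RPC method 'check'; True means access is granted."""
    ctx = ssl.create_default_context()  # verifies the server certificate and hostname
    proxy = xmlrpc.client.ServerProxy(BACKEND_URL, context=ctx)
    return proxy.check(user_hash, pass_hash) is True


def decide(request, backend=check_backend):
    """Map a request (tuple of (attribute, value) pairs) to a module return code."""
    attrs = dict(request)
    user = attrs.get("User-Name")
    password = attrs.get("User-Password")
    # No cleartext password (e.g. a PEAP/MS-CHAPv2 inner method): nothing to hash.
    if not user or not password:
        return RLM_MODULE_REJECT
    try:
        granted = backend(digest(user), digest(password))
    except Exception:
        # Backend unreachable or TLS validation failed: fail closed, never accept.
        return RLM_MODULE_FAIL
    return RLM_MODULE_OK if granted else RLM_MODULE_REJECT


def authenticate(p):
    # Entry point named by func_authenticate in the python module configuration.
    return decide(p)
```

The `backend` parameter exists so the decision logic can be exercised without a live server; inside FreeRADIUS only `authenticate` is called.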
