external script problem

Fajar A. Nugraha list at fajar.net
Thu Sep 20 23:03:35 CEST 2012


On Fri, Sep 21, 2012 at 3:24 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> The ONLY thing you can do is *if* you are using EAP-TTLS/PAP on the clients
> and *then* you can use a script, as follows:
>
> sites-enabled/inner-tunnel:
>
> authorize {
>   ...
>   if (User-Password) {
>     # this is a PAP request, pass to our script
>     update control {
>       Auth-Type := myscript

Since the OP's script (the one he posted last anyway) checks something
like "if ($password == 'bar')", I assume he has passwords in clear
text, so it might be possible to use something like

authorize {
     ...
     update control {
       Cleartext-Password := "%{exec:/path/to/the/script args}"
     }
     ...
}

... and then let the default pap/chap module handle the authorization.
Of course it depends on whether or not the passwords are available as
cleartext/nt-hash, and the script needs to be modified to print the
password instead of "Access-Accept" like it does currently.

-- 
Fajar
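
A lookup script of the kind this reply describes, as an added example that is not part of the original post and is not the OP's script: it prints the stored password on stdout instead of "Access-Accept". The `user:password` file format, the `CRED_FILE` variable, the `lookup_password` function and the assumption that the script's argument is the user name are all hypothetical.

```shell
#!/bin/sh
# Hypothetical helper for a "%{exec:...}" expansion: prints only the user's
# cleartext password on stdout. Assumes $1 is the user name from the request.
LC_ALL=C
export LC_ALL

# Constructed sample store (user:password per line), used only when CRED_FILE
# is not set. A real store should be readable only by the RADIUS server user.
if [ -z "${CRED_FILE:-}" ]; then
    CRED_FILE=$(mktemp)
    trap 'rm -f "$CRED_FILE"' EXIT
    printf '%s\n' 'foo:bar' 'alice:s3cret:with:colons' > "$CRED_FILE"
fi

# Returns 0 and prints the password, 1 for an unknown user, 2 for a rejected name.
lookup_password() {
    user=$1
    # The user name comes from the network: accept a conservative alphabet only.
    case $user in
        ''|*[!A-Za-z0-9._@-]*) return 2 ;;
    esac
    while IFS= read -r line; do
        case $line in
            # Quoted "$user" is matched literally; the whole first field must match.
            "$user":*)
                # Everything after the first colon, with no trailing newline.
                printf '%s' "${line#*:}"
                return 0 ;;
        esac
    done < "$CRED_FILE"
    # Unknown user: print nothing and signal failure through the exit status.
    return 1
}

# Run the lookup only when called with an argument, as the server would.
if [ "$#" -gt 0 ]; then
    lookup_password "$1"
fi
```

Unknown or rejected names produce no output and a non-zero status, so the calling policy can tell "no stored password" apart from a real value.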

