custom auth script just for pap

[Alan DeKok]

On Nov 16, 2018, at 8:54 AM, Christian Salway via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> I have read all 58 pages of the Technical Guide and scanned through the "main page" (which is basically a copy).
> 
> I still don't know how to implement a custom authorisation.
> 
> What I am trying to achieve is to:
> 
> a) log in with eap-mschapv2 and only if Access-Accept, run a custom script to do an MFA which could cause the result to become an Access-Reject.
> b) log in with pap and run a custom auth script (which does MFA) which results in an access-Accept or Reject.
> 
> I couldn't find anywhere in the documentation to help me with this.  Could you point me to the page?  I think I understand that it is probably best done in the Authenticate section

  There is no documentation that says "how to implement Christian Salways configuration". 

  You have to put the pieces together yourself.  The RADIUS ecosystem is complex enough that it is *impossible* to give guides for every possible thing that everyone could possibly want to do.

 There *is* documentation that says:

a) how to check for things

b) how to do things

  I gave you an example of how to check for User-Password (i.e. PAP), and do something.  If you read the configuration and examples, you will see that there is detailed documentation for how to run external programs.  See the "exec" module.

  Then, put the two pieces together.  "If user password, run my custom exec module".

  Yes, I could give you line by line instructions for how to do this.  And yes, I could spend *24 hours a day* doing that for people.  And yes, you would not learn anything.  And yes, you would be unable to maintain the system you built.

  This is not just me being obtuse.  This is me insisting that you *understand* not only how to configure the server, but also how to *solve problems*.   Just asking questions on the mailing list isn't an option.

  Alan DeKok.