On Thu, Apr 21, 2011 at 07:13:46PM +0530, ashwini b wrote:
I'm giving a detailed description of my problem here Im setting up 802.1x port based authentication using wire1x as supplicant and freeradius as the server.I have configured switch for 802.1x and using eap-tls as authentication protocol.freeradius is configured to authenticate the client with username and password. My problem is i want to sent a bit(P bit) along with this username which will be taken into account for the authentication.for this i planned to send the username as P<specialcharacter>UserName.and wire1x will send the username as usual.
So do you mean the username might look like "P0fred" or "P1bob" ?
Now at the freeradius side i have to seperate this new user name to P and UserName.and and make the authentication as(hypothetically): if(recieved (username,password)=(username,password)in clients.conf)&&bit P==1) { authenticate(return 0) }
So you're saying if the bit P==0 or the bit P is missing completely, then you should reject them? authorize { ... if (User-Name =~ /^P1(.*)$/) { update request { User-Name = "%{1}" } } else { reject } ... } But this seems a bit silly, if you have a custom supplicant which adds "P0" or "P1" to the front of the username, but you want "P0" always to fail. In that case, you might as well make the supplicant itself refuse to authenticate. Note also that there is no "username and password" stored in clients.conf. clients.conf contains just the source IP addresses of the RADIUS clients (the switches themselves, in the case of 802.1x authentication), and the shared secrets which the clients use to prevent spoofed RADIUS packets being sent.
I found that the username,password checking is done in auth.c file.i have to add 1 more condition to that.
No, you don't need to touch the C source. You can rewrite the username in the authorize section (which is also where you do any database lookups, to find things like the Cleartext-Password to compare against the password provided by the user) However, it sounds like it would repay you well to read some of the standard documentation for freeradius, as well as a primer on the RADIUS protocol itself, before proceeding further. HTH, Brian.