update request {
User-Name := whatever
User-Password := wh4t3v3r
}
in the pre-proxy section work? No need for a module then... And if I may
ask, why would you need to modify name and password for proxying? If it's
just about cutting out realms, there is an excellent realm module to do
that for you.
Yes, I can do that for static modifications, but in my case I have to
split the password and extract N bytes from it, which is a One-time
password for 2 factor authentication. I have to receive AUTH_ACK from
main radius server using the original password and then process the
second authentication stage with a 2 factor authentication manager using
that N bytes long OTP. (Connecting to 2FA server, sending OTP and
receiving result) This is why I need to do it in a module.
unlang can do WAY more than just static replacements. Use a regular
expression.
if ( %{request:User-Password} =~ (.*)(......) ) update request {
User-Password := %{2}
}
... or something close to that. My syntax may be imperfect, maybe someone can
provide a more bullet-proof/correct one.
This here is supposed to mean: if the password is at least 6 characters long,
change the password so that it only is those last six characters (%{1} would
be: only the first part, without the trailing OTP).
If it is less than six, this expression does nothing. I guess in your scenario
you would want to discard those outright, because they don't contain a valid
OTP. Add another rule for this case then. I'm ssuming your "N" to be = 6
because that's a common length for OTPs. Put more/less dots at the end of the
regexp if you have a different setup.
Thanks, You're right, unlang is a powerful tool. I just finished
reading it's man page. it has very interesting features. (accessing
run-time variables is wonderful). Your assumptions on my scenario is
almost true and I do believe that your suggestion (regex in unlang) can
completely remove any need for using a module in order to modify a
request. However, In this specific scenario, I need much more further
processing which should be done before I can decide to send a REJECT or
ACCEPT. For example, I have to send extracted OTP to a remote
authentication manager which it's answer would determine final
authentication result.
I know this is ugly. So, If I define my own attributes, is it necessary
for main RADIUS server (which we proxy to) to have modified dictionary
files ? or it will simply ignore those unknown attributes ?
It should. See RFC2865 section 5.26 and RFC5080 section 2.5 for details. But,
to be honest, the pragmatically best approach is: TRY IT. Define a VSA, send
it, and look what happens.
Thanks for references, according to these RFC's servers MUST ignore
unknown VSA. However, I think you're completely right, I need to
arrange a test case and see what would happen.