Adding Cleartext-Password for EAP requests (new module development)
Hello, I am trying to develop a freeradius module for authorization with OpenIAM and the module works fine with PAP and EAP-TTLS with PAP. Is there a way to decode the EAP packet and access the User-Password attributes within the mod_authorize method of my module or using an unlang policy? Currently, EAP-TTLS wth PAP only woks because when the request is tunneled eap_ttls copy all attributes but with MS-CHAP and others are not working due to missing Cleartext-Password. Thank you, Suneth.
On Aug 11, 2021, at 9:51 AM, Suneth Kariyawasam <sunethnk@gmail.com> wrote:
I am trying to develop a freeradius module for authorization with OpenIAM and the module works fine with PAP and EAP-TTLS with PAP. Is there a way to decode the EAP packet and access the User-Password attributes within the mod_authorize method of my module or using an unlang policy?
No. It's impossible.
Currently, EAP-TTLS wth PAP only woks because when the request is tunneled eap_ttls copy all attributes but with MS-CHAP and others are not working due to missing Cleartext-Password.
Yes. It's impossible to get the clear-text password from MS-CHAP. Alan DeKok.
Hi Alan, Thank you for the swift response, During authorization, my module knows the Cleartext-Password user has submitted to send towards OpenIAM, Is there a way to add that to the request. Suneth. On Wed, Aug 11, 2021 at 7:24 PM Alan DeKok <aland@deployingradius.com> wrote:
On Aug 11, 2021, at 9:51 AM, Suneth Kariyawasam <sunethnk@gmail.com> wrote:
I am trying to develop a freeradius module for authorization with OpenIAM and the module works fine with PAP and EAP-TTLS with PAP. Is there a way
to
decode the EAP packet and access the User-Password attributes within the mod_authorize method of my module or using an unlang policy?
No. It's impossible.
Currently, EAP-TTLS wth PAP only woks because when the request is tunneled eap_ttls copy all attributes but with MS-CHAP and others are not working due to missing Cleartext-Password.
Yes. It's impossible to get the clear-text password from MS-CHAP.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
On Aug 11, 2021, at 9:57 AM, Suneth Kariyawasam <sunethnk@gmail.com> wrote:
During authorization, my module knows the Cleartext-Password user has submitted to send towards OpenIAM, Is there a way to add that to the request.
The server comes with plenty of API documentation, and thousands of lines of code. I suggest going through it and reading it. If your module is going to be Open Sourced, then we can add it to FreeRADIUS, and help to maintain it. If the module is proprietary, then you're getting paid to develop it, and asking us to help you for free. Alan DeKok.
I have gone through the code and the documentation but no luck. The module can be open sourced because it adds the support for authorization from a RESTful API and parses the response based on the JSON/XML fields, finally authorizes the request. I can contribute as well. On Wed, Aug 11, 2021 at 7:30 PM Alan DeKok <aland@deployingradius.com> wrote:
On Aug 11, 2021, at 9:57 AM, Suneth Kariyawasam <sunethnk@gmail.com> wrote:
During authorization, my module knows the Cleartext-Password user has submitted to send towards OpenIAM, Is there a way to add that to the request.
The server comes with plenty of API documentation, and thousands of lines of code. I suggest going through it and reading it.
If your module is going to be Open Sourced, then we can add it to FreeRADIUS, and help to maintain it. If the module is proprietary, then you're getting paid to develop it, and asking us to help you for free.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
On Aug 11, 2021, at 10:06 AM, Suneth Kariyawasam <sunethnk@gmail.com> wrote:
I have gone through the code and the documentation but no luck.
There are literally hundreds of examples of adding attributes to a request. Just pick a module and read it.
The module can be open sourced because it adds the support for authorization from a RESTful API and parses the response based on the JSON/XML fields, finally authorizes the request.
There's already a REST module which does that. Why is there a need for a new module? Alan DeKok.
REST module works based on the HTTP response code and the response body needs to be in a specific format if I am not mistaken (Please correct me if I am wrong). This module will use a config similar to below where regex and json-c pointer support is added to evaluate the response body. openiam { connect_uri = " http://officedepotpoc.openiam.com/idp/rest/api/auth/public/login" http_method = "POST" connect_timeout = 5000 http_headers = '{"Host" : "freeradius.local", "Accept": "application/json", "Content-Type" : "application/json" }' payload = '{ "login" : "%{User-Name}" , "password" : "%{User-Password}" }' verify_status = '{"/status" : 200, "/error" : false, "/errorList" : "^null$" ,"/tokenInfo/authToken" : ".*", "/passwordExpired" : false, "/possibleErrors" : "^null$" }' reply_avp_map = '{ "Cisco-AVPair" : "/tokenInfo/authToken" }' } On Wed, Aug 11, 2021 at 7:38 PM Alan DeKok <aland@deployingradius.com> wrote:
On Aug 11, 2021, at 10:06 AM, Suneth Kariyawasam <sunethnk@gmail.com> wrote:
I have gone through the code and the documentation but no luck.
There are literally hundreds of examples of adding attributes to a request. Just pick a module and read it.
The module can be open sourced because it adds the support for authorization from a RESTful API and parses the response based on the JSON/XML fields, finally authorizes the request.
There's already a REST module which does that. Why is there a need for a new module?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
On Aug 11, 2021, at 10:12 AM, Suneth Kariyawasam <sunethnk@gmail.com> wrote:
REST module works based on the HTTP response code and the response body needs to be in a specific format if I am not mistaken (Please correct me if I am wrong).
The response needs to be json. Alan DeKok.
# The response format adds three optional fields: # - do_xlat If true, any values will be xlat expanded. Defaults to true. # - is_json If true, any nested JSON data will be copied to the attribute # in string form. Defaults to true. # - op Controls how the attribute is inserted into the target list. # Defaults to ':='. # { # "<attribute0>":{ # "is_json":<bool>, # "do_xlat":<bool>, # "op":"<operator>", # "value":[<value0>,<value1>,<valueN>] # }, # "<attribute1>":"value", # "<attributeN>":[<value0>,<value1>,<valueN>] # } This format cannot be received in the case Iam working on On Wed, 11 Aug 2021 at 19:48, Alan DeKok <aland@deployingradius.com> wrote:
On Aug 11, 2021, at 10:12 AM, Suneth Kariyawasam <sunethnk@gmail.com> wrote:
REST module works based on the HTTP response code and the response body needs to be in a specific format if I am not mistaken (Please correct me
if
I am wrong).
The response needs to be json.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
On Aug 11, 2021, at 10:24 AM, Suneth Kariyawasam <sunethnk@gmail.com> wrote:
This format cannot be received in the case Iam working on
OK. The FreeRADIUS API is large and complex. You can build the doxygen API docs via: cd doc/source make And then open "html/index.html" from that directory. Alan DeKok.
Let me go through thank you for your valuable time Alan, appreciate! On Wed, 11 Aug 2021 at 19:59, Alan DeKok <aland@deployingradius.com> wrote:
On Aug 11, 2021, at 10:24 AM, Suneth Kariyawasam <sunethnk@gmail.com> wrote:
This format cannot be received in the case Iam working on
OK.
The FreeRADIUS API is large and complex. You can build the doxygen API docs via:
cd doc/source make
And then open "html/index.html" from that directory.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
participants (2)
-
Alan DeKok -
Suneth Kariyawasam