Hi Peter, Thanks, that was the missing part for me - I think. Just let me verify that I got you correctly: 1. My OpenSER will send a request to FreeRadius including the full digest information. 2. Once the request in intercepted by FreeRadius, my rlm_perl will simply need to ask the TCP server for the password of the user. 3. Once that password had been retrieved, I'll simply set the RAD_REPLY{'Cleartext-ssword'} to the password that was retrieved from the TCP server. 4. Once the rlm_perl script returns with the OK setting, the rest will be handled by the digest module. Have I got it right this time? sorry for being a bit of a pain. Z2L ----- Original Message ----- From: "Peter Nixon" <listuser@peternixon.net> To: freeradius@zap2link.com, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Wednesday, July 25, 2007 5:05:02 PM (GMT+0200) Asia/Jerusalem Subject: Re: rml_perl question Several people have already told you this, but I am going to have another go at it. You want to do Digest Authentication. That great. FreeRADIUS knows how to do it. All you have to do is supply the Cleartext-Password. You tell us that you have some propriatary system which holds your passwords that you need to access over a TCP socket. Great. Feel free to do so. Basically you need to: a) Have the digest module enabled in the _authorize_ AND _authenticate_ sections of radiusd.conf b) Get the password from your backend using perl and return it to FreeRADIUS in the _authorize_ section as: PaCleartext-ssword := "yoursupersecretpassword" This is ALL you should have to do! Do not do anything else! Please. Just dont! Cheers Peter On Wed 25 Jul 2007, FreeRadius-ML wrote:
Ok,
What I'm trying to do is have FreeRadius perform its AAA functions again a PERL based backend, which reads the user information from a proprietary system - via a TCP interface.
The authorization section and the authenticate section both have PERL enabled in them.
(I removed the remarks for easier reading) - the first digest is commented, but right after perl there is another one. ---------- SNIP ------------ authorize { preprocess auth_log # attr_filter # chap # mschap # digest # IPASS # suffix # ntdomain # eap # files digest perl # sql # etc_smbpasswd # ldap # daily # checkval # pap } --------------------------- You are correct in regards to the authentication section (see below), I missed that one: --------- SNIP ------------ authenticate { # Auth-Type PAP { # # pap # # } # Auth-Type CHAP { # # chap # # } # Auth-Type MS-CHAP { # # mschap # # } # digest # pam unix # Auth-Type LDAP { # # ldap # # } # eap perl } ---------------------------
I may be going about it all wrong, which I'm not ruling out. If you have something specific to point me at, please do.
Regards, Z2L ----- Original Message ----- From: "A L M Buxey" <A.L.M.Buxey@lboro.ac.uk> To: freeradius@zap2link.com, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Wednesday, July 25, 2007 2:12:55 PM (GMT+0200) Asia/Jerusalem Subject: Re: rml_perl question
Hi,
you dont have perl enabled in the authorise section of your config...you dont have digest enabled in your authorise or authenticate sections either. what are you trying to acheive?
-- Peter Nixon http://peternixon.net/