hi, today i've written an python module for use with rlm_python and it works great for clear-text requests. but i dont know how to handle ntlm/mschap requests. my current config looks like this: authenticate { Auth-Type EAP { eap } Auth-Type MS-CHAP { otpme_ntlm } Auth-Type OTPme { otpme } } authorize { eap if (!control:Auth-Type) { update control { Auth-Type := OTPme } } } mschap otpme_ntlm { ntlm_auth = "/usr/local/bin/otpme-auth -l verify_ntlm '%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}' '%{%{otpme_ntlm:Challenge}:-00}' '%{%{otpme_ntlm:NT-Response}:-00}' '%{NAS-Identifier}' '%{Client-IP-Address}'" } python otpme { module = freeradius mod_instantiate = ${.module} func_instantiate = instantiate mod_detach = ${.module} func_detach = instantiate mod_authenticate = ${.module} func_authenticate = authenticate } any help is appreciated.... the2nd On 2015-01-18 15:55, Alan DeKok wrote:
On Jan 18, 2015, at 6:18 AM, the2nd@otpme.org wrote:
ok. my script returns "Accept" and "Reject" and it works without any problems. but is it okay to use it this way to authenticate users with an external script? are there any drawbacks using it this way and not using the script/exec module?
You’re putting passwords on the command-line, where everyone can see them. That’s not always a good idea. And it’s slow.
i also found some hints about rlm_python and as my script is written in python it may be a good idea using rlm_python. are there any benefits, beneath better performance, using rlm_python?
rlm_python will likely be faster than executing a separate script.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html