I am using a passwd module to authorize users.
No, you are using passwd module to store passwords.
First passwd module checks
It doesn't check anything - it returns the password stored for that user.
cisco_users file (format = "*User-Name:Cleartext-Password") and then passwd module must check cisco_groups file (format = "~Cisco-Group:*,User-Name"). However when passwd module checks the cisco_user file, it returns status "ok" even when user password (in request packet) doesnt match with cisco_user file.
As it should. As I mentioned before: it doesn't check passwords.
So i am able to distinguish users only by their User-Name, but i need to check their passwords as well.
Why? pap module does that.
I cannot figure out how to write that in my authorize section.
Perhaps because that is not authorization but authentication.
Later, if username and password matches an entry in my cisco_user file i will call cisco_group file and find to which group that user belongs to assign the right services.
Well, freeradius does that before. You can actually reject the user during authoriyation and not go for authentication at all.
currently my code looks like this:
passwd cisco_user_module { #filename = /etc/group filename = /usr/local/etc/raddb/cisco_users #format = "=Etc-Group-Name:::*,User-Name" format = "*User-Name:Cleartext-Password" hashsize = 100 ignorenislike = yes allowmultiplekeys = yes delimiter = ":" }
authorize { cisco_user_module if(notfound){ update control{ Auth-Type := Reject } update reply{ Reply-Message := "Access denied, sorry!" } } elseif(ok){ cisco_group_module } }
Make that just: authorize { cisco_user_module cisco_group_module pap } and than in post-auth Post-Auth-Type REJECT { update reply { Reply-Message := "Access denied, sorry!" } } Ivan Kalik Kalik Informatika ISP