Thanks so much for taking a look... See comments below: On Jan 18, 2013, at 3:04 PM, Alan DeKok <aland@deployingradius.com> wrote:
Joseph wrote:
What we would like to do is this:
Take this request:
User-Name = "6064191111@evdo.myawi.net" CHAP-Password = 0x59db2896a9629a7a1296e8e3dc7751da58 NAS-IP-Address = 10.130.2.1 CHAP-Challenge = 0x022074534be2e8405c867f676b46b432 3GPP2-Attr-60 = 0x00000001 3GPP2-Attr-61 = 0x0106000000010209a0000029275c41
That looks like a series of TLVs to me. i.e. not a password. There seems to be a 32-bit integer, followed by a 64-bit integer.
And instead of using chap to authenticate the user, we take the 3GPP2-Attr-61, convert it to the password we want, set it into the cleartext-password, and have the sql module query the DB for that new password.
I'm not sure what that means. "convert it to the password we want"?
Instead of using Chap which we are getting above, we want to use the "3GPP2-Attr-61 = 0x0106000000010209a0000029275c41" value which we can convert to the device serial number. In our DB we store the device serial number. The devices chap info most of them time might be tampered with or wrong. So we wanted our EXEC script to replace the chap user/pass with the new PAP user/password.
Here is the perl code that we run prior to the pap module:
$retattr .= "Cleartext-Password := $meid"; $retattr .= ", CHAP-Password :=\"\" , CHAP-Challenge :=\"\" "; $retattr .= ", Auth-Type := PAP ";
Well, that won't work.
The Cleartext-Password is the *known good* password. The PAP module needs a User-Password, too. The User-Password is the password as entered by the user.
Should we be setting Cleartext-Password and the User-Password?
If you're going to force authentication success, why not just set "Auth-Type := Accept"? That avoids all of the mangling of passwords (chap and pap)
We still want radius to run through the normal SQL process to verify that the above serial number is valid.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--regards, Joseph