Phil Meech wrote:
I'm running version 1.18 currently on Ubuntu 2.6.24-19-server;
There is no version 1.18, and no version 1.1.8, either.
configured to use MYSQL for all auth and accounting requests. I have been asked to move the password verification away from MySQL and use an external username/password DB (managed by another company), for which my only method of access is an http API (given a username and password the API returns either 1 or 0).
That's horrible. And it won't work for most EAP types.
All attributes will still be held in the current MySQL freeradius DB; and all the users that exist in the API DB will also exist in the same current MySQL DB. The password is passed as PAP through to freeradius currently from the NAS devices, and the API also expects a plaintext password.
If all you're doing is PAP, it's ugly, but perhaps functional.
I was thinking I could use the perl module to achieve this; but am a little lost with where to start (writing the perl script is fine). I guess the point of my post is how to keep all the attributes in MySQL and only offload the password to the API; and where this change would fit in to the radiusd.conf file?
Write a Perl script to do the authentication from the command line. Hard-code the username/password in the script to start. Once it works, change the username && password to use $RAD_REQUEST{'User-Name'}, and ${RAD_REQUEST{'User-Password'}. Then, configure the Perl module to use your script, and have the "check http" function be called from the authenticate hook. Alan DeKok.