On Feb 6, 2020, at 12:35 PM, Vertigo Vertigo <vertigo.altair@gmail.com> wrote:
I want to authorize users that connect to AP with my external script. Because I have multiple data source ( multiple Active Directory, another API etc.) and I want to make authorization by using these data sources as I want.
FreeRADIUS can do some pretty complex things with unlang. I'd really recommend using that.
That's why I'm using an external script to authorization. I updated /etc/raddb/sites-enabled/default's authorize section;
That's good. But...
When I run "radtest" with PAP method, everything is OK, I have "User-Name" and "User-Password" attributes, I'm able to authorize users etc. However, when I make tests with an AP with 802.1x EAP method, , there is no cleartext password (User-Password) and I cannot make authorization.
Exactly.
My question is how can I make authorization without "User-Password" attribute.
It's impossible.
As I said, I have cleartext passwords in my data sources, so I can hash them and compare with other hash that a client sent. How can I perform this operation with EAP, CHAP, MSCHAP etc. methods?
You will need to re-implement all of EAP, CHAP, and MS-CHAP in your data source. Or, treat the data source as a *database*. And have it supply the clear text password to FreeRADIUS. It will then do all of the necessary calculations. In short: FreeRADIUS is an authentication server, not a database. And a database isn't an authentication server. They do very different things. Alan DeKok.