On Fri, Sep 21, 2012 at 3:24 AM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
The ONLY thing you can do is *if* you are using EAP-TTLS/PAP on the clients and *then* you can use a script, as follows:
sites-enabled/inner-tunnel:
authorize { ... if (User-Password) { # this is a PAP request, pass to our script update control { Auth-Type := myscript
Since the OP's script (the one he posted last anyway) checks something like "if ($password == 'bar')", I assume he has passwords in clear text, so it might be possibe to use something like authorize { ... update control { Cleartext-Password := "%{exec:/path/to/the/script args}" } ... } ... and then let the default pap/chap module handle the authorization. Of course it depends on whether or not the passwords are available as cleartext/nt-hash, and the script needs to be modified to print the password instead of "Access-Accept" like it does currently. -- Fajar