Johan Meiring wrote:
To sum up my understanding of how freeradius works.
authorise = select auth type authenticate = run the appropriate auth method
And post-auth: do any post-authentication processing.
Currently I do the following
authorise = set Auth-Type to perl authenticate = run my perl stuff i.e. check the password check the users cap add some reply items return RLM_MODULE_OK/REJECT
A friend of mine mentioned that I would not be able to handle CHAP, should I ever want to one day, as I am authenticating the password myself using perl.
Yes.
Now I am trying to achieve the following
authorise = leave auth type for Freeradius to decide set the cleartext password using perl
OK... a database would be better, but fine.
authenticate = leave Freeradius to do auth using PAP/CHAP check the cap using perl and possibly reject the user return RLM_MODULE_OK/REJECT
I basically want freeradius to do the PAP/CHAP stuff and AFTER that I want to do things like check the users CAP.
Use post-auth.
The reason I want to do this is because some of my custom checking (e.g. the CAP) can be hard on my sql database. I do not want to go to the trouble of a sql select through 10000's of accounting records, until I at least know the password is OK.
I therefore want to influence the authentication decision (using rlm_perl) AFTER freeradius has performed the PAP/CHAP/EAP authentication (and it was OK).
Does what I want to do make sense? Is this possible?
Yes, and yes. Alan DeKok.