On 11/24/2012 08:40 PM, Hoggins! wrote:
I don't know if I understand the process correctly : as far as I understand, an authentication request is handled successively by the listed modules in the authorize {} section, right ?
So, now that I figured that I have to use PAP as phase2, I can have the cleartext password. But I don't know how I can provide it to the PAP module : it complains that no "known good" password had been found for the user.
What should my executed program return to say that the user is granted access ?
It sounds like you're still a bit confused about what the *client* sends, versus what the *server* knows. In your original email, you said you were doing 802.1x against a wi-fi point, using certificates and credentials. However, you *didn't* specify what EAP methods your clients are using. In RADIUS, the *client* chooses the authentication method, and the authentication method defines: 1. What the client sends 2. What the server needs to know What EAP method(s) are you using? See this URL for more info: http://deployingradius.com/documents/protocols/compatibility.html And more specifically: http://deployingradius.com/documents/protocols/oracles.html If you are using an "exec" script, you are using an "oracle". It can only authenticate a user based on what the *client* sends, and unless you are using a PAP-based method on the client, the client doesn't send a password. What you want might be impossible. Regards, Phil