Checking password and doing something else during authenticate...
Hi, Let me start off with that a have a perfectly working freeradius setup authenticating a bunch of hotspots (coova-chilli). Thanks freeradius!!! All is done using custom code in rlm_perl during authentication. I check the password I check the users cap I check a bunch of other stuff I accept or reject the user I am busy expanding services and can not figure out the following. To sum up my understanding of how freeradius works. authorise = select auth type authenticate = run the appropriate auth method Currently I do the following authorise = set Auth-Type to perl authenticate = run my perl stuff i.e. check the password check the users cap add some reply items return RLM_MODULE_OK/REJECT A friend of mine mentioned that I would not be able to handle CHAP, should I ever want to one day, as I am authenticating the password myself using perl. Now I am trying to achieve the following authorise = leave auth type for Freeradius to decide set the cleartext password using perl authenticate = leave Freeradius to do auth using PAP/CHAP check the cap using perl and possibly reject the user return RLM_MODULE_OK/REJECT I basically want freeradius to do the PAP/CHAP stuff and AFTER that I want to do things like check the users CAP. The reason I want to do this is because some of my custom checking (e.g. the CAP) can be hard on my sql database. I do not want to go to the trouble of a sql select through 10000's of accounting records, until I at least know the password is OK. I therefore want to influence the authentication decision (using rlm_perl) AFTER freeradius has performed the PAP/CHAP/EAP authentication (and it was OK). Does what I want to do make sense? Is this possible? Thanks! -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782
Johan Meiring wrote:
To sum up my understanding of how freeradius works.
authorise = select auth type authenticate = run the appropriate auth method
And post-auth: do any post-authentication processing.
Currently I do the following
authorise = set Auth-Type to perl authenticate = run my perl stuff i.e. check the password check the users cap add some reply items return RLM_MODULE_OK/REJECT
A friend of mine mentioned that I would not be able to handle CHAP, should I ever want to one day, as I am authenticating the password myself using perl.
Yes.
Now I am trying to achieve the following
authorise = leave auth type for Freeradius to decide set the cleartext password using perl
OK... a database would be better, but fine.
authenticate = leave Freeradius to do auth using PAP/CHAP check the cap using perl and possibly reject the user return RLM_MODULE_OK/REJECT
I basically want freeradius to do the PAP/CHAP stuff and AFTER that I want to do things like check the users CAP.
Use post-auth.
The reason I want to do this is because some of my custom checking (e.g. the CAP) can be hard on my sql database. I do not want to go to the trouble of a sql select through 10000's of accounting records, until I at least know the password is OK.
I therefore want to influence the authentication decision (using rlm_perl) AFTER freeradius has performed the PAP/CHAP/EAP authentication (and it was OK).
Does what I want to do make sense? Is this possible?
Yes, and yes. Alan DeKok.
Alan DeKok wrote:
Johan Meiring wrote:
To sum up my understanding of how freeradius works.
authorise = select auth type
OK... a database would be better, but fine.
I assume sql module in authorise.
I basically want freeradius to do the PAP/CHAP stuff and AFTER that I want to do things like check the users CAP.
Use post-auth.
I was under the impression that you cannot override the auth decision in post auth. I'm sure i've read it somewhere on the list. Obviously not...... Thanks! -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782
participants (2)
-
Alan DeKok -
Johan Meiring