Authenticate to an external database
Hi If someone can help me I'll be very greatful. I have a router with coova-chilli and openwrt, a freeradius virtual server and i have a server with the users database. I need authenticate the users, im trying with the rlm_rest and eap_tls, im in the correct way ? My doubt is because freeradius server not know the users credentials. These ones are stored in an existing database in an external server. Every user need to install a CA ? Thank you.
On Jun 19, 2016, at 9:23 PM, Mauricio <mauri5000@hotmail.com> wrote:
I have a router with coova-chilli and openwrt, a freeradius virtual server and i have a server with the users database.
What kind of database? That matters.
I need authenticate the users, im trying with the rlm_rest and eap_tls, im in the correct way ?
EAP-TLS doesn't do password checking. So probably not. But the better question is what are you trying to do? You've hit on a solution "EAP-TLS + REST", but you haven't stated what the problem is.
My doubt is because freeradius server not know the users credentials. These ones are stored in an existing database in an external server.
The server knows how to check credentials against an external database. It's done this since 1999.
Every user need to install a CA ?
For EAP-TLS, yes. Alan DeKok.
El 20/06/16 a las 10:13, Alan DeKok escribió:
On Jun 19, 2016, at 9:23 PM, Mauricio <mauri5000@hotmail.com> wrote:
I have a router with coova-chilli and openwrt, a freeradius virtual server and i have a server with the users database. What kind of database? That matters. A postgress database of students from a college, that already has it own schema I need authenticate the users, im trying with the rlm_rest and eap_tls, im in the correct way ? EAP-TLS doesn't do password checking. So probably not.
But the better question is what are you trying to do? You've hit on a solution "EAP-TLS + REST", but you haven't stated what the problem is. The problem is that the database is located in an external server and is not a freeradius schema's database. i mean, in the database there is no table radcheck, etc.
My doubt is because freeradius server not know the users credentials. These ones are stored in an existing database in an external server. The server knows how to check credentials against an external database. It's done this since 1999. how ? Every user need to install a CA ? For EAP-TLS, yes.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jun 20, 2016, at 3:07 PM, Mauricio <mauri5000@hotmail.com> wrote:
A postgress database of students from a college, that already has it own schema
You can edit the SQL queries to use that schema. Can you: a) SELECT by user-name from the RADIUS packet? and b) get a password in some format? Yes: write a SELECT statement to do that: update control { Cleartext-Password := "%{select password from table where name=%{User-Name}" } Or, no: you can't get the password from the database, so what you want to do is impossible.
The problem is that the database is located in an external server and is not a freeradius schema's database. i mean, in the database there is no table radcheck, etc.
That's fine. But are you doing EAP-TLS? If so, there are no passwords in the RADIUS packets. So you can't check passwords against an external database. Alan DeKok.
El 20/06/16 a las 16:17, Alan DeKok escribió:
On Jun 20, 2016, at 3:07 PM, Mauricio <mauri5000@hotmail.com> wrote:
A postgress database of students from a college, that already has it own schema You can edit the SQL queries to use that schema.
Can you:
a) SELECT by user-name from the RADIUS packet? and
b) get a password in some format?
Yes: write a SELECT statement to do that: Yes i can, but not directly, i am using a web service that return the credentials and the http status code from the database server to freeradius server by rlm_rest.
update control { Cleartext-Password := "%{select password from table where name=%{User-Name}" }
Or, no: you can't get the password from the database, so what you want to do is impossible.
The problem is that the database is located in an external server and is not a freeradius schema's database. i mean, in the database there is no table radcheck, etc. That's fine.
But are you doing EAP-TLS? If so, there are no passwords in the RADIUS packets. So you can't check passwords against an external database.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Mauricio