non-standard authentication
I have a problem scenario where I need to be able to handle the authentication of users myself. I am looking into using either rlm_perl or (preferably) rlm_jradius to be able to write my own piece to do authentication. I believe this is possible with either module (please correct me if I'm wrong on that, it would stop me in my tracks). What I need to know is if when writing my own authenticator there is a terribly complicated process of requests and responses that I have to honor in order to make the supplicant happy, or if I can trivially accept or reject based on the parameters of my business problem. As a test case, I wrote a Java class for rlm_jradius that just replaced reject packets with accept packets, to see if it would work. I found that if I hooked into it at the 'post_auth' stage it didn't matter what my reply was, freeRadius remembered that auth had failed and stripped all the attributes from the response packet. That was long winded, here is a summary of my questions. Can I write my own piece to do authentication? Where in the freeRadius process do I list that listener? Is there a series of requests and responses that I have to honor? -Travis
I'm CERTAINLY no expert in this, but I can hopefully point you in the right direction. There is some doc within the FR install (and the Wiki I think) about writing your own "modules" - I think this is what you want. Although, I think you can do pretty much anything with rlm_perl and unlang, but nonetheless - yes, you can write your own auth module. I don't thik it would be a separate "listener", but just another module FR uses to auth RADIUS requests. Ie: instead of FR using RLM_LDAP, EAP, unix, ntlm_auth, etc. - it would use "Travis_Auth". Not sure if that helps. If you can't find doc on "modules" LMK and I'll see if I can track it down for you. From what I remember it's not rocket science, but not trivial either. G ________________________________ From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Travis Dimmig Sent: Wednesday, February 23, 2011 2:56 PM To: FreeRadius users mailing list Subject: non-standard authentication I have a problem scenario where I need to be able to handle the authentication of users myself. I am looking into using either rlm_perl or (preferably) rlm_jradius to be able to write my own piece to do authentication. I believe this is possible with either module (please correct me if I'm wrong on that, it would stop me in my tracks). What I need to know is if when writing my own authenticator there is a terribly complicated process of requests and responses that I have to honor in order to make the supplicant happy, or if I can trivially accept or reject based on the parameters of my business problem. As a test case, I wrote a Java class for rlm_jradius that just replaced reject packets with accept packets, to see if it would work. I found that if I hooked into it at the 'post_auth' stage it didn't matter what my reply was, freeRadius remembered that auth had failed and stripped all the attributes from the response packet. That was long winded, here is a summary of my questions. Can I write my own piece to do authentication? Where in the freeRadius process do I list that listener? Is there a series of requests and responses that I have to honor? -Travis <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
I mixed up some terms between freeRadius and JRadius (my first attempt to accomplish this used rlm_jradius). The term 'listener' is specific to what I was trying to accomplish with JRadius. I also neglected to mention the important fact that I need to accomplish authentication specifically for WPA2, but without using ntlm_auth etc. I basically want the ability to say "yes" or "no" to a WPA2 user based on rules that I define, hence my looking at rlm_perl and rlm_jradius, both let me write something of my own. However, to use either of those with WPA2, I imagine I have to follow the 4-way handshake properly, or the supplicant will bark? I realize that this is stepping a bit outside the realm of just freeRadius, but if anyone has information it would be extremely helpful. -Travis From: freeradius-users-bounces+tdimmig=impulse.com@lists.freeradius.org [mailto:freeradius-users-bounces+tdimmig=impulse.com@lists.freeradius.org] On Behalf Of Gary Gatten Sent: Wednesday, February 23, 2011 3:24 PM To: 'FreeRadius users mailing list' Subject: RE: non-standard authentication I'm CERTAINLY no expert in this, but I can hopefully point you in the right direction. There is some doc within the FR install (and the Wiki I think) about writing your own "modules" - I think this is what you want. Although, I think you can do pretty much anything with rlm_perl and unlang, but nonetheless - yes, you can write your own auth module. I don't thik it would be a separate "listener", but just another module FR uses to auth RADIUS requests. Ie: instead of FR using RLM_LDAP, EAP, unix, ntlm_auth, etc. - it would use "Travis_Auth". Not sure if that helps. If you can't find doc on "modules" LMK and I'll see if I can track it down for you. From what I remember it's not rocket science, but not trivial either. G ________________________________________ From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Travis Dimmig Sent: Wednesday, February 23, 2011 2:56 PM To: FreeRadius users mailing list Subject: non-standard authentication I have a problem scenario where I need to be able to handle the authentication of users myself. I am looking into using either rlm_perl or (preferably) rlm_jradius to be able to write my own piece to do authentication. I believe this is possible with either module (please correct me if I'm wrong on that, it would stop me in my tracks). What I need to know is if when writing my own authenticator there is a terribly complicated process of requests and responses that I have to honor in order to make the supplicant happy, or if I can trivially accept or reject based on the parameters of my business problem. As a test case, I wrote a Java class for rlm_jradius that just replaced reject packets with accept packets, to see if it would work. I found that if I hooked into it at the 'post_auth' stage it didn't matter what my reply was, freeRadius remembered that auth had failed and stripped all the attributes from the response packet. That was long winded, here is a summary of my questions. Can I write my own piece to do authentication? Where in the freeRadius process do I list that listener? Is there a series of requests and responses that I have to honor? -Travis "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." ________________________________________ No virus found in this message. Checked by AVG - www.avg.com Version: 10.0.1204 / Virus Database: 1435/3463 - Release Date: 02/23/11
Again, no expert here, but as I understand it you simply "plugin" your auth process/module (Travis_Auth) to an existing FR Auth method. Travis_Auth does whatever logic you wish and returns Accept, Reject, OK, whatever - I'm not sure what the return option are or NEED to be. In your case I THINK you'd mess with the eap.conf and / or inner-tunnel. Those are setup to handle anything that uses EAP stuff, which I assume your WPA2 gear will use? We use the "WPA2-Enterprise" for our Aruba wireless, and it uses NTLM_AUTH as the backend auth method. Works good so far. Some day I'll get it integrated with LDAP for DVLANs, HOPEFULLY.... G -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Travis Dimmig Sent: Wednesday, February 23, 2011 4:49 PM To: FreeRadius users mailing list Subject: RE: non-standard authentication I mixed up some terms between freeRadius and JRadius (my first attempt to accomplish this used rlm_jradius). The term 'listener' is specific to what I was trying to accomplish with JRadius. I also neglected to mention the important fact that I need to accomplish authentication specifically for WPA2, but without using ntlm_auth etc. I basically want the ability to say "yes" or "no" to a WPA2 user based on rules that I define, hence my looking at rlm_perl and rlm_jradius, both let me write something of my own. However, to use either of those with WPA2, I imagine I have to follow the 4-way handshake properly, or the supplicant will bark? I realize that this is stepping a bit outside the realm of just freeRadius, but if anyone has information it would be extremely helpful. -Travis From: freeradius-users-bounces+tdimmig=impulse.com@lists.freeradius.org [mailto:freeradius-users-bounces+tdimmig=impulse.com@lists.freeradius.org] On Behalf Of Gary Gatten Sent: Wednesday, February 23, 2011 3:24 PM To: 'FreeRadius users mailing list' Subject: RE: non-standard authentication I'm CERTAINLY no expert in this, but I can hopefully point you in the right direction. There is some doc within the FR install (and the Wiki I think) about writing your own "modules" - I think this is what you want. Although, I think you can do pretty much anything with rlm_perl and unlang, but nonetheless - yes, you can write your own auth module. I don't thik it would be a separate "listener", but just another module FR uses to auth RADIUS requests. Ie: instead of FR using RLM_LDAP, EAP, unix, ntlm_auth, etc. - it would use "Travis_Auth". Not sure if that helps. If you can't find doc on "modules" LMK and I'll see if I can track it down for you. From what I remember it's not rocket science, but not trivial either. G ________________________________________ From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Travis Dimmig Sent: Wednesday, February 23, 2011 2:56 PM To: FreeRadius users mailing list Subject: non-standard authentication I have a problem scenario where I need to be able to handle the authentication of users myself. I am looking into using either rlm_perl or (preferably) rlm_jradius to be able to write my own piece to do authentication. I believe this is possible with either module (please correct me if I'm wrong on that, it would stop me in my tracks). What I need to know is if when writing my own authenticator there is a terribly complicated process of requests and responses that I have to honor in order to make the supplicant happy, or if I can trivially accept or reject based on the parameters of my business problem. As a test case, I wrote a Java class for rlm_jradius that just replaced reject packets with accept packets, to see if it would work. I found that if I hooked into it at the 'post_auth' stage it didn't matter what my reply was, freeRadius remembered that auth had failed and stripped all the attributes from the response packet. That was long winded, here is a summary of my questions. Can I write my own piece to do authentication? Where in the freeRadius process do I list that listener? Is there a series of requests and responses that I have to honor? -Travis "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." ________________________________________ No virus found in this message. Checked by AVG - www.avg.com Version: 10.0.1204 / Virus Database: 1435/3463 - Release Date: 02/23/11 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Travis Dimmig <tdimmig@impulse.com> wrote:
I mixed up some terms between freeRadius and JRadius (my first attempt to accomplish this used rlm_jradius). The term 'listener' is specific to what I was trying to accomplish with JRadius. I also neglected to mention the important fact that I need to accomplish authentication specifically for WPA2, but without using ntlm_auth etc. I basically want the ability to say "yes" or "no" to a WPA2 user based on rules that I define, hence my looking at rlm_perl and rlm_jradius, both let me write something of my own.
Please stop faffing around and 'planning' and just sit down and write some code! :) If you run into a problem with your code, and cannot workout what is wrong from the examples below, then email the list (with the source code). If you are not doing challenge authentication (complicated schemes such as OTP or CHAP for example) then writing an external helper authenticator is *very* easy. You generally just read 'User-Password' and any other attributes you are interested in, then you return 'reject' or 'ok'. You can use shell, perl, python.... https://github.com/alandekok/freeradius-server/blob/v2.1.x/scripts/exec-prog... https://github.com/alandekok/freeradius-server/blob/v2.1.x/src/modules/rlm_p... https://github.com/alandekok/freeradius-server/blob/v2.1.x/src/modules/rlm_p... To be honest, you have given no hints about what this 'external auth' system is that you have to write your own code for, but the complete lack of detail is hinting to me you could just use the existing unlang/ldap/sql/etc framework already in FreeRADIUS?
However, to use either of those with WPA2, I imagine I have to follow the 4-way handshake properly, or the supplicant will bark?
'WPA' is a wireless system, not a RADIUS system. FreeRADIUS does not see anything to do with 'WPA', with 'WPA Enterprise' is might play with some EAP packets (which typically is just the equivalent of 'openssl s_server ...') but this has nothing to do with 'WPA'. If you are doing WPA Enterprise, then just put your module in the inner EAP layer as Alan has already suggested. ...please just write come code and stop with the hand waving :) Cheers -- Alexander Clouter .sigmonster says: BOFH excuse #266: All of the packets are empty.
Travis Dimmig wrote:
I have a problem scenario where I need to be able to handle the authentication of users myself. I am looking into using either rlm_perl or (preferably) rlm_jradius to be able to write my own piece to do authentication.
Or just an external program.
I believe this is possible with either module (please correct me if I’m wrong on that, it would stop me in my tracks). What I need to know is if when writing my own authenticator there is a terribly complicated process of requests and responses that I have to honor in order to make the supplicant happy,
No. Just use your program in the "inner-tunnel" virtual server. FreeRADIUS takes care of all of the EAP requests and responses.
As a test case, I wrote a Java class for rlm_jradius that just replaced reject packets with accept packets, to see if it would work.
It won't work. A reject is a reject.
That was long winded, here is a summary of my questions. Can I write my own piece to do authentication?
You can write your own code to check names && passwords, yes.
Where in the freeRadius process do I list that listener?
In the "authenticate" section. See the examples on deployingradius.com related to Active Directory. There's an example of using the "exec" module. Follow that for your program.
Is there a series of requests and responses that I have to honor?
No. Alan DeKok.
participants (4)
-
Alan DeKok -
Alexander Clouter -
Gary Gatten -
Travis Dimmig