EAP, Cleartext-Password & rlm_perl
Hi, I'm trying to get the cleartext-password so that I can authenticate PEAP users via sql using my schema and run the current checks etc that I do. Current config is like this peap { default_eap_type = gtc copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } gtc { auth_type = PAP } default_eap_type = peap authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } eap dot1x #Perl script } when I run radius in debug i see this ++[pap] returns noop rlm_perl: PERL USERNAME bob rlm_perl: PERL PASSWORD rlm_perl: Added pair User-Name = bob rlm_perl: Added pair EAP-Message = 0x0209003e1a0209003931530ee491420e92dc30f422120c9b847d0000000000000000ce9f9b75dd8a20d8099c9e4458d6e8ffcd192f39189c1ed900626f62 rlm_perl: Added pair EAP-Type = MS-CHAP-V2 rlm_perl: Added pair State = 0x644e622a654778ceff71975630b5ff5d rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1 rlm_perl: Added pair Cleartext-Password = hello rlm_perl: Added pair Auth-Type = EAP rlm_perl: Added pair Proxy-To-Realm = LOCAL So the perl script has access to "Cleartext-Password" thanks to GTC I think but I cant log it in perl. The script literally only does this currently &radiusd::radlog(1,"PERL USERNAME " . $RAD_REQUEST{'User-Name'}); &radiusd::radlog(1,"PERL PASSWORD " . $RAD_REQUEST{'Cleartext-Password'}); How can I get the Cleartext-Password in rlm_perl?
Thanks alan, thought so. just curious about this part though rlm_perl: PERL USERNAME bob rlm_perl: PERL USERNAME rlm_perl: Added pair User-Name = bob rlm_perl: Added pair EAP-Message = 0x0209003e1a0209003931530ee491420e92dc30f422120c9b847d0000000000000000ce9f9b75dd8a20d8099c9e4458d6e8ffcd192f39189c1ed900626f62 rlm_perl: Added pair EAP-Type = MS-CHAP-V2 rlm_perl: Added pair State = 0x644e622a654778ceff71975630b5ff5d rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1 *rlm_perl: Added pair Cleartext-Password = hello* rlm_perl: Added pair Auth-Type = EAP rlm_perl: Added pair Proxy-To-Realm = LOCAL The client password I enter is "hello". Is this because is read from "files" and that freeradius only knows about it after auth? On 23 May 2014 13:24, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
thats MSCHAPv2 - challenge response. not GTC. you are a slave to what the client can do, wants to do, is configured to do. if the client is configured to do PEAP/GTC then you'll have GTC
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 23/05/14 12:06, Ryan De Kock wrote:
So the perl script has access to "Cleartext-Password" thanks to GTC I think but I cant log it in perl. The script literally only does this currently
I think you have misunderstood how this all works. "Cleartext-Password" is a *control* item that you set, by lookup in files/ldap/sql. It isn't sent by the client. *If* the client is doing a plaintext EAP inner - EAP-TTLS/PAP or PEAP/GTC - then the password the clients sends will, in the right packet in the inner-tunnel, be in the "User-Password" attribute. And as Alan points out, EAP methods are decided by the client.
OK...Thanks my head feels better now. So then if I could just ask one more question. Am I able to use sql to authenticate users via eap? if so, is it possible to use a custom schema? I just wondering because if I don't know the password of the user, how can I authenticate it against sql? On 23 May 2014 13:34, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 23/05/14 12:06, Ryan De Kock wrote:
So the perl script has access to "Cleartext-Password" thanks to GTC I
think but I cant log it in perl. The script literally only does this currently
I think you have misunderstood how this all works.
"Cleartext-Password" is a *control* item that you set, by lookup in files/ldap/sql.
It isn't sent by the client.
*If* the client is doing a plaintext EAP inner - EAP-TTLS/PAP or PEAP/GTC - then the password the clients sends will, in the right packet in the inner-tunnel, be in the "User-Password" attribute.
And as Alan points out, EAP methods are decided by the client.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Ryan De Kock wrote:
So then if I could just ask one more question. Am I able to use sql to authenticate users via eap?
When the clear-text passwords are in SQL, yes.
if so, is it possible to use a custom schema?
Yes. But you will need to edit the queries.
I just wondering because if I don't know the password of the user, how can I authenticate it against sql?
You can't authenticate it by *any* method. Alan DeKok.
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Phil Mayers -
Ryan De Kock