RE: Fw: authorize and authenticate methods ina custom module
Thanks a lot Alan, I would like to explain what I am trying to develop. If someone has any advise, please tell me. This is my scenario: Until now, we have a RADIUS server (RADIUS PSI) which only receives Access-Request packets. Also we have a CGI application located in the URL http://X.Y.Z.W:8080/nucleo This application receives a set of parameters as an URL encoded string (all characters that are not a-z, A-Z or 0-9 are converted to their "URL escaped" version) with this form: Attribute1=Value1&Attribute2=Value2... (where Attribute1, Attribute2... and Value1,Value2... are the differents Attribute/Value pairs obtained from the Access-Request packet) The CGI application consults a remote database (and normally authenticate the user using the telephone number; although there are other variants). According to the response obtained from the remote resource, the RADIUS server adds differents Attribute/Value pairs to the reply list, and always reply with an Access-Accept packet (whether or not the CGI application authenticate the user successfully) Now, we want to change to a FreeRadius server. I only want to call the remote resource (using the libcurl library) passing it the appropiates parameters and collect the information returned by it in order to create the reply list. As the CGI application performs the authorize and authenticate activities I am a little embarrassed to say that I am not sure which function should I implement (authorize or authenticate). Thank you very much in advance Best wishes, Susana ----- Original Message ----- From: "Alan DeKok" To: "FreeRadius users mailing list" Sent: Tuesday, January 03, 2006 4:31 PM Subject: Re: authorize and authenticate methods ina custom module
Susana Macias wrote:
I have started working with the RADIUS protocol (and with FreeRadius in particular) three weeks ago. Congratulations for the product, it is really powerful!
Thanks.
But, when are the authorize() and authenticate() methods called?
When a packet comes in. See doc/aaa.txt
Is it necessary to include in the radiusd.conf the name of the instance (of the new module created) in the authorize section in order to call its authorize() method?
Yes.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--------------------------------- Correo Yahoo! Comprueba qué es nuevo, aquí http://correo.yahoo.es
I've done something like this. You should write a custom script for the authorization section, put something like this in radiusd.conf modules { ..... exec myscript { program = "/path/to/myscript %{User-Name}" wait = yes input_pairs = request output_pairs = config packet_type = Access-Accept } ..... } authorize { ..... pap chap myscript ...... } Assuming it's a shell script, it has do this: - retrieve the parameters of the Access-Request. User-Name is passed as an argument, other attributes can be access from the environment variables or passed as addition myscript arguments - then call the cgi with the approriate parameters using curl - if the user exists, the cgi should return the Password XXXXXX to myscript (I'm assuming PAP/CHAP is used for authentication) - then myscript will write Password ="XXXXX" to stdout (it will make a config attribute for freeradius) and then exit(0) - if the cgi says that the user does not exits. Exit(0) without writing anything to stdout. This way other authorization modules may try to find the user. If the user really does not exist anywhere, the access-reject will be decided during PAP/CHAP authentication. (a user with no password = > reject) Yannick Deltroo On 1/5/06, Susana Macias <susana_macias12@yahoo.es> wrote:
Thanks a lot Alan,
I would like to explain what I am trying to develop. If someone has any advise, please tell me. This is my scenario:
Until now, we have a RADIUS server (RADIUS PSI) which only receives Access-Request packets.
Also we have a CGI application located in the URL http://X.Y.Z.W:8080/nucleo This application receives a set of parameters as an URL encoded string (all characters that are not a-z, A-Z or 0-9 are converted to their "URL escaped" version) with this form: Attribute1=Value1&Attribute2=Value2... (where Attribute1, Attribute2... and Value1,Value2... are the differents Attribute/Value pairs obtained from the Access-Request packet) The CGI application consults a remote database (and normally authenticate the user using the telephone number; although there are other variants).
According to the response obtained from the remote resource, the RADIUS server adds differents Attribute/Value pairs to the reply list, and always reply with an Access-Accept packet (whether or not the CGI application authenticate the user successfully)
Now, we want to change to a FreeRadius server.
I only want to call the remote resource (using th! e libcurl library) passing it the appropiates parameters and collect the information returned by it in order to create the reply list. As the CGI application performs the authorize and authenticate activities I am a little embarrassed to say that I am not sure which function should I implement (authorize or authenticate).
Thank you very much in advance
Best wishes, Susana
----- Original Message ----- From: "Alan DeKok" To: "FreeRadius users mailing list" Sent: Tuesday, January 03, 2006 4:31 PM Subject: Re: authorize and authenticate methods ina custom module
Susana Macias wrote:
I have started working with the RADIUS protocol (and with FreeRadius in particular) three weeks ago. Congratulations for the product, it is really powerful!
Thanks.
But, when are the authorize() and authenticate() methods called?
When a packet comes in. See doc/aaa.txt
Is it necessary to include in the radiusd.conf the name of the instance (of the new module created) in the authorize section in order to call its authorize() method?
Yes.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
________________________________
Correo Yahoo! Comprueba qué es nuevo, aquí http://correo.yahoo.es
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Susana Macias -
Yannick Deltroo