Hello, I'm wondering if I could get help, or find documentation(even just a draft) on setting up Oauth2 on a freeradius server(omniauth?). I'm looking to use my google apps domain user database, to manage users, and control access through an Untangle captive portal, which is already setup(then probably drop the portal and do EAP, though I'll play to see if I can start with EAP). Also if I'm on the completely wrong/old track, I'm no too worried about changing the plan now. Thanks for the time/sorry for not lurking more before posting, Jesse
On 24/02/12 15:43, Jesse Crayston wrote:
Hello,
I'm wondering if I could get help, or find documentation(even just a draft) on setting up Oauth2 on a freeradius server(omniauth?). I'm looking to use my google apps domain user database, to manage users, and control access through an Untangle captive portal, which is already setup(then probably drop the portal and do EAP, though I'll play to see if I can start with EAP).
Also if I'm on the completely wrong/old track, I'm no too worried about changing the plan now.
It sounds like you're on the wrong track; none of the bits and pieces you've mentioned "fit together". Can you explain in more detail what you're trying to accomplish?
Trying to get my users to have the same password on a radius server, as they do on the google apps domain. On Feb 24, 2012 8:45 AM, "Phil Mayers" <p.mayers@imperial.ac.uk> wrote:
On 24/02/12 15:43, Jesse Crayston wrote:
Hello,
I'm wondering if I could get help, or find documentation(even just a draft) on setting up Oauth2 on a freeradius server(omniauth?). I'm looking to use my google apps domain user database, to manage users, and control access through an Untangle captive portal, which is already setup(then probably drop the portal and do EAP, though I'll play to see if I can start with EAP).
Also if I'm on the completely wrong/old track, I'm no too worried about changing the plan now.
It sounds like you're on the wrong track; none of the bits and pieces you've mentioned "fit together".
Can you explain in more detail what you're trying to accomplish? - List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
On 02/24/2012 05:10 PM, Jesse Crayston wrote:
Trying to get my users to have the same password on a radius server, as they do on the google apps domain.
That might be tricky. Since you can't read the passwords from an apps domain, the only thing you could possibly do is use it as an "oracle" i.e. send it a username/password string, and get a yes/no reply. This limits you to RADIUS methods that send a username/password - PAP, or EAP-TTLS/PAP. If you want to do 802.1x, you need an EAP method, which means EAP-TTLS/PAP, and this is not supported using the default windows supplicant. If you do web-auth (captive portal) then you can do PAP. You will need to consult the docs for your captive portal for more info on that. See here: http://deployingradius.com/documents/protocols/oracles.html ...and for more info, here: http://deployingradius.com/documents/protocols/compatibility.html Assuming a PAP-based method works for you; there is no built-in support for using an OAuth IdP as an oracle. You would need to write a script and call it from FreeRADIUS, either via rlm_exec or inline as a perl/python script using rlm_perl/rlm_python. Broadly, it would look something like this: authorize { ... pap } authentication { Auth-Type PAP { my_script } } "my_script" might be an instance of rlm_exec, e.g. in raddb/modules/my_script: exec my_script { wait = yes input_pairs = request program = "/path/to/script %{User-Name} %{User-Password}" } ...and the script might be something like: #!/bin/sh USERNAME="$1" PASSWORD="$2" /do/outh_to_google $USERNAME $PASSWORD if [ $? -eq 0 ] then # auth success - return 0 exit 0 else # auth failure - return 1 exit 1 fi See the example modules in raddb/echo and raddb/exec for more info on what external scripts can do and the return codes. Cheers, Phil
participants (2)
-
Jesse Crayston -
Phil Mayers