Offloading password verification
Hi All, I'm running version 1.18 currently on Ubuntu 2.6.24-19-server; configured to use MYSQL for all auth and accounting requests. I have been asked to move the password verification away from MySQL and use an external username/password DB (managed by another company), for which my only method of access is an http API (given a username and password the API returns either 1 or 0). All attributes will still be held in the current MySQL freeradius DB; and all the users that exist in the API DB will also exist in the same current MySQL DB. The password is passed as PAP through to freeradius currently from the NAS devices, and the API also expects a plaintext password. I was thinking I could use the perl module to achieve this; but am a little lost with where to start (writing the perl script is fine). I guess the point of my post is how to keep all the attributes in MySQL and only offload the password to the API; and where this change would fit in to the radiusd.conf file? Any advice would be gratefully received. Many Thanks, Phil
I was thinking I could use the perl module to achieve this; but am a little lost with where to start (writing the perl script is fine).
Just pass $RAD_REQUEST User-Name and User-Password to the API and set Auth-Type to Accept or Reject according to the reply from it.
I guess the point of my post is how to keep all the attributes in MySQL and only offload the password to the API
Just remove the password from the database and lave rest as it is. You can list perl in authorize or make Auth-Type perl and than force it. Listing in authorize gives you more options if something goes wrong with remote authentication. Ivan Kalik Kalik Informatika ISP
Phil Meech wrote:
I'm running version 1.18 currently on Ubuntu 2.6.24-19-server;
There is no version 1.18, and no version 1.1.8, either.
configured to use MYSQL for all auth and accounting requests. I have been asked to move the password verification away from MySQL and use an external username/password DB (managed by another company), for which my only method of access is an http API (given a username and password the API returns either 1 or 0).
That's horrible. And it won't work for most EAP types.
All attributes will still be held in the current MySQL freeradius DB; and all the users that exist in the API DB will also exist in the same current MySQL DB. The password is passed as PAP through to freeradius currently from the NAS devices, and the API also expects a plaintext password.
If all you're doing is PAP, it's ugly, but perhaps functional.
I was thinking I could use the perl module to achieve this; but am a little lost with where to start (writing the perl script is fine). I guess the point of my post is how to keep all the attributes in MySQL and only offload the password to the API; and where this change would fit in to the radiusd.conf file?
Write a Perl script to do the authentication from the command line. Hard-code the username/password in the script to start. Once it works, change the username && password to use $RAD_REQUEST{'User-Name'}, and ${RAD_REQUEST{'User-Password'}. Then, configure the Perl module to use your script, and have the "check http" function be called from the authenticate hook. Alan DeKok.
participants (3)
-
Alan DeKok -
Ivan Kalik -
Phil Meech