A question about rlm modules
Hello all I have written an rlm_module. It works fine. Here, we have clients which should be authenticated using CHAP passwords. In the radiusd.conf, I have mentioned my module before the CHAP module in the authentication section. Also, I have found that my module should populate the request->config_items field of the request with the clear text password so that the CHAP module can process the request. I have added the required code to do so, but the CHAP module complains about the size of the password. I want to know, is there something that I have missed? By the way, is the concept right at all? Thanks in advance. Regards Ali Majdzadeh
Ali Majdzadeh wrote:> I have written an rlm_module. It works fine. Here, we have clients which
should be authenticated using CHAP passwords. In the radiusd.conf, I have mentioned my module before the CHAP module in the authentication section. Also, I have found that my module should populate the request->config_items field of the request with the clear text password so that the CHAP module can process the request. I have added the required code to do so, but the CHAP module complains about the size of the password.
Would it be possible to post the error message? Are you sure that your code correctly creates the clear-text password? Alan DeKok.
Hello Alan Yes, I am sure that the code works correctly, because the CHAP module accepts the clear text password which I have provided in the request->config_items. Below is my code for the authorize section of the module: static int netbill_authorize (void *instance, REQUEST *request) { VALUE_PAIR *password; VALUE_PAIR *clear_text_password; instance = instance; request = request; clear_text_password = pairmake ("User-Password", "123456", T_OP_EQ); pairadd (&request->config_items, clear_text_password); return RLM_MODULE_OK; } And this is the server's log: Thu Oct 25 13:18:42 2007 : Debug: modcall: entering group CHAP for request 1 Thu Oct 25 13:18:42 2007 : Debug: modsingle[authenticate]: calling chap (rlm_chap) for request 1 Thu Oct 25 13:18:42 2007 : Debug: rlm_chap: login attempt by "ali" with CHAP password Thu Oct 25 13:18:42 2007 : Debug: rlm_chap: Using clear text password "123456" for user ali authentication. Thu Oct 25 13:18:42 2007 : Debug: rlm_chap: Password check failed Thu Oct 25 13:18:42 2007 : Debug: modsingle[authenticate]: returned from chap (rlm_chap) for request 1 Thu Oct 25 13:18:42 2007 : Debug: modcall[authenticate]: module "chap" returns reject for request 1 Thu Oct 25 13:18:42 2007 : Debug: modcall: leaving group CHAP (returns reject) for request 1 Thu Oct 25 13:18:42 2007 : Debug: auth: Failed to validate the user. Thanks in advance. 2007/10/25, Alan DeKok <aland@deployingradius.com>:
Ali Majdzadeh wrote:> I have written an rlm_module. It works fine. Here, we have clients which
should be authenticated using CHAP passwords. In the radiusd.conf, I have mentioned my module before the CHAP module in the authentication section. Also, I have found that my module should populate the request->config_items field of the request with the clear text password so that the CHAP module can process the request. I have added the required code to do so, but the CHAP module complains about the size of the password.
Would it be possible to post the error message? Are you sure that your code correctly creates the clear-text password?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ali Majdzadeh wrote:
Hello Alan Yes, I am sure that the code works correctly, because the CHAP module accepts the clear text password which I have provided in the request->config_items. Below is my code for the authorize section of the module:
That looks OK.
Thu Oct 25 13:18:42 2007 : Debug: rlm_chap: Using clear text password "123456" for user ali authentication. Thu Oct 25 13:18:42 2007 : Debug: rlm_chap: Password check failed
The password doesn't match what the user entered. There isn't much that can go wrong here. Alan DeKok.
Hello Alan Thanks for your reply. Would you please tell me whether the scenario is correct or not? 1) We obtain the clear text password in the authorization section of our module. 2) We populate the request->config_items with the clear text password. 3) The CHAP module authenticates the user using the supplied clear text password. Best Regards Ali Majdzadeh 2007/10/25, Alan DeKok <aland@deployingradius.com>:
Ali Majdzadeh wrote:
Hello Alan Yes, I am sure that the code works correctly, because the CHAP module accepts the clear text password which I have provided in the request->config_items. Below is my code for the authorize section of the module:
That looks OK.
Thu Oct 25 13:18:42 2007 : Debug: rlm_chap: Using clear text password "123456" for user ali authentication. Thu Oct 25 13:18:42 2007 : Debug: rlm_chap: Password check failed
The password doesn't match what the user entered. There isn't much that can go wrong here.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ali Majdzadeh wrote:
Would you please tell me whether the scenario is correct or not? 1) We obtain the clear text password in the authorization section of our module. 2) We populate the request->config_items with the clear text password. 3) The CHAP module authenticates the user using the supplied clear text password.
Yes. But the clear text password you populate is NOT the same as the password entered by the user. So authentication fails. Alan DeKok.
participants (2)
-
Alan DeKok -
Ali Majdzadeh