We are currently using FreeRADIUS 1.1.2 since a lot of months (with a custom module to retrieve and record data from/to our database and perform custom things). Now we have to check every authentication against TWO different passwords (it's OK if ONE is matched). Something like setting two different and alternative "User-Password" attributes... Is there some way to achieve it? Thanks. -- ___________________________________________________ __ |- giannici@neomedia.it |ederico Giannici http://www.neomedia.it ___________________________________________________
Federico Giannici wrote:
Now we have to check every authentication against TWO different passwords (it's OK if ONE is matched). Something like setting two different and alternative "User-Password" attributes...
Sort of. See doc/configurable_failover. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok wrote:
Federico Giannici wrote:
Now we have to check every authentication against TWO different passwords (it's OK if ONE is matched). Something like setting two different and alternative "User-Password" attributes...
Sort of. See doc/configurable_failover.
I read it, but I'm a little confused... How can I use it to make the AUTHENTICATE sections to be tried a SECOND time (with a different Cleartext-Password set by an authorization module), if the first time the authentication failed? Thanks. -- ___________________________________________________ __ |- giannici@neomedia.it |ederico Giannici http://www.neomedia.it ___________________________________________________
if all else fails, try using rlm_perl to do the authentication (or maybe, compare the password against both elements in the database, then 'rewrite' it as the first if it matches, so rlm_sql recognises it properly. This, of course, is a bit of a hack (but if it works every time and is less complex than a failover implementation, is it bad?). Jan On 03/02/07, Federico Giannici <giannici@neomedia.it> wrote:
Alan DeKok wrote:
Federico Giannici wrote:
Now we have to check every authentication against TWO different passwords (it's OK if ONE is matched). Something like setting two different and alternative "User-Password" attributes...
Sort of. See doc/configurable_failover.
I read it, but I'm a little confused...
How can I use it to make the AUTHENTICATE sections to be tried a SECOND time (with a different Cleartext-Password set by an authorization module), if the first time the authentication failed?
Thanks.
-- ___________________________________________________ __ |- giannici@neomedia.it |ederico Giannici http://www.neomedia.it ___________________________________________________ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jan Mulders wrote:
if all else fails, try using rlm_perl to do the authentication (or maybe, compare the password against both elements in the database, then 'rewrite' it as the first if it matches, so rlm_sql recognises it properly. This, of course, is a bit of a hack (but if it works every time and is less complex than a failover implementation, is it bad?).
Well... this is a little more than "a bit of a hack". It will work with clear-text authentication mechanisms only... Bye.
On 03/02/07, *Federico Giannici* <giannici@neomedia.it <mailto:giannici@neomedia.it>> wrote:
Alan DeKok wrote: > Federico Giannici wrote: >> Now we have to check every authentication against TWO different >> passwords (it's OK if ONE is matched). Something like setting two >> different and alternative "User-Password" attributes... > > Sort of. See doc/configurable_failover.
I read it, but I'm a little confused...
How can I use it to make the AUTHENTICATE sections to be tried a SECOND time (with a different Cleartext-Password set by an authorization module), if the first time the authentication failed?
Thanks.
-- ___________________________________________________ __ |- giannici@neomedia.it <mailto:giannici@neomedia.it> |ederico Giannici http://www.neomedia.it ___________________________________________________ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ___________________________________________________ __ |- giannici@neomedia.it |ederico Giannici http://www.neomedia.it Presidente del CDA - Neomedia S.r.l. ___________________________________________________
Federico Giannici wrote:
Alan DeKok wrote:
Federico Giannici wrote:
Now we have to check every authentication against TWO different passwords (it's OK if ONE is matched). Something like setting two different and alternative "User-Password" attributes... Sort of. See doc/configurable_failover.
I read it, but I'm a little confused...
How can I use it to make the AUTHENTICATE sections to be tried a SECOND time (with a different Cleartext-Password set by an authorization module), if the first time the authentication failed?
OK, I think I understood how to implement it by means of group{}: if the pap/chap/etc authentication fails then I have to call the authentication routine of my module to change the "Cleartext-Password" and then call the pap/chap/etc authentication again. I'm I right? But the following sentence of "doc/configurable_failover" perplexes me: "authenticate{...}" itself is not a GROUP, even though it contains a list of Auth-Type GROUPs, because its semantics are totally different - it uses Auth-Type to decide which of its members to call, and their order is irrelevant. Currently the default authenticate{...} configuration contains a call to eap WITHOUT any Auth-Type! Is that sentence still correct? Thanks. -- ___________________________________________________ __ |- giannici@neomedia.it |ederico Giannici http://www.neomedia.it ___________________________________________________
Federico Giannici wrote:
Federico Giannici wrote:
Alan DeKok wrote:
Federico Giannici wrote:
Now we have to check every authentication against TWO different passwords (it's OK if ONE is matched). Something like setting two different and alternative "User-Password" attributes... Sort of. See doc/configurable_failover. I read it, but I'm a little confused...
How can I use it to make the AUTHENTICATE sections to be tried a SECOND time (with a different Cleartext-Password set by an authorization module), if the first time the authentication failed?
OK, I think I understood how to implement it by means of group{}: if the pap/chap/etc authentication fails then I have to call the authentication routine of my module to change the "Cleartext-Password" and then call the pap/chap/etc authentication again. I'm I right?
OK, it seems to work. At the end of this email there is my authenticate{} section. Is it correct? Is there a simpler way to implement it? Please note that "nm" is my custom module that eventually does a pairreplace() of the "User-Password" attribute. It only returns RLM_MODULE_UPDATED or RLM_MODULE_NOOP. Thanks. authenticate { Auth-Type PAP { group { pap { notfound = return noop = return ok = return updated = return fail = return reject = 1 userlock = return invalid = return handled = return } nm { noop = reject updated = 1 } pap { notfound = return noop = return ok = return updated = return fail = return reject = return userlock = return invalid = return handled = return } } } Auth-Type CHAP { group { chap { notfound = return noop = return ok = return updated = return fail = return reject = 1 userlock = return invalid = return handled = return } nm { noop = reject updated = 1 } chap { notfound = return noop = return ok = return updated = return fail = return reject = return userlock = return invalid = return handled = return } } } Auth-Type MS-CHAP { group { mschap { notfound = return noop = return ok = return updated = return fail = return reject = 1 userlock = return invalid = return handled = return } nm { noop = reject updated = 1 } mschap { notfound = return noop = return ok = return updated = return fail = return reject = return userlock = return invalid = return handled = return } } } } -- ___________________________________________________ __ |- giannici@neomedia.it |ederico Giannici http://www.neomedia.it ___________________________________________________
Federico Giannici wrote:
OK, it seems to work. At the end of this email there is my authenticate{} section. Is it correct? Is there a simpler way to implement it?
If it works, use it. I don't know if there's an easier way to do this right now. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (3)
-
Alan DeKok -
Federico Giannici -
Jan Mulders