EAP and rlm_perl. Is it possible to build custom logic for VPN peers?
Hello, Started a new project and trying to make solution, I can't find the answer on the following: Is it possible to use any of EAP methods (I mean EAP-PEAP, EAP-TTLS or EAP-TLS ...) with rlm_perl. Thanks a lot for your time and any advices. Alex. // <http://wiki.freeradius.org/modules/Rlm_perl>
Oleksandr Yermolenko wrote:
Is it possible to use any of EAP methods (I mean EAP-PEAP, EAP-TTLS or EAP-TLS ...) with rlm_perl.
What does that mean? You can run the perl module when the server receives a packet. It doesn't matter whether the packet contains PAP, CHAP, MS-CHAP, or any EAP type. What do you want to *do* in rlm_perl? Knowing that probably more useful, and will get you a better answer. Alan DeKok.
Is it possible to use any of EAP methods (I mean EAP-PEAP, EAP-TTLS or EAP-TLS ...) with rlm_perl. What does that mean? can I use authenticate, authorize, accounting hooks (or post_auth)? I looked at example.pl.
Just put "perl" in somewhere eap.conf file?
You can run the perl module when the server receives a packet. It doesn't matter whether the packet contains PAP, CHAP, MS-CHAP, or any EAP type.
What do you want to *do* in rlm_perl? Knowing that probably more useful, and will get you a better answer.
authenticate a lot of VPN clients (currently I can choose EAP method), keeping them in mysql or ldap. According their properties give a personal access to different local resources. Accounting: updating start/stop/alive messages. POD if it's possible for strongswan.
Alan DeKok.
Oleksandr Yermolenko wrote:
can I use authenticate, authorize, accounting hooks (or post_auth)? I looked at example.pl.
Then you would know that the perl module can be used in those sections. The "example.pl" has comments saying this.
Just put "perl" in somewhere eap.conf file?
No. You don't just put random text into random files. It helps to understand how the server works. There is a "authorize" section. You can list modules there. This is documented. See raddb/sites-available/default.
authenticate a lot of VPN clients (currently I can choose EAP method), keeping them in mysql or ldap.
The server already has SQL and LDAP modules. You really don't want to re-implement all of them in Perl.
According their properties give a personal access to different local resources. Accounting: updating start/stop/alive messages. POD if it's possible for strongswan.
See raddb/sites-available/originate-coa for how to send disconnect messages. Alan DeKok.
participants (2)
-
Alan DeKok -
Oleksandr Yermolenko