Re: Newbie question about rlm_exec usage
What EAP type? eg if using PEAP, the client never sends a password, instead its challenge-response which works because the SQL contains a copy of the password so MSCHAP can derive an agreement. Gmhow dies your curl do this? Are you trying thus in the authenticate section and feeding an authorization method? radiusd -X is your and our friend alan
OK, that explains a lot. I guess I need to find a method that lets the Cleartext-Password go through. I don't know how to do this, actually, as our passwords are now stored hashed. Any hint? Le 23/11/2012 19:18, Alan Buxey a écrit :
eg if using PEAP, the client never sends a password, instead its challenge-response which works because the SQL contains a copy of the password so MSCHAP can derive an agreement
I don't know if I understand the process correctly : as far as I understand, an authentication request is handled successively by the listed modules in the authorize {} section, right ? So, now that I figured that I have to use PAP as phase2, I can have the cleartext password. But I don't know how I can provide it to the PAP module : it complains that no "known good" password had been found for the user. What should my executed program return to say that the user is granted access ? Le 23/11/2012 21:28, Hoggins! a écrit :
OK, that explains a lot. I guess I need to find a method that lets the Cleartext-Password go through. I don't know how to do this, actually, as our passwords are now stored hashed.
Any hint?
On 11/24/2012 08:40 PM, Hoggins! wrote:
I don't know if I understand the process correctly : as far as I understand, an authentication request is handled successively by the listed modules in the authorize {} section, right ?
So, now that I figured that I have to use PAP as phase2, I can have the cleartext password. But I don't know how I can provide it to the PAP module : it complains that no "known good" password had been found for the user.
What should my executed program return to say that the user is granted access ?
It sounds like you're still a bit confused about what the *client* sends, versus what the *server* knows. In your original email, you said you were doing 802.1x against a wi-fi point, using certificates and credentials. However, you *didn't* specify what EAP methods your clients are using. In RADIUS, the *client* chooses the authentication method, and the authentication method defines: 1. What the client sends 2. What the server needs to know What EAP method(s) are you using? See this URL for more info: http://deployingradius.com/documents/protocols/compatibility.html And more specifically: http://deployingradius.com/documents/protocols/oracles.html If you are using an "exec" script, you are using an "oracle". It can only authenticate a user based on what the *client* sends, and unless you are using a PAP-based method on the client, the client doesn't send a password. What you want might be impossible. Regards, Phil
participants (3)
-
Alan Buxey -
Hoggins! -
Phil Mayers