Re: Modifying User-Name and User-Password attributes in a module
update request { User-Name := whatever User-Password := wh4t3v3r }
in the pre-proxy section work? No need for a module then... And if I may ask, why would you need to modify name and password for proxying? If it's just about cutting out realms, there is an excellent realm module to do that for you.
Yes, I can do that for static modifications, but in my case I have to split the password and extract N bytes from it, which is a One-time password for 2 factor authentication. I have to receive AUTH_ACK from main radius server using the original password and then process the second authentication stage with a 2 factor authentication manager using that N bytes long OTP. (Connecting to 2FA server, sending OTP and receiving result) This is why I need to do it in a module.
unlang can do WAY more than just static replacements. Use a regular expression. if ( %{request:User-Password} =~ (.*)(......) ) update request { User-Password := %{2} } ... or something close to that. My syntax may be imperfect, maybe someone can provide a more bullet-proof/correct one. This here is supposed to mean: if the password is at least 6 characters long, change the password so that it only is those last six characters (%{1} would be: only the first part, without the trailing OTP). If it is less than six, this expression does nothing. I guess in your scenario you would want to discard those outright, because they don't contain a valid OTP. Add another rule for this case then. I'm ssuming your "N" to be = 6 because that's a common length for OTPs. Put more/less dots at the end of the regexp if you have a different setup.
Now, any ideas on which of the user-password vp's I have to change ?
I'm trying to prepare you for the tough conclusion that you may not need any code changes here at all. That's why I changed the recipient to -users, not -devel.
I know this is ugly. So, If I define my own attributes, is it necessary for main RADIUS server (which we proxy to) to have modified dictionary files ? or it will simply ignore those unknown attributes ?
It should. See RFC2865 section 5.26 and RFC5080 section 2.5 for details. But, to be honest, the pragmatically best approach is: TRY IT. Define a VSA, send it, and look what happens. Greetings, Stefan Winter -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
participants (1)
-
Stefan Winter