Question about authenticating CHAP clients using an external program - A different case
Hello All, I am using freeradius-1.1.7. In order to authenticate users using an external program, I have created an instance of the rlm_exec module which contains the properties of the external program. In the radiusd.conf, I have called the instance in the authentication section. Now, as I want to authenticate CHAP clients, I need to pass their clear text passwords to the rlm_chap module. The passwords are stored in the database (MySQL) and are fetched in the external program. In the external program, I have simply output User-Password = ### as the user's clear text password, but the rlm_chap module says: "Could not find clear text password for user ...". What is wrong? Any ideas? Kind Regards Ali Majdzadeh Kohbanani
I am using freeradius-1.1.7. In order to authenticate users using an external program, I have created an instance of the rlm_exec module which contains the properties of the external program. In the radiusd.conf, I have called the instance in the authentication section. Now, as I want to authenticate CHAP clients, I need to pass their clear text passwords to the rlm_chap module. The passwords are stored in the database (MySQL) and are fetched in the external program. In the external program, I have simply output User-Password = ### as the user's clear text password, but the rlm_chap module says: "Could not find clear text password for user ...". What is wrong? Any ideas?
Attribute for clear text password is - Cleartext-Password. And operator should be :=. Ivan Kalik Kalik Informatika ISP
Ivan, Hello Thanks for your attention, but I have tested what you had suggested. The result is the same, with both attributes the CHAP module throws the same error. Any ideas? Kind Regards Ali Majdzadeh Kohbanani 2009/2/24 <tnt@kalik.net>
I am using freeradius-1.1.7. In order to authenticate users using an external program, I have created an instance of the rlm_exec module which contains the properties of the external program. In the radiusd.conf, I have called the instance in the authentication section. Now, as I want to authenticate CHAP clients, I need to pass their clear text passwords to the rlm_chap module. The passwords are stored in the database (MySQL) and are fetched in the external program. In the external program, I have simply output User-Password = ### as the user's clear text password, but the rlm_chap module says: "Could not find clear text password for user ...". What is wrong? Any ideas?
Attribute for clear text password is - Cleartext-Password. And operator should be :=.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ivan, Hello Problem solved. I have mentioned my solution below, but now comes another question, sorry :) How is it possible to authenticate CHAP clients using an external program and not the rlm_chap module? I made two instances of the rlm_exec module. One as the authorization external program and one as the authentication external program. The point is that the Cleartext-Password should be sent out as a configuration item in the authorization external program, in other words, what the authorization program outputs should be configuration items (in this case). Well, in my previous configuration, the authorization program has been output attribute-value pairs as reply messages and that was wrong. Using radiusd.conf, I changed the output type of the authorization external program to config items. Now I can access User-Name, CHAP-Password, CHAP-Challenge attribute-value pairs in my authentication external program. By the way, the authorization external program sets my customized Auth-Type so that in the authentication section, I can use it to authenticate clients using my authentication external program which is another instance of the rlm_exec module (the second one). The main problem is the way that authentication should take place for CHAP, MS-CHAP and MS-CHAPv2 clients in the authentication external program. Kind Regards Ali Majdzadeh Kohbanani
By the way, the authorization external program sets my customized Auth-Type so that in the authentication section, I can use it to authenticate clients using my authentication external program which is another instance of the rlm_exec module (the second one).
Why?
The main problem is the way that authentication should take place for CHAP, MS-CHAP and MS-CHAPv2 clients in the authentication external program.
Exactly. Why bother when you have first class modules included with the server. Don't set Auth-Type. Let server do it. Ivan Kalik Kalik Informatika ISP
Ivan, Hello Thanks for your reply. You are right and I do know that this is not the right way to get things done, but what we have got here is a sophisticated and feature-balloted AAA system which is totally based on external programs. As a mid-term solution we should try to respond to our numerous clients who are using CHAP, MS-CHAP and MS-CHAPv2 connections. Please please, let me know if there exists any solution to implement these features in an external authentication program. Kind Regards Ali Majdzadeh Kohbanani
Thanks for your reply. You are right and I do know that this is not the right way to get things done, but what we have got here is a sophisticated and feature-balloted AAA system which is totally based on external programs.
So what would be the problem in sorting out your "features" in authorization script and leaving authentication to the server?
As a mid-term solution we should try to respond to our numerous clients who are using CHAP, MS-CHAP and MS-CHAPv2 connections. Please please, let me know if there exists any solution to implement these features in an external authentication program.
Freeradius is open source. Look up the code in rlm_chap and rlm_mschap. Ivan Kalik Kalik Informatika ISP
Ivan, Thanks for your reply. The problem is time. We should find an immediate solution. Anyway, thanks again. Kind Regards Ali Majdzadeh Kohbanani
Thanks for your reply. The problem is time. We should find an immediate solution. Anyway, thanks again.
Immediate solution is *not* trying to invent a new kind of hole on the flower pot. Don't use custom authentication script - use existing server modules. Whatever additional checks you think you need can be moved to the authorization script. Ivan Kalik Kalik Informatika ISP
Ivan, Thanks for your attention. Yes, you are right, we should organize our system regarding the structure of freeradius. I have lots of questions to ask. I am going to coherently form them; would you please trace this thread? Kind Regards Ali Majdzadeh Kohbanani
Thanks for your attention. Yes, you are right, we should organize our system regarding the structure of freeradius. I have lots of questions to ask. I am going to coherently form them; would you please trace this thread?
I do hang around. This is what you should plan for: - checks that need to be made before you decide if the user should be accepted should be run in authorize - let freeradius sort out password validity (authentication) - anything that needs to be added/changed after you decided to accept/reject user should be run in post-auth If you follow that structure there will be few problems in sorting out your scripts. Ivan Kalik Kalik Informatika ISP
Ivan, Hello Thanks for your reply. I have got some questions to ask. We have different types of clients (Or, connections) in our system; Dial-Up, ADSL, VoIP, CHAP, MS-CHAP, MS-CHAPv2 and ... . Each of these clients need different authorization method. Now, where should our authorization code reside? Shall we create an authorization external program as an instance of the rlm_exec module and call it in the Authorization section of radiusd.conf? Shall we create our customized module and form our code as the authorization function? What about authentication, I completely understood the idea of post-auth, but how it should be implemented? Do we need another instance of the rlm_module placed in the post-auth section of radiusd.conf or we should implement post-auth functionalities as post-auth function in our customized module? In general, what should be our strategy, developing a customized module and implementing our logic as it's functions, or using multiple instances of rlm_exec module and placing them in the appropriate sections of the radiusd.conf? Thanks again for your kind attention. Kind Regards Ali Majdzadeh Kohbanani
Thanks for your reply. I have got some questions to ask. We have different types of clients (Or, connections) in our system; Dial-Up, ADSL, VoIP, CHAP, MS-CHAP, MS-CHAPv2 and ... . Each of these clients need different authorization method. Now, where should our authorization code reside? Shall we create an authorization external program as an instance of the rlm_exec module and call it in the Authorization section of radiusd.conf?
Yes.
Shall we create our customized module and form our code as the authorization function?
Yes.
What about authentication, I completely understood the idea of post-auth, but how it should be implemented? Do we need another instance of the rlm_module placed in the post-auth section of radiusd.conf or we should implement post-auth functionalities as post-auth function in our customized module?
You would place the second module in post-auth.
In general, what should be our strategy, developing a customized module and implementing our logic as it's functions, or using multiple instances of rlm_exec module and placing them in the appropriate sections of the radiusd.conf?
Create the authorization script (for authorization section) that will do all the checks on access request attributes (plus counters, login time, expiration etc. if you are not using default modules) that you fill should be done. Then pass the password to the server for authentication with default server modules. Once authenticated add anythig that user needs (IP, VLAN, fixed bandwidth or time restrictions etc.) in post-auth script. Ivan Kalik Kalik Informatika ISP
Ivan, Hello Thanks for your reply. Sorry if my question is elementary, but this is the last one. What is the difference between creating a customized module to do Authorization/Post-Authentication and using external programs as instances of rlm_exec module to the so-called functionalities? Kind Regards Ali Majdzadeh Kohbanani
Thanks for your reply. Sorry if my question is elementary, but this is the last one. What is the difference between creating a customized module to do Authorization/Post-Authentication and using external programs as instances of rlm_exec module to the so-called functionalities?
Module is much more complex. It should be capable of handling and properly responding to all kinds of inputs. You can safely ignore most of it if you are writing a script as rlm_exec (or rlm_perl or whatever) will handle that for you. And you have to write the module in C while scripts can be written in variety of languages. Ivan Kalik Kalik Informatika ISP
Ivan, Thanks for your reply. I think I should start writing my own module, because the AAA system itself is in C. In other words, all of our external programs are C programs. Thanks again for your patience and guidance. Kind Regards Ali Majdzadeh Kohbanani
participants (2)
-
Ali Majdzadeh -
tnt@kalik.net