Hi For each Access-Request recieved and authenticated successfully I want to do following: 1. Verify if Access-Request contains a parameter i.e IMEI of mobile 2. If Not, send Access-Reject. Else, 3. compare IMEI to value in database and assign a 32bit hex number in Access-Accept Basically, I am doing a second authentication after initial authentication (PAP, CHAP) is successful. Any pointers are appreciated. -- br, Navodit Bhardwaj Hughes Systique Corporation
Navodit Bhardwaj wrote:
For each Access-Request recieved and authenticated successfully I want to do following:
1. Verify if Access-Request contains a parameter i.e IMEI of mobile 2. If Not, send Access-Reject. Else, 3. compare IMEI to value in database and assign a 32bit hex number in Access-Accept
You should be able to just write this in unlang. Write down which attributes you have, and what values you're looking for. Then, write the logic.
Basically, I am doing a second authentication after initial authentication (PAP, CHAP) is successful.
Don't do that. Do it *before* PAP or CHAP. In the "authorize" section. Alan DeKok.
On Thu, Jul 18, 2013 at 10:46 AM, Alan DeKok <aland@deployingradius.com> wrote:
Navodit Bhardwaj wrote:
For each Access-Request recieved and authenticated successfully I want to do following:
1. Verify if Access-Request contains a parameter i.e IMEI of mobile 2. If Not, send Access-Reject. Else, 3. compare IMEI to value in database and assign a 32bit hex number in Access-Accept
You should be able to just write this in unlang. Write down which attributes you have, and what values you're looking for. Then, write the logic.
Navodit, I just asked a similar question and this is the logic I added to my default site, right after 'preprocess': if (CVPN3000-Tunnel-Group-Name == 'Bookstore') { if (SQL-Group == 'RADIUS:bookstore') { noop } else { reject } } What the above logic "says" is: If the user is requesting to be in the Bookstore VPN group then if they are part of the RADIUS:bookstore group, continue (noop), else reject them. You'll need to change 'CVPN3000-Tunnel-Group-Name' and 'Bookstore', and remove the second 'if' statement.
Basically, I am doing a second authentication after initial authentication (PAP, CHAP) is successful.
Don't do that. Do it *before* PAP or CHAP. In the "authorize" section.
Alan, I've got a similar question that dovetails into this discussion. Suppose I wanted to reject certain users and wanted the Reply-Message to be customized per user authenticating, but I want to ensure that I am not leaking the customized message. Is there a way to test the user/pw combo first and *then* perform unlang logic? Thanks, -mz
Hi To proceed with unlang, how can I ensure that the Access-Request contains specific IE. For example: - <IMEI Field> : 1234567890123 - <Hardware Id> : AC12BD54FS56TRZS506 - etc.. Also, Is there any limitation to number of parameters and size, that can be contained in any Access-Request? I wish to compare these field values to my database and if not present in Request, directly process Reject. Br, Navodit On Thu, Jul 18, 2013 at 10:04 PM, Matt Zagrabelny <mzagrabe@d.umn.edu>wrote:
On Thu, Jul 18, 2013 at 10:46 AM, Alan DeKok <aland@deployingradius.com> wrote:
Navodit Bhardwaj wrote:
For each Access-Request recieved and authenticated successfully I want to do following:
1. Verify if Access-Request contains a parameter i.e IMEI of mobile 2. If Not, send Access-Reject. Else, 3. compare IMEI to value in database and assign a 32bit hex number in Access-Accept
You should be able to just write this in unlang. Write down which attributes you have, and what values you're looking for. Then, write the logic.
Navodit,
I just asked a similar question and this is the logic I added to my default site, right after 'preprocess':
if (CVPN3000-Tunnel-Group-Name == 'Bookstore') { if (SQL-Group == 'RADIUS:bookstore') { noop } else { reject } }
What the above logic "says" is:
If the user is requesting to be in the Bookstore VPN group then if they are part of the RADIUS:bookstore group, continue (noop), else reject them.
You'll need to change 'CVPN3000-Tunnel-Group-Name' and 'Bookstore', and remove the second 'if' statement.
Basically, I am doing a second authentication after initial authentication (PAP, CHAP) is successful.
Don't do that. Do it *before* PAP or CHAP. In the "authorize" section.
Alan,
I've got a similar question that dovetails into this discussion. Suppose I wanted to reject certain users and wanted the Reply-Message to be customized per user authenticating, but I want to ensure that I am not leaking the customized message. Is there a way to test the user/pw combo first and *then* perform unlang logic?
Thanks,
-mz - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- br, Navodit Bhardwaj Hughes Systique Corporation
On Thu, Jul 18, 2013 at 11:34:56AM -0500, Matt Zagrabelny wrote:
I've got a similar question that dovetails into this discussion. Suppose I wanted to reject certain users and wanted the Reply-Message to be customized per user authenticating, but I want to ensure that I am not leaking the customized message. Is there a way to test the user/pw combo first and *then* perform unlang logic?
That's what the post-auth section is for. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (4)
-
Alan DeKok -
Matt Zagrabelny -
Matthew Newton -
Navodit Bhardwaj