Authentication with Vendor-Specific Attribute
I'm totally new to this (free)Radius stuff and trying to achieve authentication based on a vendor-specific attribute send by the client. I've add the custom attribute in a new dictionary file /opt/share/freeradius/dictionary.myvendor: VENDOR MyVendor 16132 BEGIN-VENDOR MyVendor ATTRIBUTE MyVendor -OneTimePassword 1 string END-VENDOR MyVendor Included it in the /opt/share/freeradius/dictionary: $INCLUDE dictionary.myvendor And now trying the following in file /opt/etc/raddb/mods-config/files/authorize: bob Cleartext-Password := "hello" if( &MyVendor-OneTimePassword == "123456" ) { Auth-Type := Accept Reply-Message := "Hello %{User-Name}, great to have you here!" } else { Auth-Type := Reject Reply-Message := "Sorry %{User-Name}, wrong OTP" } But when I start the server it quits with the following message: reading pairlist file /opt/etc/raddb/mods-config/files/authorize /opt/etc/raddb/mods-config/files/authorize[2]: Parse error (reply) for entry bob: Expecting operator Failed reading /opt/etc/raddb/mods-config/files/authorize /opt/etc/raddb/mods-enabled/files[9]: Instantiation failed for module "files" Any advice?
On Apr 20, 2021, at 5:57 AM, Daniel Kastner <daniel.kastner@karakun.com> wrote:
I'm totally new to this (free)Radius stuff and trying to achieve authentication based on a vendor-specific attribute send by the client.
I've add the custom attribute in a new dictionary file /opt/share/freeradius/dictionary.myvendor:
VENDOR MyVendor 16132 BEGIN-VENDOR MyVendor ATTRIBUTE MyVendor -OneTimePassword 1 string END-VENDOR MyVendor
That seems fine. It's better to use the actual vendor name, though,
Included it in the /opt/share/freeradius/dictionary:
$INCLUDE dictionary.myvendor
That will get over-written on the next install of the server. The installation process assumes that you don't edit the default dictionaries. You can put the $INCLUDE into raddb/dictionary, where it will not get over-written. The installation process assumes that you edit the files in raddb/, so it doesn't over-write them.
And now trying the following in file /opt/etc/raddb/mods-config/files/authorize:
bob Cleartext-Password := "hello" if( &MyVendor-OneTimePassword == "123456" ) { Auth-Type := Accept Reply-Message := "Hello %{User-Name}, great to have you here!" } else { Auth-Type := Reject Reply-Message := "Sorry %{User-Name}, wrong OTP" }
That's not the format of the "authorize" file. See the many other examples in that file, and "man users" documentation for it. You can put the "bob" line into the "authorize" file. The rest has to go into raddb/sites-available/default, in the "authorize" section. There are many examples of if / then / else logic in that file. Alan DeKok.
participants (2)
-
Alan DeKok -
Daniel Kastner