Modifying User-Name and User-Password attributes in a module

Arash Yadegarnia arash at
Wed Apr 9 20:13:44 CEST 2008

Yes, I can do that for static modifications, but in my case I have to 
split the password and extract N bytes from it, which is a One-time 
password for 2 factor authentication. I have to receive AUTH_ACK from 
main radius server using the original password and then process the 
second authentication stage with a 2 factor authentication manager using 
that N bytes long OTP. (Connecting to 2FA server, sending OTP and 
receiving result) This is why I need to do it in a module.
Now, any ideas on which of the user-password vp's I have to change ?

I know reusing Proxy-State is ugly. So, If I define my own attributes, 
is it necessary for main RADIUS server (which we proxy to) to have 
modified dictionary files ? or it will simply ignore those unknown 
attributes ?


Stefan Winter wrote:
> Hi,
>> I've been working on a freeradius module which will operate in pre-proxy
>> and post-proxy mode. I need to modify the user-password
>> (PW_USER_PASSWORD) attribute in pre-proxy and return an RLM_MODULE_UPDATED.
> Hm, why doesn't updating this stuff with
> update request {
> 	User-Name := whatever
> 	User-Password := wh4t3v3r
> }
> in the pre-proxy section work? No need for a module then... And if I may ask, 
> why would you need to modify name and password for proxying? If it's just 
> about cutting out realms, there is an excellent realm module to do that for 
> you.
>> And last question, Is it safe to modify the Proxy-State attribute in
>> pre-proxy stage? somewhere in event.c, the comments says that, RFC
>> requires it (Proxy-State)  but freeradius doesn't need it, and just
>> fills it with packet->id (which is a random number). Since RFC forbids
>> adding more than one Proxy-State too the packet, and also having in mind
>> that I don't want to introduce a new attribute (bothering dictionary
>> files), Can I use the same Proxy-State (filed by freeradius with
>> packet->id) to store my own data in it ?
> Again, why on earth would you want to do that? If you want to send information 
> in a packet, there's no need to abuse Proxy-State... define your own 
> attribute.
> Stefan Winter
> ------------------------------------------------------------------------
> -
> List info/subscribe/unsubscribe? See
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Devel mailing list