Modifying User-Name and User-Password attributes in a module

Stefan Winter stefan.winter at
Fri Apr 11 09:41:09 CEST 2008


> Thanks, you're right, unlang is a powerful tool. I just finished reading
> its man page. It has very interesting features. (accessing run-time

The suggested way of working with this software is

1. read the man page and other documentation
2. ask the mailing list
3. modify source code

Your complete inversion of this order didn't seem to work well.

> variables is wonderful). Your assumptions on my scenario are almost true
> and I do believe that your suggestion (regex in unlang) can completely
> remove any need for using a module in order to modify a request.
> However, in this specific scenario, I need much further processing
> which should be done before I can decide to send a REJECT or ACCEPT. For
> example, I have to send extracted OTP to a remote authentication manager
> whose answer would determine the final authentication result.
> In more detail it should be something like: open a socket, create a
> specific request packet, send it, wait for answer, parse the answer
> packet, and do further processing based on received answer from 2FA server.
> Also, if we consider multi threading operation, there might be more
> issues that need to be taken care of.
> Nevertheless, I believe even using a powerful tool like unlang cannot
> eliminate the need for an extra module. However, having a significant
> part of the whole job done by unlang this might only need a small python
> or perl module.

Yes. rlm_perl can be used to safely embed perl into packet processing, and it 
should even be thread-safe, if perl is compiled accordingly.

In your scenario, I guess you would want to use the mangling we talked about 
to send the request to the remote RADIUS proxy, and then when its answer 
comes back do your out-of-band perl post-processing. The place for this is in 
the post-auth { } section. Yes, in post-auth you can turn an Access-Accept 
from a remote reply into a reject. Make your rlm_perl module return failure 
as return code and you're done.

> Well, even if I just need to use an "update" in configuration files to do
> the job, I need to do it in the right place, I mean request, reply,
> proxy or proxy_reply. Candidates for this one (password modification)
> are "request" and "proxy". I wonder if doing it in "proxy" can confuse
> freeradius for doing further process on it.

I'm not sure. All I can say is that I do all my mangling during authorize { }, 
and it works. pre-proxy might as well, you just have to try it.

> Again. Thanks for your great and helpful suggestions.

Sometimes I'm tempted to kick my butt because I give free consultancy. I 
accept Ferraris as gratuity gifts, you know? ;-)



Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at
Tel.: +352 424409-1
Fax: +352 422473

More information about the Freeradius-Devel mailing list
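
The post-auth check described in the message above, sketched as an rlm_perl script; this is an added example, not code from the thread or from the FreeRADIUS project. Assumptions: the authorize-stage mangling left the extracted OTP in the request attribute Tmp-String-0, and the 2FA validator speaks a hypothetical one-line TCP protocol ("user otp" answered by "OK") at the documentation address 192.0.2.10:5000.

```perl
use strict;
use warnings;
use IO::Socket::INET;
use IO::Select;

# Filled in by rlm_perl before each call.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# rlm_perl return codes used here.
use constant { RLM_MODULE_REJECT => 0, RLM_MODULE_FAIL => 1, RLM_MODULE_OK => 2 };

# Assumptions, not from the thread: the attribute holding the extracted OTP,
# the validator address, and its "user otp\n" -> "OK\n" line protocol.
my $OTP_ATTR = 'Tmp-String-0';
my ($OTP_HOST, $OTP_PORT, $TIMEOUT_S) = ('192.0.2.10', 5000, 3);

# Returns 1 (valid), 0 (invalid), or undef when no usable answer arrived.
sub query_otp_server {
    my ($user, $otp) = @_;
    my $sock = IO::Socket::INET->new(
        PeerAddr => $OTP_HOST, PeerPort => $OTP_PORT,
        Proto    => 'tcp',     Timeout  => $TIMEOUT_S,
    ) or return;
    syswrite($sock, "$user $otp\n");
    # Bounded wait with select(): no alarm()/signals inside a threaded server.
    my ($buf, $n) = ('', 0);
    $n = sysread($sock, $buf, 64) if IO::Select->new($sock)->can_read($TIMEOUT_S);
    close $sock;
    return unless $n;
    return $buf =~ /\AOK\r?\n/ ? 1 : 0;
}

sub post_auth {
    my ($user, $otp) = @RAD_REQUEST{'User-Name', $OTP_ATTR};
    # Strict formats keep spaces and newlines out of the validator's protocol.
    return RLM_MODULE_REJECT
        unless defined $user && defined $otp
            && $user =~ /\A[\w.\@-]{1,64}\z/ && $otp =~ /\A\d{6,8}\z/;
    my $valid = query_otp_server($user, $otp);
    # Fail closed: a timeout or dead validator must never leave the Accept in place.
    return RLM_MODULE_FAIL unless defined $valid;
    return $valid ? RLM_MODULE_OK : RLM_MODULE_REJECT;
}

1;
```

The strict OTP and user-name patterns are placeholders for whatever format the real validator accepts; the point is that nothing unvalidated from the RADIUS request reaches the second protocol.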