compiling freeradius source code

Brian Candler B.Candler at pobox.com
Fri Apr 22 20:23:00 CEST 2011 

On Thu, Apr 21, 2011 at 07:13:46PM +0530, ashwini b wrote:
>    I'm giving a detailed description of my problem here
>    Im setting up 802.1x port based authentication using wire1x as
>    supplicant and freeradius as the server.I have configured
>    switch for 802.1x and using eap-tls as authentication
>    protocol.freeradius is configured to authenticate the client with
>    username and password.
>    My problem is i want to sent a bit(P bit) along with this username
>    which will be taken into account for the authentication.for this i
>    planned to send the username as P<specialcharacter>UserName.and wire1x
>    will send the username as usual.

So do you mean the username might look like "P0fred" or "P1bob" ?

>    Now at the freeradius side i have to seperate this new user name to P
>    and UserName.and and make the authentication as(hypothetically):
>    if(recieved (username,password)=(username,password)in
>    clients.conf)&&bit P==1)
>    {
>    authenticate(return 0)
>    }

So you're saying if the bit P==0 or the bit P is missing completely, then
you should reject them?

authorize {
    ...
    if (User-Name =~ /^P1(.*)$/) {
        update request {
            User-Name = "%{1}"
        }
    }
    else {
        reject
    }
    ...
}

But this seems a bit silly, if you have a custom supplicant which adds "P0"
or "P1" to the front of the username, but you want "P0" always to fail. In
that case, you might as well make the supplicant itself refuse to
authenticate.

Note also that there is no "username and password" stored in clients.conf. 
clients.conf contains just the source IP addresses of the RADIUS clients
(the switches themselves, in the case of 802.1x authentication), and the
shared secrets which the clients use to prevent spoofed RADIUS packets being
sent.

>    I found that the username,password checking is done in auth.c file.i
>    have to add 1 more condition to that.

No, you don't need to touch the C source. You can rewrite the username in
the authorize section (which is also where you do any database lookups, to
find things like the Cleartext-Password to compare against the password
provided by the user)

However, it sounds like it would repay you well to read some of the standard
documentation for freeradius, as well as a primer on the RADIUS protocol
itself, before proceeding further.

HTH,

Brian.

More information about the Freeradius-Devel mailing list