Authorization in a Module

Brian Candler B.Candler at
Tue Feb 19 13:54:19 CET 2013

On Tue, Feb 19, 2013 at 09:00:10AM +0100, Patrick Ko wrote:
>    I have an Question to you. I Have an C - Module which i included into
>    the authorize-Section of the radiusd.conf File. If If start my Radius
>    the Module will be loaded an runs correctly.
>    Now I'have the question ;)
>    Is it possible to check "inside" a Module if an User is authenticated
>    or not ?

No: because in freeradius, the "authorize" section is run before the
"authenticate" section.

This may sound counter-intuitive at first, but typically it's the job of the
"authorize" section to fetch the information which will be used to
authenticate the user (such as the setting the Cleartext-Password attribute
which is later used by rlm_pap, rlm_chap etc)

>    Another thing is. Is it possible i have an external list in my Module,
>    where other Users and Passwords are inside. Now a User tries to
>    authenticate and if fails, but now i want that inside the module the
>    list will be checked if it contained the User and if the List contains
>    the User he will be authenticated!

That involves changes to the authentication modules. I did propose once that
if there are multiple Cleartext-Password attributes in the control list,
that the authentication module try them all in turn.  It was suggested that
this could be contributed as an enhancement, but it would need to be
controlled by a flag so that it was disabled by default.

>    At which part in the radiusd.conf the authorization is called ?

I'm not sure that question makes much sense. Modules are called when a
request comes in, not when radiusd.conf is read.

If you're asking when your module's "instantiate" function is called, then
I'm not sure exactly, but why does it matter? It just needs to prepare data
structures and read any config items it's interested in.



More information about the Freeradius-Devel mailing list