URL authentication

Thibault Le Meur Thibault.LeMeur at supelec.fr
Thu Aug 3 12:58:49 CEST 2006

>> This puts it into the access-request and the radius server sees it
>> rad_recv: Access-Request packet from host, id=106,  
>> length=79
>>         User-Name = "joe"
>>         User-Password = "testing"
>>         incoming-req-uri = "http://www.blibble.net/path_to"
>>   Processing the authorize section of radiusd.conf
>>> Now, I can extend the radcheck table to include the URL and add  
>>> that into the sql query as defined in mysql.conf, but how do I get  
>>> freeradius to authenticate on the triple?

This is simple to implement in the users file (files module) and should 
be easy as well in the mysql backend (though I don't have experience on 
this one).

You'll have to define specific rules that check both authentication and 
your attribute for your Cisco 'web device'. I propose to define a 
Huntgroup for your cisco web devices and then you can add rules like 
these ones:

DEFAULT Huntgroup-Name == My-Cisco, incoming-req-uri != 
"http://www.blibble.net/path_to", Auth-Type := Reject
    Fall-Through  = no

DEFAULT Huntgroup-Name == My-Cisco, incoming-req-uri == 
    Fall-Through  = no

In order to implement these rules directly in mysql see the doc/rlm_sql file.

If this does not work, stop the radius server and then run it in debug mode:
/etc/init.d/radiusd stop
radiusd -X

Then run your Radius authentication request and send the debug log to 
the list.


More information about the Freeradius-Users mailing list