URL authentication
Thibault Le Meur
Thibault.LeMeur at supelec.fr
Thu Aug 3 12:58:49 CEST 2006
>> This puts it into the access-request and the radius server sees it
>> rad_recv: Access-Request packet from host 127.0.0.1:32770, id=106, length=79
>> User-Name = "joe"
>> User-Password = "testing"
>> incoming-req-uri = "http://www.blibble.net/path_to"
>> Processing the authorize section of radiusd.conf
>>
>>
>>>
>>> Now, I can extend the radcheck table to include the URL and add
>>> that into the sql query as defined in mysql.conf, but how do I get
>>> freeradius to authenticate on the triple?
This is simple to implement in the users file (files module) and should
be easy as well in the mysql backend (though I don't have experience with
this one).
You'll have to define specific rules that check both authentication and
your attribute for your Cisco 'web device'. I propose to define a
Huntgroup for your cisco web devices and then you can add rules like
these ones:
DEFAULT Huntgroup-Name == My-Cisco, incoming-req-uri != "http://www.blibble.net/path_to", Auth-Type := Reject
        Fall-Through = no

DEFAULT Huntgroup-Name == My-Cisco, incoming-req-uri == "http://www.blibble.net/path_to"
        Fall-Through = no
In order to implement these rules directly in mysql see the doc/rlm_sql file.
If this does not work, stop the radius server and then run it in debug mode:
/etc/init.d/radiusd stop
radiusd -X
...
Then run your Radius authentication request and send the debug log to
the list.
HTH,
Thibault
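
A simplified model of how the two DEFAULT entries above are evaluated, added here as an example; it is not part of the original post and is not FreeRADIUS code. The function names and sample requests are constructed, and the model assumes that a check on an attribute missing from the request does not match.

```python
# Simplified model of first-match evaluation of "users" file entries.
# Assumption: a check item whose attribute is absent from the request
# does not match, for both == and !=.
URI = "http://www.blibble.net/path_to"

# Constructed from the two DEFAULT entries in the post: (check items, reply items).
ENTRIES = [
    ([("Huntgroup-Name", "==", "My-Cisco"),
      ("incoming-req-uri", "!=", URI),
      ("Auth-Type", ":=", "Reject")], {"Fall-Through": "no"}),
    ([("Huntgroup-Name", "==", "My-Cisco"),
      ("incoming-req-uri", "==", URI)], {"Fall-Through": "no"}),
]


def entry_matches(checks, request):
    """Return (matched, control items set by the entry) for one request."""
    control = {}
    for attr, op, value in checks:
        if op == ":=":                 # sets a control item, compares nothing
            control[attr] = value
            continue
        if attr not in request:        # missing attribute: entry does not match
            return False, {}
        if (request[attr] == value) != (op == "=="):
            return False, {}
    return True, control


def evaluate(request, entries=ENTRIES):
    """Walk entries in file order; stop at a match with Fall-Through = no."""
    control, matched = {}, []
    for index, (checks, reply) in enumerate(entries):
        ok, ctl = entry_matches(checks, request)
        if not ok:
            continue
        matched.append(index)
        control.update(ctl)
        if reply.get("Fall-Through", "no") == "no":
            break
    return matched, control


if __name__ == "__main__":
    base = {"User-Name": "joe", "Huntgroup-Name": "My-Cisco"}
    for uri in (URI, "http://www.blibble.net/other", None):
        req = dict(base, **({"incoming-req-uri": uri} if uri else {}))
        print(uri, "->", evaluate(req))
```

In this model a request from the huntgroup that carries no incoming-req-uri at all matches neither entry, so its outcome depends on whatever entries follow in the file.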