rml_perl question

FreeRadius-ML freeradius at zap2link.com
Tue Jul 24 17:01:14 CEST 2007


Hi Alan,

  Yes, that was the initial idea. However, $RAD_CHECK{User-Password}, at least according to 
my log file, doesn't exist:

rad_recv: Access-Request packet from host 192.168.2.80:36905, id=35, length=194
        User-Name = "101 at 192.168.2.80"
        Digest-Attributes = 0x0a05313031
        Digest-Attributes = 0x010e3139322e3136382e322e3830
        Digest-Attributes = 0x022a34363966346236616264653232346338613638653136613561373935323739366466303763633861
        Digest-Attributes = 0x04127369703a3139322e3136382e322e3830
        Digest-Attributes = 0x030a5245474953544552
        Digest-Response = "08c1ee69ba91e6c3ef604a6173e2dfa2"
        Service-Type = IAPP-Register
        Sip-Uri-User = "101"
        NAS-Port = 5060
        NAS-IP-Address = 192.168.2.80
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
radius_xlat:  '/usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070719'
rlm_detail: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070719
  modcall[authorize]: module "auth_log" returns ok for request 3
    users: Matched entry DEFAULT at line 51
  modcall[authorize]: module "files" returns ok for request 3
  modcall[authorize]: module "digest" returns ok for request 3
perl_pool: item 0x94fefb0 asigned new request. Handled so far: 1
found interpetator at address 0x94fefb0
rlm_perl: RAD_REQUEST: Client-IP-Address = 192.168.2.80
rlm_perl: RAD_REQUEST: Digest-Response = 08c1ee69ba91e6c3ef604a6173e2dfa2
rlm_perl: RAD_REQUEST: User-Name = 101 at 192.168.2.80
rlm_perl: RAD_REQUEST: Service-Type = IAPP-Register
rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.2.80
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: Sip-Uri-User = 101
rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x95bd5c0)
rlm_perl: RAD_CHECK: Auth-Type = perl
rlm_perl: Added pair Auth-Type = perl
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x94fefb0
  modcall[authorize]: module "perl" returns ok for request 3
modcall: leaving group authorize (returns ok) for request 3
  rad_check_password:  Found Auth-Type Perl
auth: type "perl"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
perl_pool: item 0x95fede0 asigned new request. Handled so far: 1
found interpetator at address 0x95fede0
rlm_perl: RAD_REQUEST: Client-IP-Address = 192.168.2.80
rlm_perl: RAD_REQUEST: Digest-Response = 08c1ee69ba91e6c3ef604a6173e2dfa2
rlm_perl: RAD_REQUEST: User-Name = 101 at 192.168.2.80
rlm_perl: RAD_REQUEST: Service-Type = IAPP-Register
rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.2.80
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: Sip-Uri-User = 101
rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x96bd3f0)
rlm_perl: RAD_CHECK: Auth-Type = perl
rlm_perl: Added pair Auth-Type = perl
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x95fede0
  modcall[authenticate]: module "perl" returns ok for request 3
modcall: leaving group authenticate (returns ok) for request 3
Login OK: [101 at 192.168.2.80/<no User-Password attribute>] (from client 192.168.2.80 port 5060)
Sending Access-Accept of id 35 to 192.168.2.80 port 36905
Finished request 3
Going to the next request


  Apparently, the only thing that RAD_CHECK contains is Auth-Type.

Regards,
  Z2L

----- Original Message -----
From: "Alan DeKok" <aland at deployingradius.com>
To: freeradius at zap2link.com, "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Tuesday, July 24, 2007 5:47:36 PM (GMT+0200) Asia/Jerusalem
Subject: Re: rml_perl question

FreeRadius-ML wrote:
>   Now I understand you better, and I agree, that would constitute a much more
> scalable method. In that case, I return to my previous question, do you have a
> working rlm_perl script that does this, as I would like to see how this works.

  If you can write Perl code to get the clear-text password from the TCP
server, then it's trivial.

  1) get the password from the TCP server

  2) $RAD_CHECK{User-Password} = "password"

  The whole *point* of the server design is to make everything as
trivial as possible.  As I've said before, tell the server what the
clear text password is, and the server will figure out the rest.
Re-implementing any authentication protocol that is already in
FreeRADIUS is pointless and a waste of time.

  Alan DeKok.
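
The two steps in the reply above, sketched as an rlm_perl authorize handler. This is an added example, not code from the thread or from FreeRADIUS; the password server's address, its one-line request/response protocol, and the helper name lookup_password are assumptions.

```perl
# Hypothetical lookup protocol: send "<user>\n" to the TCP server and
# read back one line holding that user's clear-text password.
use strict;
use warnings;
use IO::Socket::INET;
use IO::Select;

# Hashes that rlm_perl shares with the script.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# rlm_perl return codes, values as in the example.pl shipped with FreeRADIUS.
use constant RLM_MODULE_FAIL     => 1;
use constant RLM_MODULE_NOTFOUND => 6;
use constant RLM_MODULE_UPDATED  => 8;

# Assumed address of the password server and I/O timeout in seconds.
my ($PW_HOST, $PW_PORT, $TIMEOUT) = ('127.0.0.1', 9000, 3);

# Returns (reachable, password); password is undef when the user is unknown.
sub lookup_password {
    my ($user) = @_;
    my $sock = IO::Socket::INET->new(
        PeerAddr => $PW_HOST, PeerPort => $PW_PORT,
        Proto    => 'tcp',    Timeout  => $TIMEOUT,
    ) or return (0, undef);
    print {$sock} "$user\n";
    # Bound the read as well, so a stalled server cannot hang the request.
    my $line = IO::Select->new($sock)->can_read($TIMEOUT) ? <$sock> : undef;
    close $sock;
    return (0, undef) unless defined $line;
    $line =~ s/\r?\n\z//;
    return (1, length $line ? $line : undef);
}

sub authorize {
    # Sip-Uri-User is the bare extension ("101") in the request logged above.
    my $user = $RAD_REQUEST{'Sip-Uri-User'};
    # Only pass on names that cannot break the one-line protocol.
    return RLM_MODULE_NOTFOUND
        unless defined $user && $user =~ /\A[A-Za-z0-9_.\-]{1,64}\z/;
    my ($reachable, $password) = lookup_password($user);
    return RLM_MODULE_FAIL     unless $reachable;
    return RLM_MODULE_NOTFOUND unless defined $password;
    # Step 2 of the reply; the hyphenated key must be quoted in Perl.
    # Auth-Type is left alone so the server works out the rest itself.
    $RAD_CHECK{'User-Password'} = $password;
    return RLM_MODULE_UPDATED;
}

1;
```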