Offloading password verification

Alan DeKok aland at deployingradius.com
Mon Apr 13 17:53:25 CEST 2009


Phil Meech wrote:
> I'm running version 1.18 currently on Ubuntu 2.6.24-19-server;

  There is no version 1.18, and no version 1.1.8, either.

> configured to use MYSQL for all auth and accounting requests.   I have
> been asked to move the password verification away from MySQL and use
> an external username/password DB (managed by another company), for
> which my only method of access is an http API (given a username and
> password the API returns either 1 or 0).

  That's horrible.  And it won't work for most EAP types.

>  All attributes will still be
> held in the current MySQL freeradius DB; and all the users that exist
> in the API DB will also exist in the same current MySQL DB.  The
> password is passed as PAP through to freeradius currently from the NAS
> devices, and the API also expects a plaintext password.

  If all you're doing is PAP, it's ugly, but perhaps functional.

> I was thinking I could use the perl module to achieve this; but am a
> little lost with where to start (writing the perl script is fine).  I
> guess the point of my post is how to keep all the attributes in MySQL
> and only offload the password to the API; and where this change would
> fit in to the radiusd.conf file?

  Write a Perl script to do the authentication from the command line.
Hard-code the username/password in the script to start.  Once it works,
change the username && password to use $RAD_REQUEST{'User-Name'}, and
$RAD_REQUEST{'User-Password'}.

  Then, configure the Perl module to use your script, and have the
"check http" function be called from the authenticate hook.

  Alan DeKok.
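
The steps above as one script, added here as an example; it is not part of the original message and not FreeRADIUS's own code. The endpoint URL, the form field names `username`/`password`, and the `TEST_USER`/`TEST_PASS` environment variables (used instead of hard-coding credentials in the file) are assumptions; HTTPS support in LWP needs `LWP::Protocol::https` installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;

# Hashes that rlm_perl fills in for each request.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# Return codes and log level as defined in FreeRADIUS's example.pl.
use constant { RLM_MODULE_REJECT => 0, RLM_MODULE_FAIL => 1, RLM_MODULE_OK => 2 };
use constant L_ERR => 4;

# Assumption: placeholder endpoint; replace with the API provider's real URL.
use constant API_URL => 'https://auth.example.invalid/check';

# Returns 1 (accepted), 0 (refused) or undef (API unreachable or unexpected reply).
sub check_http {
    my ($user, $pass) = @_;
    return 0 unless defined $user && defined $pass && length $pass;
    my $ua = LWP::UserAgent->new(
        timeout  => 5,                         # a slow API must not stall radiusd
        ssl_opts => { verify_hostname => 1 },  # the plaintext password crosses this link
    );
    # POST keeps the password out of URLs and web-server access logs.
    my $res = $ua->post(API_URL, { username => $user, password => $pass });
    return unless $res->is_success;
    my $body = $res->decoded_content // '';
    $body =~ s/^\s+|\s+$//g;
    return $body eq '1' ? 1 : $body eq '0' ? 0 : undef;
}

# rlm_perl authenticate hook: fail closed, and never log the password.
sub authenticate {
    my $ok = check_http($RAD_REQUEST{'User-Name'}, $RAD_REQUEST{'User-Password'});
    unless (defined $ok) {
        &radiusd::radlog(L_ERR, 'check_http: API error, failing the request');
        return RLM_MODULE_FAIL;
    }
    return $ok ? RLM_MODULE_OK : RLM_MODULE_REJECT;
}

# Command-line test for the first step:
#   TEST_USER=bob TEST_PASS=secret perl check_http.pl
if (defined $ENV{TEST_USER} && defined $ENV{TEST_PASS}) {
    my $r = check_http($ENV{TEST_USER}, $ENV{TEST_PASS});
    print defined $r ? ($r ? "accept\n" : "reject\n") : "api error\n";
}
1;
```

An API outage returns RLM_MODULE_FAIL rather than RLM_MODULE_REJECT, so the logs distinguish "API down" from "wrong password" and no user is accepted while the API is unreachable.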


