Offloading password verification
Alan DeKok
aland at deployingradius.com
Mon Apr 13 17:53:25 CEST 2009
Phil Meech wrote:
> I'm running version 1.18 currently on Ubuntu 2.6.24-19-server;
There is no version 1.18, and no version 1.1.8, either.
> configured to use MYSQL for all auth and accounting requests. I have
> been asked to move the password verification away from MySQL and use
> an external username/password DB (managed by another company), for
> which my only method of access is an http API (given a username and
> password the API returns either 1 or 0).
That's horrible. And it won't work for most EAP types.
> All attributes will still be
> held in the current MySQL freeradius DB; and all the users that exist
> in the API DB will also exist in the same current MySQL DB. The
> password is passed as PAP through to freeradius currently from the NAS
> devices, and the API also expects a plaintext password.
If all you're doing is PAP, it's ugly, but perhaps functional.
> I was thinking I could use the perl module to achieve this; but am a
> little lost with where to start (writing the perl script is fine). I
> guess the point of my post is how to keep all the attributes in MySQL
> and only offload the password to the API; and where this change would
> fit in to the radiusd.conf file?
Write a Perl script to do the authentication from the command line.
Hard-code the username/password in the script to start. Once it works,
change the username && password to use $RAD_REQUEST{'User-Name'}, and
$RAD_REQUEST{'User-Password'}.
Then, configure the Perl module to use your script, and have the
"check http" function be called from the authenticate hook.
Alan DeKok.
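
A sketch of the script described in the reply above, added here as an illustration; it is not code from the original post or from the FreeRADIUS project. The endpoint URL, the form field names, and the test account are assumptions to be replaced with the vendor's real API details. It fails closed: only a response body of exactly 1 is treated as a successful login.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;

# rlm_perl fills these package hashes for each request.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Return codes rlm_perl understands (values as in FreeRADIUS's example.pl).
use constant {
    RLM_MODULE_REJECT => 0,    # credentials refused
    RLM_MODULE_FAIL   => 1,    # no usable answer from the API
    RLM_MODULE_OK     => 2,    # credentials accepted
};

# Assumption: placeholder endpoint and field names, not the real vendor API.
my $API_URL = 'https://auth.example.com/verify';

# Short timeout so a slow API cannot stall the server; verify the TLS peer.
my $ua = LWP::UserAgent->new(timeout => 5, ssl_opts => { verify_hostname => 1 });

sub check_http {
    my ($user, $pass) = @_;
    return RLM_MODULE_REJECT
        unless defined $user && length $user && defined $pass && length $pass;

    # POST keeps the plaintext password out of URLs and access logs.
    my $res = $ua->post($API_URL, { username => $user, password => $pass });
    return RLM_MODULE_FAIL unless $res->is_success;

    # Accept only the exact documented answers; anything else is a failure.
    (my $body = $res->decoded_content // '') =~ s/\s+//g;
    return RLM_MODULE_OK     if $body eq '1';
    return RLM_MODULE_REJECT if $body eq '0';
    return RLM_MODULE_FAIL;
}

# Hook called by rlm_perl from the authenticate section (PAP only).
sub authenticate {
    return check_http($RAD_REQUEST{'User-Name'}, $RAD_REQUEST{'User-Password'});
}

# Command-line check with a hard-coded (constructed) account: perl script.pl --test
if (@ARGV && $ARGV[0] eq '--test') {
    my $rc = check_http('testuser', 'testpass');
    print "check_http returned $rc\n";
    exit($rc == RLM_MODULE_OK ? 0 : 1);
}
1;
```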