Question about authenticating CHAP clients using an external program - A different case

tnt at kalik.net
Thu Feb 26 12:42:10 CET 2009


>Thanks for your reply. I have got some questions to ask. We have different
>types of clients (Or, connections) in our system; Dial-Up, ADSL, VoIP, CHAP,
>MS-CHAP, MS-CHAPv2 and ... . Each of these clients needs different
>authorization method. Now, where should our authorization code reside? Shall
>we create an authorization external program as an instance of the rlm_exec
>module and call it in the Authorization section of radiusd.conf?

Yes.

>Shall we
>create our customized module and form our code as the authorization
>function?

Yes.

>What about authentication, I completely understood the idea of
>post-auth, but how it should be implemented? Do we need another instance of
>the rlm_module placed in the post-auth section of radiusd.conf or we should
>implement post-auth functionalities as post-auth function in our customized
>module?

You would place the second module in post-auth.

>In general, what should be our strategy, developing a customized
>module and implementing our logic as its functions, or using multiple
>instances of rlm_exec module and placing them in the appropriate sections of
>the radiusd.conf?

Create the authorization script (for authorization section) that will do
all the checks on access request attributes (plus counters, login time,
expiration etc. if you are not using default modules) that you feel
should be done. Then pass the password to the server for authentication
with default server modules. Once authenticated add anything that user
needs (IP, VLAN, fixed bandwidth or time restrictions etc.) in post-auth
script.

Ivan Kalik
Kalik Informatika ISP
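
The split described in this reply, as an added example that is not part of the original message and not FreeRADIUS's own code: one script run through rlm_exec in the authorize section to reject unknown or expired accounts, and the same script in post-auth to emit reply attributes, with the password check left to the server's default modules. The accounts file, its path, the `authorize`/`post-auth` arguments and the VLAN attributes are assumptions; so is the rlm_exec interface used here (request attributes exported as environment variables such as USER_NAME, reply pairs read from stdout, exit status 0 for ok and 1 for reject).

```shell
#!/bin/sh
# Added example, not from the original post. Assumed rlm_exec interface:
# User-Name arrives as $USER_NAME, stdout is parsed as reply pairs,
# exit 0 = ok, exit 1 = reject. File format and path are constructed.
ACCOUNTS="${ACCOUNTS:-/etc/raddb/accounts.txt}"  # hypothetical: user:expiry(YYYYMMDD):vlan

strip_quotes() {  # string values may arrive wrapped in double quotes
    printf '%s' "$1" | sed 's/^"//; s/"$//'
}

lookup() {  # print the account line for user $1; request data is never eval'd
    user=$(strip_quotes "$1")
    case "$user" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;   # refuse unexpected characters
    esac
    awk -F: -v u="$user" \
        '$1 == u { print; found = 1; exit } END { exit !found }' "$ACCOUNTS"
}

authorize_check() {  # authorize section: $1 = User-Name, $2 = today (YYYYMMDD)
    line=$(lookup "$1") || return 1          # unknown user or unreadable file: reject
    expiry=$(printf '%s' "$line" | cut -d: -f2)
    [ "$2" -le "$expiry" ] || return 1       # expired or malformed expiry: reject
    return 0                                 # ok; the server still verifies the password
}

post_auth_reply() {  # post-auth section: print what the user needs (here a VLAN)
    line=$(lookup "$1") || return 1
    vlan=$(printf '%s' "$line" | cut -d: -f3)
    printf 'Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "%s"\n' "$vlan"
}

case "${1:-}" in  # hypothetical CLI, one rlm_exec instance per section
    authorize) authorize_check "${USER_NAME:-}" "$(date +%Y%m%d)"; exit $? ;;
    post-auth) post_auth_reply "${USER_NAME:-}"; exit $? ;;
esac
```

Both functions fail closed: a missing accounts file, an unknown user or a user name with unexpected characters all end in a non-zero status.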



