How to distinguish good or bad user using unlang and passwd module?
tnt at kalik.net
Sun Mar 8 16:17:57 CET 2009
>I am using a passwd module to authorize users.
No, you are using passwd module to store passwords.
>First passwd module
>checks
It doesn't check anything - it returns the password stored for that user.
>cisco_users file (format = "*User-Name:Cleartext-Password") and
>then passwd module must check cisco_groups file (format =
>"~Cisco-Group:*,User-Name"). However when passwd module checks the
>cisco_user file, it returns status "ok" even when user password (in
>request packet) doesn't match with cisco_user file.
As it should. As I mentioned before: it doesn't check passwords.
>So I am able to
>distinguish users only by their User-Name, but I need to check their
>passwords as well.
Why? pap module does that.
>I cannot figure out how to write that in my authorize
>section.
Perhaps because that is not authorization but authentication.
>Later, if username and password matches an entry in my
>cisco_user file I will call cisco_group file and find to which group
>that user belongs to assign the right services.
Well, freeradius does that before. You can actually reject the user
during authorization and not go for authentication at all.
>
>currently my code looks like this:
>
>passwd cisco_user_module {
>    #filename = /etc/group
>    filename = /usr/local/etc/raddb/cisco_users
>    #format = "=Etc-Group-Name:::*,User-Name"
>    format = "*User-Name:Cleartext-Password"
>    hashsize = 100
>    ignorenislike = yes
>    allowmultiplekeys = yes
>    delimiter = ":"
>}
>
>authorize {
>    cisco_user_module
>    if(notfound){
>        update control{
>            Auth-Type := Reject
>        }
>        update reply{
>            Reply-Message := "Access denied, sorry!"
>        }
>    }
>    elseif(ok){
>        cisco_group_module
>    }
>}
Make that just:
    authorize {
        cisco_user_module
        cisco_group_module
        pap
    }

and then in post-auth:

    Post-Auth-Type REJECT {
        update reply {
            Reply-Message := "Access denied, sorry!"
        }
    }
Ivan Kalik
Kalik Informatika ISP
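
The split described in the reply above (passwd only looks up the stored password, pap is what compares it), as an added Python model that is not part of the original message and is not FreeRADIUS code. The file contents, function names and the place where the group list is kept are assumptions made for illustration.

```python
import hmac

# Simplified model of the flow in the reply; not FreeRADIUS source code.
# File contents below are constructed sample data.
CISCO_USERS = "alice:s3cret\nbob:hunter2\n"           # *User-Name:Cleartext-Password
CISCO_GROUPS = "admins:alice\noperators:alice,bob\n"  # ~Cisco-Group:*,User-Name

def passwd_users(request, control):
    """Lookup only: copy the stored password into control, never compare it."""
    for line in CISCO_USERS.splitlines():
        name, _, stored = line.partition(":")
        if name == request["User-Name"]:
            control["Cleartext-Password"] = stored
            return "ok"
    return "notfound"

def passwd_groups(request, control):
    """Lookup only: collect every group whose member list names the user."""
    groups = [g for g, _, members in (l.partition(":") for l in CISCO_GROUPS.splitlines())
              if request["User-Name"] in members.split(",")]
    request["Cisco-Group"] = groups
    return "ok" if groups else "notfound"

def pap_authorize(request, control):
    """Select PAP when the request carries a User-Password."""
    if "User-Password" in request:
        control.setdefault("Auth-Type", "PAP")
        return "updated"
    return "noop"

def pap_authenticate(request, control):
    """The only step that compares the supplied password with the stored one."""
    known = control.get("Cleartext-Password")
    return known is not None and hmac.compare_digest(
        request["User-Password"].encode(), known.encode())

def handle(user, password):
    request, control, reply = {"User-Name": user, "User-Password": password}, {}, {}
    # authorize section: both lookups run, then pap picks the Auth-Type
    trace = [m(request, control) for m in (passwd_users, passwd_groups, pap_authorize)]
    # authenticate section
    accepted = control.get("Auth-Type") == "PAP" and pap_authenticate(request, control)
    if not accepted:  # Post-Auth-Type REJECT
        reply["Reply-Message"] = "Access denied, sorry!"
    return ("Access-Accept" if accepted else "Access-Reject"), trace, request["Cisco-Group"], reply
```

A wrong password for a known user still yields "ok" from the user lookup; the reject comes only from the comparison in the authenticate step.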