pptp + perl + freeradius???

tnt at kalik.net
Thu Nov 19 18:27:25 CET 2009


> The documents I mentioned above were about pptp installation, not freeradius
> itself. Sure, I read docs about freeradius also. Even your main README
> file!!

If you did read it, why did you do this:

> There were some other virtual servers running on that freeradius server,
> Just removed them for my test purposes. So nothing special about removing
> default server.

Removing default server = destroying default configuration! If you want to
replace default server with another one you need to alter listen section.
See README in raddb/sites-available.

>>> Here is how my perl script works. When it gets a username/pass it
>>> checks it via an xml page and if it is correct it adds the username to
>>> mysql table with auth-type == local parameter.
>>
>> Which is wrong. Don't add Auth-Type, add the Cleartext-Password.
>>
>
> It was for my perl module. Which seems unnecessary for mschaps as I see.
> So I already removed it.

Yes, you don't want perl in authenticate, but you do want it in authorize
still to get the password from xml.

> That's why in my previous system (which still works for hotspot
> authentications) I was using a perl module to connect to an xml service
> and check if the username/password is correct (I was just sending
> username/password couple and the answer is returning as ok or not.), and if
> it is ok, add the username/ name/email address and other informational
> knowledges of the user to a mysql table which is not relative to our
> subject now.
> And every time user logs on, that perl script checks for the password again
> via xml page. So I got no passwords in mysql at all.

Fine, just have perl copy the password from xml into
$RAD_CHECK{'Cleartext-Password'}.

> So as I understand, the only way that mschap works is to keep
> username/passwords on mysql (or file) right?

No, if you can get password using perl it doesn't have to be in mysql. You
need cleartext or nt hashed password for mschap - freeradius doesn't care
where it is stored (sql, ldap, file, whatever) and how it is made
available. As long as the password is available for authentication.

Ivan Kalik
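
Added example, not part of the original thread and not FreeRADIUS's own code: a sketch of the rlm_perl `authorize` hook the reply describes, which only supplies the known-good password and sets no Auth-Type, leaving authentication to mschap. It assumes XML::LibXML is installed and that the backend can return the password or its NT hash; `fetch_user_xml`, the XML layout and the `XMLAUTHZ_SELFTEST` variable are hypothetical.

```perl
#!/usr/bin/perl
# Added example for rlm_perl: authorize() supplies the password only.
use strict;
use warnings;
use XML::LibXML;

# Globals that rlm_perl fills in before calling each function.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# rlm_perl return codes (same values as FreeRADIUS's example.pl).
use constant { RLM_MODULE_FAIL => 1, RLM_MODULE_NOTFOUND => 6, RLM_MODULE_UPDATED => 8 };

# Hypothetical stand-in for the call to the XML service. The document
# returned here is constructed sample data, not a real schema.
sub fetch_user_xml {
    my ($user) = @_;
    return unless $user eq 'alice';
    return '<user><name>alice</name><password>s3cret-sample</password></user>';
}

sub authorize {
    my $user = $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_NOTFOUND unless defined $user && length $user;
    my $xml = fetch_user_xml($user);
    return RLM_MODULE_NOTFOUND unless defined $xml;

    # Treat the response as untrusted: no entity expansion, no DTD or network loads.
    my $parser = XML::LibXML->new(expand_entities => 0, load_ext_dtd => 0, no_network => 1);
    my $doc = eval { $parser->parse_string($xml) };
    return RLM_MODULE_FAIL unless $doc;

    # Prefer an NT hash if the service offers one, so the cleartext never
    # leaves the backend; otherwise fall back to the cleartext password.
    my $nt    = $doc->findvalue('/user/nt-hash');
    my $clear = $doc->findvalue('/user/password');
    if    (length $nt)    { $RAD_CHECK{'NT-Password'}        = $nt }
    elsif (length $clear) { $RAD_CHECK{'Cleartext-Password'} = $clear }
    else                  { return RLM_MODULE_NOTFOUND }
    return RLM_MODULE_UPDATED;    # no Auth-Type is set here
}

# Stand-alone check outside radiusd (hypothetical env switch): one request.
if ($ENV{XMLAUTHZ_SELFTEST}) {
    %RAD_REQUEST = ('User-Name' => 'alice');
    my $rc = authorize();
    print "rc=$rc attrs=", join(',', sort keys %RAD_CHECK), "\n";
}
```

Because the password is fetched per request and placed only in the control list, nothing is written to MySQL; the XML service response should still travel over an authenticated, encrypted channel.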



