Checking password and doing something else during authenticate...

Johan Meiring jmeiring at
Thu Feb 11 20:44:12 CET 2010


Let me start off by saying that I have a perfectly working freeradius setup 
authenticating a bunch of hotspots (coova-chilli).  Thanks freeradius!!!

All is done using custom code in rlm_perl during authentication.
I check the password
I check the user's cap
I check a bunch of other stuff
I accept or reject the user

I am busy expanding services and cannot figure out the following.

To sum up my understanding of how freeradius works.

authorise = select auth type
authenticate = run the appropriate auth method

Currently I do the following

authorise = set Auth-Type to perl
authenticate = run my perl stuff
                i.e. check the password
                     check the user's cap
                     add some reply items
                     return RLM_MODULE_OK/REJECT

A friend of mine mentioned that I would not be able to handle CHAP, should I 
ever want to one day, as I am authenticating the password myself using perl.

Now I am trying to achieve the following

authorise = leave auth type for Freeradius to decide
             set the cleartext password using perl
authenticate = leave Freeradius to do auth using PAP/CHAP
                check the cap using perl and possibly reject the user
                return RLM_MODULE_OK/REJECT

I basically want freeradius to do the PAP/CHAP stuff and AFTER that I want 
to do things like check the user's CAP.

The reason I want to do this is because some of my custom checking (e.g. the 
CAP) can be hard on my sql database.  I do not want to go to the trouble of 
a sql select through 10000's of accounting records, until I at least know 
the password is OK.

I therefore want to influence the authentication decision (using rlm_perl) 
AFTER freeradius has performed the PAP/CHAP/EAP authentication (and it was OK).

Does what I want to do make sense?
Is this possible?



Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
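
The flow asked about above, as an added example that is not part of the original post: perl only supplies Cleartext-Password in authorize, the server's own pap/chap modules verify it, and the costly cap lookup runs from the post-auth section, so requests with a bad password never reach the heavy query. The account data, used_mb() and the --demo switch are constructed for illustration; it assumes the perl module's func_post_auth is set to post_auth.

```perl
# Section order assumed in the virtual server (radiusd side):
#   authorize    { perl  chap  pap }   # perl sets the password, chap/pap pick Auth-Type
#   authenticate { Auth-Type PAP { pap }  Auth-Type CHAP { chap } }
#   post-auth    { perl }              # runs only after a successful authenticate
use strict;
use warnings;

our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);   # hashes shared by rlm_perl

# Return codes, values as in the example.pl shipped with rlm_perl.
use constant { RLM_MODULE_REJECT => 0, RLM_MODULE_OK => 2,
               RLM_MODULE_NOTFOUND => 6, RLM_MODULE_UPDATED => 8 };

# Constructed stand-ins for the SQL tables (hypothetical users and values).
my %ACCOUNT = (alice => { password => 'example-pass', cap_mb => 500 },
               bob   => { password => 'other-pass',   cap_mb => 500 });
my %USED_MB = (alice => 120, bob => 730);

# Hypothetical helper standing in for the expensive accounting query.
sub used_mb { my ($user) = @_; return $USED_MB{$user} // 0 }

# authorize: cheap lookup only; no Auth-Type is set here.
sub authorize {
    my $acct = $ACCOUNT{ $RAD_REQUEST{'User-Name'} // '' }
        or return RLM_MODULE_NOTFOUND;
    $RAD_CHECK{'Cleartext-Password'} = $acct->{password};
    return RLM_MODULE_UPDATED;
}

# post_auth: the password has already been verified by pap/chap.
sub post_auth {
    my $user = $RAD_REQUEST{'User-Name'} // '';
    my $acct = $ACCOUNT{$user} or return RLM_MODULE_REJECT;
    if (used_mb($user) >= $acct->{cap_mb}) {
        $RAD_REPLY{'Reply-Message'} = 'Usage cap reached';
        return RLM_MODULE_REJECT;
    }
    return RLM_MODULE_OK;
}

# Offline check with constructed requests: perl script.pl --demo
if (grep { $_ eq '--demo' } @ARGV) {
    for my $user (qw(alice bob)) {
        %RAD_REQUEST = ('User-Name' => $user); %RAD_CHECK = (); %RAD_REPLY = ();
        my $rc = authorize() == RLM_MODULE_UPDATED ? post_auth() : RLM_MODULE_REJECT;
        print "$user: ", ($rc == RLM_MODULE_OK ? 'accept' : 'reject'), "\n";
    }
}
1;
```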

More information about the Freeradius-Users mailing list