Checking password and doing something else during authenticate...

Alan DeKok aland at
Sat Feb 13 08:11:06 CET 2010

Johan Meiring wrote:
> To sum up my understanding of how freeradius works.
> authorise = select auth type
> authenticate = run the appropriate auth method

  And post-auth: do any post-authentication processing.

> Currently I do the following
> authorise = set Auth-Type to perl
> authenticate = run my perl stuff
>                i.e. check the password
>                     check the users cap
>                     add some reply items
>                     return RLM_MODULE_OK/REJECT
> A friend of mine mentioned that I would not be able to handle CHAP,
> should I ever want to one day, as I am authenticating the password
> myself using perl.


> Now I am trying to achieve the following
> authorise = leave auth type for Freeradius to decide
>             set the cleartext password using perl

  OK... a database would be better, but fine.

> authenticate = leave Freeradius to do auth using PAP/CHAP
>                check the cap using perl and possibly reject the user
>                return RLM_MODULE_OK/REJECT
> I basically want freeradius to do the PAP/CHAP stuff and AFTER that I
> want to do things like check the users CAP.

  Use post-auth.

> The reason I want to do this is because some of my custom checking (e.g.
> the CAP) can be hard on my sql database.  I do not want to go to the
> trouble of a sql select through 10000's of accounting records, until I
> at least know the password is OK.
> I therefore want to influence the authentication decision (using
> rlm_perl) AFTER freeradius has performed the PAP/CHAP/EAP authentication
> (and it was OK).
> Does what I want to do make sense?
> Is this possible?

  Yes, and yes.

  Alan DeKok.

More information about the Freeradius-Users mailing list