Checking password and doing something else during authenticate...
Alan DeKok
aland at deployingradius.com
Sat Feb 13 08:11:06 CET 2010

Johan Meiring wrote:
> To sum up my understanding of how freeradius works.
>
> authorise = select auth type
> authenticate = run the appropriate auth method

And post-auth: do any post-authentication processing.

> Currently I do the following
>
> authorise = set Auth-Type to perl
> authenticate = run my perl stuff
> i.e. check the password
> check the user's cap
> add some reply items
> return RLM_MODULE_OK/REJECT
>
> A friend of mine mentioned that I would not be able to handle CHAP,
> should I ever want to one day, as I am authenticating the password
> myself using perl.

Yes.

> Now I am trying to achieve the following
>
> authorise = leave auth type for Freeradius to decide
> set the cleartext password using perl

OK... a database would be better, but fine.

> authenticate = leave Freeradius to do auth using PAP/CHAP
> check the cap using perl and possibly reject the user
> return RLM_MODULE_OK/REJECT
>
>
> I basically want freeradius to do the PAP/CHAP stuff and AFTER that I
> want to do things like check the user's CAP.

Use post-auth.

> The reason I want to do this is because some of my custom checking (e.g.
> the CAP) can be hard on my sql database. I do not want to go to the
> trouble of a sql select through 10000's of accounting records, until I
> at least know the password is OK.
>
> I therefore want to influence the authentication decision (using
> rlm_perl) AFTER freeradius has performed the PAP/CHAP/EAP authentication
> (and it was OK).
>
> Does what I want to do make sense?
> Is this possible?

Yes, and yes.

Alan DeKok.
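
The split discussed in this thread, sketched as an added example that is not part of the original messages and is not FreeRADIUS project code: rlm_perl supplies the cleartext password in authorize, the server's own pap/chap modules do the comparison, and the expensive cap check runs in post-auth only for users whose password was accepted. The in-memory password and usage tables, `CAP_BYTES`, the reply items, the `--selftest` switch and the virtual-server layout in the comments are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Assumed virtual-server layout:
#   authorize    { chap  perl  pap }   # perl only supplies the password
#   authenticate { Auth-Type PAP { pap }  Auth-Type CHAP { chap } }
#   post-auth    { perl }              # reached only after authenticate succeeded
use strict;
use warnings;

# Hashes that rlm_perl shares with the script.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# rlm_perl return codes, as defined in the example.pl shipped with FreeRADIUS.
use constant { RLM_MODULE_REJECT => 0, RLM_MODULE_OK => 2,
               RLM_MODULE_NOTFOUND => 6, RLM_MODULE_UPDATED => 8 };

# Constructed stand-ins for the real password store and the accounting query.
my %PASSWORD = (alice => 'wonderland', bob => 'builder');
my %USED     = (alice => 2_000_000_000, bob => 9_000_000_000);
use constant CAP_BYTES => 5_000_000_000;    # hypothetical usage cap

# authorize: hand the cleartext password to the server and do NOT compare it
# here, so that pap or chap can verify whichever form the NAS sent.
sub authorize {
    my $user = $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_NOTFOUND
        unless defined $user && exists $PASSWORD{$user};
    $RAD_CHECK{'Cleartext-Password'} = $PASSWORD{$user};
    return RLM_MODULE_UPDATED;
}

# post_auth: the costly cap lookup, paid only for users with a valid password.
# Returning reject from post-auth turns the pending accept into a reject.
sub post_auth {
    my $user = $RAD_REQUEST{'User-Name'} // '';
    if (($USED{$user} // 0) >= CAP_BYTES) {
        $RAD_REPLY{'Reply-Message'} = 'Usage cap exceeded';
        return RLM_MODULE_REJECT;
    }
    $RAD_REPLY{'Session-Timeout'} = 3600;   # example reply item
    return RLM_MODULE_OK;
}

# Stand-alone check outside the server: perl thisfile.pl --selftest
if (@ARGV && $ARGV[0] eq '--selftest') {
    for my $u (qw(alice bob)) {
        %RAD_REQUEST = ('User-Name' => $u); %RAD_REPLY = (); %RAD_CHECK = ();
        printf "%s: authorize=%d post_auth=%d\n", $u, authorize(), post_auth();
    }
}
```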