non-standard authentication

[Travis Dimmig]

I mixed up some terms between freeRadius and JRadius (my first attempt to accomplish this used rlm_jradius).  The term 'listener' is specific to what I was trying to accomplish with JRadius.  I also neglected to mention the important fact that I need to accomplish authentication specifically for WPA2, but without using ntlm_auth etc.  I basically want the ability to say "yes" or "no" to a WPA2 user based on rules that I define, hence my looking at rlm_perl and rlm_jradius, both let me write something of my own.  However, to use either of those with WPA2, I imagine I have to follow the 4-way handshake properly, or the supplicant will bark?

I realize that this is stepping a bit outside the realm of just freeRadius, but if anyone has information it would be extremely helpful.
	
-Travis

From: freeradius-users-bounces+tdimmig=impulse.com at lists.freeradius.org [mailto:freeradius-users-bounces+tdimmig=impulse.com at lists.freeradius.org] On Behalf Of Gary Gatten
Sent: Wednesday, February 23, 2011 3:24 PM
To: 'FreeRadius users mailing list'
Subject: RE: non-standard authentication

I'm CERTAINLY no expert in this, but I can hopefully point you in the right direction.

There is some doc within the FR install (and the Wiki I think) about writing your own "modules" - I think this is what you want.  Although, I think you can do pretty much anything with rlm_perl and unlang, but nonetheless - yes, you can write your own auth module.  I don't thik it would be a separate "listener", but just another module FR uses to auth RADIUS requests.  Ie:  instead of FR using RLM_LDAP, EAP, unix, ntlm_auth, etc. - it would use "Travis_Auth".

Not sure if that helps.  If you can't find doc on "modules" LMK and I'll see if I can track it down for you.  From what I remember it's not rocket science, but not trivial either.

G

________________________________________
From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org] On Behalf Of Travis Dimmig
Sent: Wednesday, February 23, 2011 2:56 PM
To: FreeRadius users mailing list
Subject: non-standard authentication

I have a problem scenario where I need to be able to handle the authentication of users myself.  I am looking into using either rlm_perl or (preferably) rlm_jradius to be able to write my own piece to do authentication.  I believe this is possible with either module (please correct me if I'm wrong on that, it would stop me in my tracks).  What I need to know is if when writing my own authenticator there is a terribly complicated process of requests and responses that I have to honor in order to make the supplicant happy, or if I can trivially accept or reject based on the parameters of my business problem.  As a test case, I wrote a Java class for rlm_jradius that just replaced reject packets with accept packets, to see if it would work.  I found that if I hooked into it at the 'post_auth' stage it didn't matter what my reply was, freeRadius remembered that auth had failed and stripped all the attributes from the response packet.

That was long winded, here is a summary of my questions.  Can I write my own piece to do authentication?  Where in the freeRadius process do I list that listener?  Is there a series of requests and responses that I have to honor?

-Travis

"This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." 
________________________________________
No virus found in this message.
Checked by AVG - www.avg.com
Version: 10.0.1204 / Virus Database: 1435/3463 - Release Date: 02/23/11