non-standard authentication

Alan DeKok aland at deployingradius.com
Thu Feb 24 07:32:27 CET 2011


Travis Dimmig wrote:
> I have a problem scenario where I need to be able to handle the
> authentication of users myself.  I am looking into using either rlm_perl
> or (preferably) rlm_jradius to be able to write my own piece to do
> authentication.

  Or just an external program.

>  I believe this is possible with either module (please
> correct me if I’m wrong on that, it would stop me in my tracks).  What I
> need to know is if when writing my own authenticator there is a terribly
> complicated process of requests and responses that I have to honor in
> order to make the supplicant happy,

  No.  Just use your program in the "inner-tunnel" virtual server.
FreeRADIUS takes care of all of the EAP requests and responses.

>  As a test case,
> I wrote a Java class for rlm_jradius that just replaced reject packets
> with accept packets, to see if it would work.

  It won't work.  A reject is a reject.

> That was long-winded; here is a summary of my questions.  Can I write my
> own piece to do authentication? 

  You can write your own code to check names && passwords, yes.

> Where in the FreeRADIUS process do I list that listener?

  In the "authenticate" section.  See the examples on
deployingradius.com related to Active Directory.  There's an example of
using the "exec" module.  Follow that for your program.

>  Is there a series of requests and responses that I
> have to honor?

  No.

  Alan DeKok.
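
An added example, not part of the original message and not code from FreeRADIUS or deployingradius.com: a minimal external program of the kind the reply suggests calling from the "authenticate" section of the "inner-tunnel" virtual server to check a name and password. It assumes the server hands the request attributes to the program as the environment variables USER_NAME and USER_PASSWORD (string values possibly wrapped in double quotes), that a clear-text password is available inside the tunnel, and that exit status 0 means accept and non-zero means reject; the user store is constructed sample data.

```python
import hashlib
import hmac
import os
import sys

ITERATIONS = 100_000  # constructed work factor for the sample store


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample store: username -> (salt, password hash). A real
# deployment would query its own backend here instead.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
STORE = {"alice": (_SALT, derive("correct horse", _SALT))}
# Dummy entry so an unknown user costs the same work as a known one.
_DUMMY = (b"\x00" * 16, derive("dummy", b"\x00" * 16))


def unquote(value: str) -> str:
    # Assumption: string attribute values may arrive wrapped in double quotes.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def check(env) -> int:
    """Return the process exit status: 0 = credentials OK, 1 = reject."""
    user = unquote(env.get("USER_NAME", ""))
    password = unquote(env.get("USER_PASSWORD", ""))
    known = user in STORE
    salt, expected = STORE[user] if known else _DUMMY
    # Constant-time comparison, performed even when the user is unknown.
    match = hmac.compare_digest(derive(password, salt), expected)
    # Fail closed: unknown user, empty password or mismatch all reject.
    return 0 if (known and match and password) else 1


if __name__ == "__main__":
    sys.exit(check(os.environ))
```

The program only answers yes or no for one name and password; the EAP exchange with the supplicant stays with the server, as the reply states.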


