non-standard authentication
Alexander Clouter
alex at digriz.org.uk
Thu Feb 24 11:06:23 CET 2011
Travis Dimmig <tdimmig at impulse.com> wrote:
>
> I mixed up some terms between freeRadius and JRadius (my first attempt
> to accomplish this used rlm_jradius). The term 'listener' is specific
> to what I was trying to accomplish with JRadius. I also neglected to
> mention the important fact that I need to accomplish authentication
> specifically for WPA2, but without using ntlm_auth etc. I basically
> want the ability to say "yes" or "no" to a WPA2 user based on rules
> that I define, hence my looking at rlm_perl and rlm_jradius, both let
> me write something of my own.
>
Please stop faffing around and 'planning' and just sit down and write
some code! :)
If you run into a problem with your code, and cannot work out what is
wrong from the examples below, then email the list (with the source
code).
If you are not doing challenge authentication (complicated schemes such
as OTP or CHAP for example) then writing an external helper
authenticator is *very* easy. You generally just read 'User-Password'
and any other attributes you are interested in, then you return 'reject'
or 'ok'.
You can use shell, perl, python....
https://github.com/alandekok/freeradius-server/blob/v2.1.x/scripts/exec-program-wait
https://github.com/alandekok/freeradius-server/blob/v2.1.x/src/modules/rlm_perl/example.pl
https://github.com/alandekok/freeradius-server/blob/v2.1.x/src/modules/rlm_python/radiusd_test.py
To be honest, you have given no hints about what this 'external auth'
system is that you have to write your own code for, but the complete
lack of detail is hinting to me that you could just use the existing
unlang/ldap/sql/etc framework already in FreeRADIUS?
> However, to use either of those with WPA2, I imagine I have to follow
> the 4-way handshake properly, or the supplicant will bark?
>
'WPA' is a wireless system, not a RADIUS system. FreeRADIUS does not
see anything to do with 'WPA'; with 'WPA Enterprise' it might play with
some EAP packets (which typically is just the equivalent of 'openssl
s_server ...') but this has nothing to do with 'WPA'.
If you are doing WPA Enterprise, then just put your module in the inner
EAP layer as Alan has already suggested.
...please just write some code and stop with the hand waving :)
Cheers
--
Alexander Clouter
.sigmonster says: BOFH excuse #266:
All of the packets are empty.
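An added example of the kind of "read 'User-Password', return ok or reject" helper described in the reply above. It is not code from the post, nor from FreeRADIUS; it follows the exec-program-wait convention that rlm_exec uses when run with `wait = yes` and `input_pairs = request`: request attributes arrive as environment variables (name upper-cased, '-' replaced with '_', so User-Name becomes USER_NAME) and the process exit status is mapped back to a module code (0 = ok, 1 = reject, 2 = fail). The user table, the NAS-range rule and the script name are invented for illustration.

```python
#!/usr/bin/env python3
"""Hypothetical rlm_exec authentication helper (added example, not from the list post).

rlm_exec (wait = yes, input_pairs = request) exports the request attributes to
the child as environment variables, upper-cased with '-' turned into '_'
(User-Name -> USER_NAME, NAS-IP-Address -> NAS_IP_ADDRESS), and maps the
child's exit status to a module return code: 0 = ok, 1 = reject, 2 = fail.
The user table and the per-user NAS rule below are made up for illustration.
"""
import hmac
import os
import sys

EXIT_OK, EXIT_REJECT, EXIT_FAIL = 0, 1, 2

# Constructed sample data: user -> (clear-text password, permitted NAS IP prefixes).
# A real helper would look these up in whatever "external" system you have.
USERS = {
    "alice": ("correct horse", ("192.0.2.",)),
    "bob": ("battery staple", ("192.0.2.", "198.51.100.")),
}


def decide(env):
    """Return the rlm_exec exit code for one Access-Request.

    `env` is the mapping of exported attributes. Only PAP-style authentication
    (for WPA Enterprise that means an inner method such as EAP-TTLS/PAP)
    delivers User-Password in the clear; CHAP, MS-CHAP and EAP-MSCHAPv2 do
    not, which is why this kind of helper lives in the inner-tunnel server.
    """
    user = env.get("USER_NAME")
    password = env.get("USER_PASSWORD")
    nas_ip = env.get("NAS_IP_ADDRESS", "")

    if user is None or password is None:
        # No clear-text password to check: report 'fail' so the server logs
        # a misconfiguration instead of this helper silently accepting.
        return EXIT_FAIL

    record = USERS.get(user)
    if record is None:
        return EXIT_REJECT
    expected, prefixes = record

    # Constant-time comparison so response timing does not leak how many
    # leading bytes of the guess were right.
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return EXIT_REJECT

    # "Rules that I define": here, only accept this user from its NAS ranges.
    if not any(nas_ip.startswith(prefix) for prefix in prefixes):
        return EXIT_REJECT
    return EXIT_OK


if __name__ == "__main__":
    sys.exit(decide(os.environ))
```

To wire it in you would define an `exec` module instance with `wait = yes`, `program` pointing at the script and `input_pairs = request`, then in the inner-tunnel virtual server set `Auth-Type` to that instance in `authorize` and list the instance under that `Auth-Type` in `authenticate`. Note that rlm_exec forks one process per request, so for anything beyond a handful of authentications a second the in-process rlm_perl or rlm_python route linked above is the better fit.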