non-standard authentication

Alexander Clouter alex at digriz.org.uk
Thu Feb 24 11:06:23 CET 2011


Travis Dimmig <tdimmig at impulse.com> wrote:
>
> I mixed up some terms between freeRadius and JRadius (my first attempt 
> to accomplish this used rlm_jradius).  The term 'listener' is specific 
> to what I was trying to accomplish with JRadius.  I also neglected to 
> mention the important fact that I need to accomplish authentication 
> specifically for WPA2, but without using ntlm_auth etc.  I basically 
> want the ability to say "yes" or "no" to a WPA2 user based on rules 
> that I define, hence my looking at rlm_perl and rlm_jradius, both let 
> me write something of my own. 
> 
Please stop faffing around and 'planning' and just sit down and write 
some code! :)

If you run into a problem with your code, and cannot work out what is 
wrong from the examples below, then email the list (with the source 
code).

If you are not doing challenge authentication (complicated schemes such 
as OTP or CHAP for example) then writing an external helper 
authenticator is *very* easy.  You generally just read 'User-Password' 
and any other attributes you are interested in, then you return 'reject' 
or 'ok'.

You can use shell, perl, python....

https://github.com/alandekok/freeradius-server/blob/v2.1.x/scripts/exec-program-wait
https://github.com/alandekok/freeradius-server/blob/v2.1.x/src/modules/rlm_perl/example.pl
https://github.com/alandekok/freeradius-server/blob/v2.1.x/src/modules/rlm_python/radiusd_test.py

To be honest, you have given no hints about what this 'external auth' 
system is that you have to write your own code for, but the complete 
lack of detail is hinting to me you could just use the existing 
unlang/ldap/sql/etc framework already in FreeRADIUS?

> However, to use either of those with WPA2, I imagine I have to follow 
> the 4-way handshake properly, or the supplicant will bark?
>
'WPA' is a wireless system, not a RADIUS system.  FreeRADIUS does not 
see anything to do with 'WPA', with 'WPA Enterprise' it might play with 
some EAP packets (which typically is just the equivalent of 'openssl 
s_server ...') but this has nothing to do with 'WPA'.

If you are doing WPA Enterprise, then just put your module in the inner 
EAP layer as Alan has already suggested.

...please just write some code and stop with the hand waving :)

Cheers

-- 
Alexander Clouter
.sigmonster says: BOFH excuse #266:
                  All of the packets are empty.
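To put the 'read User-Password and any attributes you care about, then answer ok or reject' advice above into concrete form, here is an added example in the rlm_python style (it is not code from the post or from the FreeRADIUS project). It assumes rlm_python's 2.1.x calling convention (each hook gets a tuple of (attribute, value) string pairs and returns a radiusd.RLM_MODULE_* integer, optionally inside a tuple with reply and config pairs), that a cleartext User-Password reaches the module (i.e. it sits in a PAP-style inner layer as the post suggests), and the user/NAS table is constructed sample data; the `radiusd` stub only exists so the file runs outside the server.

```python
"""
Minimal rlm_python authenticator: reads User-Password plus the attributes it
cares about and answers 'ok' or 'reject' from rules defined right here.

Added example, not from the mailing-list post or the FreeRADIUS project.
Assumptions: rlm_python 2.1.x hook convention (tuple of (attr, value) pairs in,
radiusd.RLM_MODULE_* code out), and a cleartext User-Password in the request.
"""
import hmac

try:
    import radiusd  # real module, injected by FreeRADIUS when loaded via rlm_python
except ImportError:  # stand-alone run outside the server: minimal stand-in (assumed values)
    class radiusd:
        RLM_MODULE_REJECT = 0
        RLM_MODULE_FAIL = 1
        RLM_MODULE_OK = 2
        RLM_MODULE_NOOP = 7
        L_INFO = 3

        @staticmethod
        def radlog(level, msg):
            print(msg)

# Constructed sample rules: user -> (password, NAS-Identifier values this user may use).
# A real deployment would consult whatever backend you actually have.
USERS = {
    "alice": ("correct horse", {"ap-lobby", "ap-office"}),
    "bob":   ("s3cret", {"ap-office"}),
}


def pairs_to_dict(pairs):
    """Flatten rlm_python's ((attr, value), ...) tuple into a dict; first value wins."""
    out = {}
    for attr, value in pairs:
        out.setdefault(attr, value)
    return out


def decide(req):
    """Pure rule function returning 'ok' or 'reject' for a request dict.

    Kept free of the radiusd module so the rules can be unit-tested offline.
    """
    user = req.get("User-Name")
    password = req.get("User-Password")
    if not user or password is None:
        return "reject"  # nothing to check (e.g. CHAP/EAP-only request); reject here
    entry = USERS.get(user)
    if entry is None:
        return "reject"
    expected, allowed_nas = entry
    # Constant-time compare so timing does not leak how much of the password matched.
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return "reject"
    # Example of "any other attribute you are interested in": restrict by access point.
    if req.get("NAS-Identifier", "") not in allowed_nas:
        return "reject"
    return "ok"


def authorize(p):
    # Mark the request for our own authenticate() hook; config pairs are the third element.
    return (radiusd.RLM_MODULE_OK, (), (("Auth-Type", "python"),))


def authenticate(p):
    req = pairs_to_dict(p)
    verdict = decide(req)
    # Log the decision, never the password.
    radiusd.radlog(radiusd.L_INFO, "python auth: user=%s nas=%s -> %s"
                   % (req.get("User-Name"), req.get("NAS-Identifier"), verdict))
    return radiusd.RLM_MODULE_OK if verdict == "ok" else radiusd.RLM_MODULE_REJECT
```

Wire it up by pointing rlm_python's `mod_authorize`/`mod_authenticate` at this file's `authorize`/`authenticate` and listing `python` under `authorize` and `authenticate` in the relevant (inner) virtual server; everything that is site-specific lives in `decide()`, which is the only function you need to unit-test.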
