Auth-Type Perl instead of Auth-Type EAP?

Josh Richard jrichar4 at d.umn.edu
Sat Feb 26 14:14:56 CET 2011


On Sat, Feb 26, 2011 at 12:57 AM, Alan DeKok <aland at deployingradius.com> wrote:
> Josh Richard wrote:
>
>> The FR server currently is using rlm_perl to handle authentication and
>
>  Please, no.  Authentication includes things like EAP.  Doing EAP in
> Perl is not a good idea.

I was not going to use EAP in Perl, but use Perl to handle additional
logic to determine goodness or badness of a client MAC address in the
event of an issue. Also being able to dynamically set the user VLAN is
potentially useful.  Perl is only being used to handle the auth.  You
are correct, using RADIUS native proxying may be a better idea.
Thanks.


>> I wrote some Perl in the rlm_perl code that uses Perl's Authen::Radius
>> to proxy the lookup to a different production FR server containing the
>> set of all users.  Neat.
>
>  Uh... that is an incredibly bad idea.  FreeRADIUS already does
> proxying.  Why do it in Perl?  You're going to get it wrong.
>

Not wrong, just different.  Again, loud and clear.

>
>  Yes.  See raddb/sites-enabled/inner-tunnel
>
>> Do I need to overload anything in eap.conf?
>
>  No.
>

Thanks for the direction on the above.  Combining both answers to this
thread yields a TTLS/PAP solution which avoids challenge-response.

>  But in general, this is a terrible idea.  FreeRADIUS has proxying and
> DB plugins.  Redoing all of that in Perl is asking for un-needed complexity.

In general I agree it may be terrible, but there are aspects of this
approach which may yield a more flexible solution...

Again, thank you.

-josh
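
The split discussed in this message (FreeRADIUS keeps EAP and proxying, Perl only judges the client MAC address and picks a VLAN), as an added example that is not part of the original post and is not FreeRADIUS project code. The policy table, the default VLAN 99 and the choice to run it as the rlm_perl `authorize` function are assumptions.

```perl
# Added example: rlm_perl hook limited to MAC policy and VLAN assignment.
use strict;
use warnings;

# Hashes that rlm_perl shares with the script.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Return codes, as defined in the example.pl shipped with FreeRADIUS.
use constant {
    RLM_MODULE_REJECT  => 0,
    RLM_MODULE_NOOP    => 7,
    RLM_MODULE_UPDATED => 8,
};

# Constructed policy table: normalized MAC -> VLAN id, or 'deny'.
my %MAC_POLICY = (
    '001122334455' => 20,
    '0011223344aa' => 30,
    'deadbeef0001' => 'deny',
);
my $DEFAULT_VLAN = 99;    # assumed quarantine VLAN for unknown devices

# Reduce any common MAC notation to 12 lowercase hex digits.
sub normalize_mac {
    my ($raw) = @_;
    return unless defined $raw;
    (my $mac = lc $raw) =~ s/[^0-9a-f]//g;
    return length($mac) == 12 ? $mac : undef;
}

# Calling-Station-Id can be spoofed, so this is policy on top of the
# EAP authentication that FreeRADIUS performs, never a replacement for it.
sub authorize {
    my $mac = normalize_mac($RAD_REQUEST{'Calling-Station-Id'});
    # No usable MAC in the request: make no decision here.
    return RLM_MODULE_NOOP unless defined $mac;

    my $policy = exists $MAC_POLICY{$mac} ? $MAC_POLICY{$mac} : $DEFAULT_VLAN;
    return RLM_MODULE_REJECT if $policy eq 'deny';

    # RFC 3580 attributes a switch or AP uses for dynamic VLAN assignment.
    $RAD_REPLY{'Tunnel-Type'}             = 'VLAN';
    $RAD_REPLY{'Tunnel-Medium-Type'}      = 'IEEE-802';
    $RAD_REPLY{'Tunnel-Private-Group-Id'} = $policy;
    return RLM_MODULE_UPDATED;
}

1;
```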



