Sample code for external program w/ EAP?

McCann, Brian bmccann at andmore.com
Fri Jan 28 17:24:24 CET 2011 

I should also mention I'd be perfectly happy with using an "exec-program-wait" to authenticate the user since our volume is not that high, but I cannot find an example of how to do that either.

Thanks,
--Brian

From: freeradius-users-bounces+bmccann=andmore.com at lists.freeradius.org [mailto:freeradius-users-bounces+bmccann=andmore.com at lists.freeradius.org] On Behalf Of McCann, Brian
Sent: Friday, January 28, 2011 10:54 AM
To: freeradius-users at lists.freeradius.org
Subject: Sample code for external program w/ EAP?

Hi all.  I hate to be a pest...but I cannot find anything really on what I'm trying to do.

My setup is a wireless AP (running OpenWRT) using WPA2 - 802.1x authentication, to Freeradius.

I'm trying to use a Python program as an "external authenticator", so I can check various things with the username and password in my already existing authentication schemes.  I thought this would be easy...I was wrong.  Through some trial and error, I've determined that the Python app needs to return "Cleartext-Password" with "some value"...that value is unclear to me since I've returned anything and it takes it.

I've tried to mimic the setup at http://wiki.freeradius.org/Rlm_perl , but using Python instead of perl.

My question to everyone is this: Is there an example program, in Python or perl, that is complete and works somewhere?  Everything I've seen just says things like "your code here", and never specifies what the returns need to be formatted like and/or include for EAP.  I had been assuming that I just simply had to return a simple "OK" or "FAIL", but that's clearly not right.

I'm including some testing below for those who want to see more of what I'm doing.
Thanks,
--Brian

When I run radtest now, here's what I get (showing that there's an EAP error, but it does give an Access-Accept):

[root at xxxx: /usr/local/etc/raddb]#radtest -t eap-md5 user pass 127.0.0.1 0 testing123
Sending Access-Request packet to host 127.0.0.1 port 1812, id=49, length=0
        User-Name = "user"
        User-Password = "pass"
        NAS-IP-Address = 192.168.12.18
        NAS-Port = 0
        EAP-Code = Response
        EAP-Type-Identity = "user"
        Message-Authenticator = 0x00
        EAP-Message = 0x023000090175736572
rlm_eap: EAP-Message not found
Received Access-Accept packet from host 127.0.0.1 port 1812, id=49, length=20
Here's the function that's running in my python program:

def authorize(p):
  print "*** authorize ***"
  print
  radiusd.radlog(radiusd.L_INFO, '*** radlog call in authorize ***')
 print
  print p.
  sys.stdout.flush()

  return (radiusd.RLM_MODULE_OK,
          (('Cleartext-Password','pass'),),
          (('Auth-Type', 'python'),))

Here's the output from radius -X :

rad_recv: Access-Request packet from host 127.0.0.1 port 49493, id=49, length=85
        User-Name = "user"
        User-Password = "pass"
        NAS-IP-Address = 192.168.12.18
        NAS-Port = 0
        Message-Authenticator = 0x4b08938d78fe92d1f7a6d60152c9fbc0
        EAP-Message = 0x023000090175736572
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 48 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
*** authorize ***

*** radlog call in authorize ***

(('User-Name', '"user"'), ('User-Password', '"pass"'), ('NAS-IP-Address', '192.168.12.18'), ('NAS-Port', '0'), ('Message-Authenticator', '0x4b08938d78fe92d1f7a6d60152c9fbc0'), ('EAP-Message', '0x023000090175736572'), ('EAP-Type', 'Identity'))
rlm_python:authorize: 'Cleartext-Password' = 'pass'
rlm_python:authorize: 'Auth-Type' = 'python'
++[python] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
Found Auth-Type = Python
Warning:  Found 2 auth-types on request for user 'user'
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group Python {...}
*** authenticate ***

*** radlog call in authenticate ***

(('User-Name', '"user"'), ('User-Password', '"pass"'), ('NAS-IP-Address', '192.168.12.18'), ('NAS-Port', '0'), ('Message-Authenticator', '0x4b08938d78fe92d1f7a6d60152c9fbc0'), ('EAP-Message', '0x023000090175736572'), ('EAP-Type', 'Identity'))
++[python] returns ok
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 49 to 127.0.0.1 port 49493
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 49 with timestamp +5
Ready to process requests.

When I try to connect from my iPad, it just hangs...probably because it's waiting for that "EAP-Message" that radtest was complaining about.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20110128/84be55c3/attachment.html>

More information about the Freeradius-Users mailing list