Sample code for external program w/ EAP?

McCann, Brian bmccann at
Fri Jan 28 19:34:59 CET 2011

First, that was enlightening because I think you hit on my (possible) confusion of "authenticate" versus "authorize".  From my understanding, "authenticate" says 'user X' with 'password Y' is real.  It will fail if the username or password is wrong.  Authorize says 'user X' has permission to access 'resource Z'.  Authorize happens after authenticate, and doesn't care about passwords/proof of just knows you are 'user X'.

Now, here's my exact problem and explain "why" I need to authenticate (not authorize) in my external program (vs ntlm_auth, the users file, ldap, sql, etc).  I have an XMLRPC-like server that is accessed over https, and takes a hash of the username and a hash of the password, and will return output granting or denying the user.  Since freeradius doesn't know how to talk to the XMLRPC server, I need my external helper.


-----Original Message-----
From: at [ at] On Behalf Of Alan DeKok
Sent: Friday, January 28, 2011 11:44 AM
To: FreeRadius users mailing list
Subject: Re: Sample code for external program w/ EAP?

McCann, Brian wrote:
> Hi all.  I hate to be a pest…but I cannot find anything really on what
> I’m trying to do.

  You're trying to have another program authenticate the user.  This
means setting up that program as being responsible for the authentication.

> I’m trying to use a Python program as an “external authenticator”, so I
> can check various things with the username and password in my already
> existing authentication schemes.  I thought this would be easy…I was
> wrong.  Through some trial and error, I’ve determined that the Python
> app needs to return “Cleartext-Password” with “some value”…that value is
> unclear to me since I’ve returned anything and it takes it.

  No.  If it's returning a Cleartext-Password, then you are *not* using
the program as the authenticator.

> My question to everyone is this: Is there an example program, in Python
> or perl, that is complete and works somewhere?  Everything I’ve seen
> just says things like “your code here”, and never specifies what the
> returns need to be formatted like and/or include for EAP.  I had been
> assuming that I just simply had to return a simple “OK” or “FAIL”, but
> that’s clearly not right.

  It's right *if* you're running the Python module in the "authenticate"
section.  This usually means forcing Auth-Type, which is one of the few
times where doing that is useful.

  My $0.02, however, is to say that this is a bad idea.  You're nearly
always better off letting the authentication server do the authentication.

  Alan DeKok.
List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list