Sample code for external program w/ EAP?
Phil Mayers
p.mayers at imperial.ac.uk
Sat Jan 29 12:23:06 CET 2011
On 01/28/2011 06:34 PM, McCann, Brian wrote:
>
> Now, here's my exact problem and explain "why" I need to authenticate
> (not authorize) in my external program (vs ntlm_auth, the users file,
> ldap, sql, etc). I have an XMLRPC-like server that is accessed over
> https, and takes a hash of the username and a hash of the password,
> and will return output granting or denying the user. Since
> freeradius doesn't know how to talk to the XMLRPC server, I need my
> external helper.

Are you aware that this will severely limit your options with respect to
EAP and Windows clients?

Only EAP-TTLS/PAP gives you the username & password. Windows clients
only support EAP-TLS (no username/password) or EAP-PEAP/MS-CHAPv2 using
the built-in supplicant. You will never see a password from a Windows
client; just an mschap challenge/response pair. Unless your XMLRPC
handler can process those, you will not be able to authenticate Windows
clients without installing extra supplicant software.

Anyway, you probably want to do something like this in
/etc/raddb/sites-available/inner-tunnel:

authorize {
  ...
  pap
}

authenticate {
  Auth-Type PAP {
    python
  }
}

...then write the "authenticate" handler of your python module to return
the appropriate code.
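
A sketch of the "authenticate" handler described in the reply above, added here as an example; it is not code from the original post or from the FreeRADIUS project. The endpoint URL, the check_user method name and the choice of SHA-256 are assumptions, since the thread does not specify them, and the backend call is injectable so the handler can be exercised offline.

```python
import hashlib
import xmlrpc.client

try:
    import radiusd                  # provided by FreeRADIUS when loaded by rlm_python
except ImportError:                 # stand-in so the file also runs outside the server
    class radiusd:
        RLM_MODULE_REJECT, RLM_MODULE_FAIL, RLM_MODULE_OK = 0, 1, 2

BACKEND_URL = "https://auth.example.invalid/rpc"   # placeholder endpoint (assumption)


def digest(value):
    # SHA-256 is an assumption; the post does not say which hash the server expects.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def check_backend(user_hash, pass_hash):
    """Hypothetical remote call; 'check_user' is an assumed method name."""
    proxy = xmlrpc.client.ServerProxy(BACKEND_URL)
    return bool(proxy.check_user(user_hash, pass_hash))


def unquote(value):
    # Some rlm_python versions pass string attributes wrapped in double quotes.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def authenticate(p, backend=check_backend):
    """rlm_python entry point: p is a tuple of (attribute, value) pairs."""
    attrs = {name: unquote(value) for name, value in p}
    user = attrs.get("User-Name")
    password = attrs.get("User-Password")
    # No User-Password means the inner method was not PAP (for example
    # MS-CHAPv2 from the Windows supplicant), so there is nothing to hash.
    if not user or not password:
        return radiusd.RLM_MODULE_REJECT
    try:
        granted = backend(digest(user), digest(password))
    except Exception:
        # Backend unreachable or malformed reply: fail, never accept.
        return radiusd.RLM_MODULE_FAIL
    return radiusd.RLM_MODULE_OK if granted else radiusd.RLM_MODULE_REJECT
```
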