Newbie question about rlm_exec usage
Phil Mayers
p.mayers at imperial.ac.uk
Sat Nov 24 22:52:17 CET 2012

On 11/24/2012 08:40 PM, Hoggins! wrote:
> I don't know if I understand the process correctly: as far as I
> understand, an authentication request is handled successively by the
> listed modules in the authorize {} section, right?
>
> So, now that I figured that I have to use PAP as phase2, I can have the
> cleartext password. But I don't know how I can provide it to the PAP
> module: it complains that no "known good" password had been found for
> the user.
>
> What should my executed program return to say that the user is granted
> access?

It sounds like you're still a bit confused about what the *client*
sends, versus what the *server* knows.

In your original email, you said you were doing 802.1x against a wi-fi
point, using certificates and credentials.

However, you *didn't* specify what EAP methods your clients are using.

In RADIUS, the *client* chooses the authentication method, and the
authentication method defines:

1. What the client sends
2. What the server needs to know

What EAP method(s) are you using?

See this URL for more info:

http://deployingradius.com/documents/protocols/compatibility.html

And more specifically:

http://deployingradius.com/documents/protocols/oracles.html

If you are using an "exec" script, you are using an "oracle". It can
only authenticate a user based on what the *client* sends, and unless
you are using a PAP-based method on the client, the client doesn't send
a password.

What you want might be impossible.

Regards,
Phil
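
The oracle limitation described above, as an added example that is not part of the original post and is not FreeRADIUS code: a stand-alone check that can only use what the client sent. The user store, the `oracle` function and its return strings are hypothetical, and CHAP (RFC 1994) is used here as an assumed stand-in for any non-PAP method.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def make_record(password: str) -> dict:
    """Store only a salted PBKDF2 hash, never the cleartext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


# Constructed sample user store (hypothetical account and password).
USERS = {"alice": make_record("correct horse")}


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """What a CHAP client sends: ident byte + MD5(ident || password || challenge)."""
    digest = hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()
    return bytes([ident]) + digest


def oracle(attrs: dict) -> str:
    """Decide using only the attributes the client sent."""
    record = USERS.get(attrs.get("User-Name"))
    if record is None:
        return "reject"
    if "User-Password" in attrs:
        # PAP: the cleartext arrived, so it can be re-hashed and compared
        # in constant time against the stored hash.
        candidate = hashlib.pbkdf2_hmac(
            "sha256", attrs["User-Password"].encode(), record["salt"], ITERATIONS
        )
        return "accept" if hmac.compare_digest(candidate, record["hash"]) else "reject"
    # Challenge-response: no password was sent, and recomputing the expected
    # response would need the cleartext, which a hash-only store does not have.
    return "cannot-verify"
```
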