Enable Perl module in combination with EAP/SIM module
Shurbann Martes
shurbann at gmail.com
Fri Jan 3 22:34:53 CET 2014
You're right the authentication is not being proxied to the other server
but only the authorization.
The authentication in the script, right now is always sending OK, since
we're relying only on the authorization part to decide whether or not we
should grand Access. Is their a penalty that we're paying for this? Not
sure yet, will have to look into this:
# Function to handle authenticate
sub authenticate {
# For debugging purposes only
&log_request_attributes;
return RLM_MODULE_OK;
}
I will look into the new rest module mentioned by Arran. Thank you for the
information.
Regards,
Shurbann Martes
On Fri, Jan 3, 2014 at 5:03 PM, Alan DeKok <aland at deployingradius.com>wrote:
> Shurbann Martes wrote:
> > What' we're trying to accomplish here is to map (this was the typo
> > ammped in the earlier message) every RADIUS call to an HTTP call on
> > another system. We did not find any correct solution for this other that
> > using the Perl module.
>
> If you use v3, the rest module should work. See Arran's post.
>
> > That's the reason we start using Perl module. So
> > for example a Access-Request will call a URL using HTTP GET on the other
> > system, with HTTP parameters containing the necessary info, i.e. user,
> > Called-Station-Id etc. Based on the response i.e. HTTP status response
> > 403, 401 or 202 received from this system, we will send a Access-Accept
> > or Access-Reject back to the NAS. This is working OK, right now using
> > the Auth-Type = Perl.
>
> This is not the recommended approach. FreeRADIUS is an authentication
> server. You should have it do authentication. Other systems used by
> FreeRADIUS are databases. Any other design is almost always wrong.
>
> You can use the Perl module in the "authorize" section. Have it
> create an attribute 'allowed = yes / no". See raddb/dictionary for
> examples of creating a new attribute to hold this value.
>
> Then, use FreeRADIUS to decide whether or not the user is authenticated.
>
> > However with the introduction of the EAP-SIM module as part of the
> > protocol we're going to use, I was wondering if I can have FreeRADIUS
> > configured better, by trying not to use the Auth-Type. So I'm trying to
> > find out what the correct way of doing this is.
>
> Make authorization decisions as above. What you're describing above
> is whether or not the user is *authorized* to use the service. Since
> you didn't check passwords, you have no idea whether or not he's been
> *authenticated*.
>
> Many authentication protocols require complex back and forth work.
> Don't re-do all of that in Perl. Instead, let FreeRADIUS do
> authentication. Your script should do authorization.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140103/319e829b/attachment-0001.html>
More information about the Freeradius-Users
mailing list