Freeradius-Users Digest, Vol 164, Issue 38

Imdad Hasan imdadalikadiwala0 at gmail.com
Wed Dec 19 12:46:58 CET 2018


Thank you Herwin,

In this Documentation of FreeRadius Passwords, the CHAP and MS-CHAP support
the Cleartext-Password, so can I get the Cleartext-Password in my PHP
authentication script?

On Wed, Dec 19, 2018 at 4:30 PM <
freeradius-users-request at lists.freeradius.org> wrote:

> Today's Topics:
>
>    1. Re: RESTful API (Alan DeKok)
>    2. Re: RESTful API (Daniel Kong)
>    3. Capacity calculation (Raghu nathan)
>    4. Re: Capacity calculation (Nathan Ward)
>    5. plain-text password not get with CHAP (Imdad Hasan)
>    6. Re: plain-text password not get with CHAP (Herwin Weststrate)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 18 Dec 2018 06:56:05 -0500
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: RESTful API
> Message-ID: <B1E0A9A8-99D0-413E-96DB-A766824CF2E9 at deployingradius.com>
> Content-Type: text/plain;       charset=us-ascii
>
>
> > On Dec 17, 2018, at 11:15 PM, Daniel Kong <daniel.kongyh at gmail.com> wrote:
> >
> > I know you guys are very busy helping the rest but I hope you can help me
> > with this. I would like freeradius to authenticate with 3rd party
> > application via REST API. I do have the configuration like below.
> >
> > connect_uri = "http://10.18.6.22:8081/apps/"
> > authenticate {
> > uri = "${..connect_uri}/user/%{User-Name}/%{User-Password}"
> > method = "get"
> > }
>
>   OK...
>
> > Problem is that I do not know what to be included in the request and
> > response for every authenticate, authorize, post-auth, and accounting. For
> > the response, I just include the HTTP status is sufficient for
> > authentication? How about the response for authorize, post-auth, and
> > accounting?
>
>   You don't need to include anything in the response.  The documentation
> describes how the module works and what it does.
>
>   FreeRADIUS treats the REST API as just another database.  There's no
> "requirement" to put anything into SQL, so there's no requirement to put
> anything in REST.
>
> > If the freeRadius is configured to use RESTful API, does other post-auth,
> > authorize, and accounting can be use with mysql so that only authentication
> > is using rest?
>
>   Yes.  You just list "rest" in the authenticate section, and "sql"
> elsewhere.
>
>   Alan DeKok.
>
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 19 Dec 2018 12:01:30 +0800
> From: Daniel Kong <daniel.kongyh at gmail.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: RESTful API
> Message-ID: <CALvNz2haTvGQvUadZHMaWVh3gRmAKK44+FTUeeFp30sczSJ4PQ at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Thanks for the feedback, Alan. I have more questions to ask regarding the
> REST authentication. How does the freeRadius know that when to let the user
> to gain access to the resources after invoke REST authentication? Does it
> rely on the REST response http status? Eg. if the 3rd party application
> returns a http status 200 means that the user is authenticated and able to
> use the resource. However if the REST response returns a http status 401
> means that he/she is unauthorized. Does the freeRadius interpret it this
> way?
>
> In order to use REST authentication only while the others like post-auth,
> authorize, and accounting using the sql, I only need to configure the REST
> for authentication. So my configuration would look like this? I just
> comment off post-auth, authorize, and accounting. Correct me if I am wrong.
>
> rest {
>     tls {
>         ...
>     }
>
>     authentication {
>     }
>
>     #authorize {
>     #}
>
>     #post-auth {
>     #}
>
>     #accounting {
>     #}
>
>     pool {
>         ...
>     }
> }
>
> So after authenticate is successful, freeRadius will do insertion of record
> to radpostauth and radacct table by itself?
>
> Our current usage of freeRadius is with mySQL. So we will insert record to
> radcheck and radreply table while the rest of the table will be handled by
> freeRadius. Now if we are using the REST for authentication, do we still
> need to insert record to radcheck and radreply? Do we still rely on the
> 'Auth-Type' in the radcheck table?
>
> Daniel.
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 19 Dec 2018 14:55:14 +0530
> From: Raghu nathan <raghu.vdm at gmail.com>
> To: freeradius-users at lists.freeradius.org
> Subject: Capacity calculation
> Message-ID:
>         <CAJea6dOy+hHtsOAMpadwatq=
> LrmCLPm4yF7sF55BmhT7ZFKgYA at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hello Team,
>
> I want to understand how much TPS freeRADIUS will support for below
> configuration along with postgresql DB
>
> Consider postgresql is hosted separately without any capacity limitation.
>
> Option1 : 1GB RAM, 1core CPU
> Option2 : 2GB RAM, 1core CPU
> Option3 : 4GB RAM, 2core CPU
> Option4 : 8GB RAM, 2core CPU
>
> Regards,
> Raghu
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 19 Dec 2018 23:19:00 +1300
> From: Nathan Ward <lists+freeradius at daork.net>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Capacity calculation
> Message-ID: <7C4335D6-CC72-4143-BD10-757C87DE09BF at daork.net>
> Content-Type: text/plain;       charset=utf-8
>
>
> > On 19/12/2018, at 10:25 PM, Raghu nathan <raghu.vdm at gmail.com> wrote:
> >
> > Hello Team,
> >
> > I want to understand how much TPS freeRADIUS will support for below
> > configuration along with postgresql DB
> >
> > Consider postgresql is hosted separately without any capacity limitation.
> >
> > Option1 : 1GB RAM, 1core CPU
> > Option2 : 2GB RAM, 1core CPU
> > Option3 : 4GB RAM, 2core CPU
> > Option4 : 8GB RAM, 2core CPU
>
>
> That depends on:
>
> 1) Your configuration
> 2) Your vm contention (sounds like VMs)
> 3) Your IO, potentially
> 4) Your database speed - database is by *far* the slowest part of this
> 5) Packet types - auth? Accounting?
> 6) What is a “core”?
> 7) How fast is the RAM?
>
> And many, many, many more factors.
>
> To be clear - please do not answer the above questions - they are
> presented as a non-exhaustive list of factors.
>
> You cannot get a reasonable answer on a question like this without testing
> it in your environment with your configuration etc.
> This is why you’ll rarely find “benchmarks” or similar.
>
> There are a myriad of ways to scale FreeRADIUS in almost any direction,
> depending on your workload. If you’ve been tasked with finding out if
> FreeRADIUS can handle your load the answer is almost certainly yes - but
> you may need to do some work to get it to, just as you would with any
> solution.
>
> --
> Nathan Ward
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Wed, 19 Dec 2018 16:21:55 +0530
> From: Imdad Hasan <imdadalikadiwala0 at gmail.com>
> To: freeradius-users at lists.freeradius.org
> Subject: plain-text password not get with CHAP
> Message-ID:
>         <CAPidyMX9D3EQb=
> ixjvo6u-iJCm7Q1v_N9sTBCZKOex5VAeNRAA at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Respected All,
>
> I am using Default *Auth-Type = Accept* and *php external script* for custom
> authentication. That is working fine with only pap in PPPoE, but not
> working with CHAP, MS-CHAPv2 etc.
>
> I found one reason was the external script does not get the plain-text
> password. Usually I get password in external php script with
> *trim(getenv('USER_PASSWORD'),'"');* this env variable.
>
> So, any way to get plain-text password in external script when chap is on
> in mikrotik?
>
> Warm regards
> Imdadali Kadiwala
>
>
> ------------------------------
>
> Message: 6
> Date: Wed, 19 Dec 2018 11:57:27 +0100
> From: Herwin Weststrate <herwin at quarantainenet.nl>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: plain-text password not get with CHAP
> Message-ID: <c5afe74d-8169-813f-f90c-a3d3b0b2ccb4 at quarantainenet.nl>
> Content-Type: text/plain; charset=utf-8
>
> On 19-12-18 11:51, Imdad Hasan wrote:
> > Respected All,
> >
> > I am using Default *Auth-Type = Accept* and *php external script* for custom
> > authentication. That is working fine with only pap in PPPoE, but not
> > working with CHAP, MS-CHAPv2 etc.
> >
> > I found one reason was the external script does not get the plain-text
> > password. Usually I get password in external php script with
> > *trim(getenv('USER_PASSWORD'),'"');* this env variable.
> >
> > So, any way to get plain-text password in external script when chap is on
> > in mikrotik?
>
> No, simply because CHAP and MSCHAP don't send the plaintext password,
> but hashes of the password.
>
> If you have access to the plaintext password in PHP, you could add this
> to the config list and let the chap/mschap modules take care of it (but
> then it would be unlikely you really needed PHP in the first place),
> otherwise you're out of luck.
>
> See http://deployingradius.com/documents/protocols/compatibility.html
> for a list of possible password hashing compatibilities.
>
> --
> Herwin Weststrate
>
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 164, Issue 38
> *************************************************
>
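
The point in Herwin's reply, as an added example that is not part of the thread and is not FreeRADIUS code: the CHAP-Password attribute (RFC 2865) carries an identifier byte plus MD5(identifier || password || challenge) as defined in RFC 1994, so a server can only check it by recomputing the hash from a cleartext password it already holds. The password, challenges and function names below are constructed for illustration.

```python
import hashlib
import hmac

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def nas_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password attribute value as the NAS sends it (RFC 2865):
    one identifier byte followed by the 16-byte response."""
    return bytes([ident]) + chap_response(ident, password, challenge)

def server_verify(chap_password: bytes, challenge: bytes, cleartext: bytes) -> bool:
    """Server side: recompute the response from the stored cleartext password.
    There is no other way to check it; the attribute cannot be reversed."""
    if len(chap_password) != 17:
        return False
    ident, received = chap_password[0], chap_password[1:]
    expected = chap_response(ident, cleartext, challenge)
    return hmac.compare_digest(received, expected)

def demo() -> dict:
    # Constructed sample values, not taken from the thread.
    password = b"s3cret-pass"
    challenge_a = bytes(range(16))
    challenge_b = bytes(range(16, 32))
    attr_a = nas_chap_password(1, password, challenge_a)
    attr_b = nas_chap_password(2, password, challenge_b)
    return {
        # What an external script would see: 17 opaque bytes, no password inside.
        "password_in_attribute": password in attr_a,
        # Same password, new challenge: a different value every login.
        "same_value_across_logins": attr_a[1:] == attr_b[1:],
        # Verification works only when the server already knows the cleartext.
        "accept_with_cleartext": server_verify(attr_a, challenge_a, password),
        "reject_wrong_password": server_verify(attr_a, challenge_a, b"guess"),
        # A replayed response fails against a fresh challenge.
        "replay_accepted": server_verify(attr_a, challenge_b, password),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
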

