help perl and pap authentication

Alan DeKok aland at deployingradius.com
Tue Sep 4 14:46:00 CEST 2018


On Sep 4, 2018, at 8:32 AM, lesterpl at infomed.sld.cu wrote:
> 
> Hi, I have problems with FreeRADIUS. I am authenticating with a Perl script and it works only when I do a radtest, like in the following case:
> 
> Ready to process requests
> (0) Received Access-Request Id 188 from 192.168.0.3:40871 to 192.168.0.9:1812 length 109
> (0)   User-Name = "lesterpl at infomed.sld.cu"
> (0)   User-Password = "supermelinda.com2010"

  Which has a password.
> 
> (0)         Auth-Type := perl

  We don't recommend doing authentication in a custom module.  The module should instead supply a Cleartext-Password, and then let FreeRADIUS do the authentication.

> BUT WHEN I SEND IT FROM MY AP, FREERADIUS ASSUMES IT IS IN THE PAP GROUP AND DOES NOT AUTHENTICATE

  No, when you authenticate via the AP, the end user system sends EAP.  Which doesn't include a User-Password.

> Received Access-Request Id 4 from 192.168.0.80:1061 to 192.168.0.9:1812 length 322
> (4)   Message-Authenticator = 0x7350cca44f5ea831e5dff8bf3ea5be8b
> (4)   Service-Type = Framed-User
> (4)   User-Name = "aymeema"
> (4)   Framed-MTU = 1488
> (4)   State = 0xee0bf512ed0fecd6e57224eb55af15dd
> (4)   Called-Station-Id = "00-23-CD-DC-C5-54:FTS"
> (4)   Calling-Station-Id = "48-59-29-D4-FC-33"
> (4)   NAS-Port-Type = Wireless-802.11
> (4)   Connect-Info = "CONNECT 54Mbps 802.11g"
> (4)   EAP-Message = 0x020400901980000000861603010046100000424104631fdc9346cd60c44035b7efb9e8f1f0c997f33787eff9189e4b6eeee27cc542d466b86da33c4f378c5ce26aa52d5d311a5790c308e422e121b9093286c1c303140301000101160301003085b82bf9e3a0949af7d6af10fc9938d21707e2778c3cde

  See?  EAP.  And no User-Password.

> Any suggestions?

  Have your module supply a Cleartext-Password in the "authorize" phase.  Don't set "Auth-Type := perl".

  FreeRADIUS will authenticate the user.

  If the module *can't* supply a Cleartext-Password, then PEAP will never work.

  The only other option is to get the end user machine to do EAP-TTLS, with PAP inside of the inner-tunnel.  Then, configure the "inner-tunnel" virtual server to use your module to check the password.

  You're limited by how the authentication protocols work.  No amount of research or poking at the code will result in any other answer.

  Alan DeKok.
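
An added example, not part of the original message and not FreeRADIUS's own code: a sketch of an rlm_perl script that follows the advice above by supplying Cleartext-Password in "authorize" and leaving Auth-Type alone. It assumes FreeRADIUS 3.x with the module listed as `perl` in the authorize section; the `%USERS` table and `lookup_cleartext()` are hypothetical stand-ins for the real user store.

```perl
# rlm_perl script sketch (added example, not from the original thread).
use strict;
use warnings;

# Hashes that rlm_perl shares with the script: the request attributes
# and the control ("check") attributes.
our (%RAD_REQUEST, %RAD_CHECK);

# Module return codes, numbered as in the example.pl shipped with rlm_perl.
use constant {
    RLM_MODULE_NOTFOUND => 6,
    RLM_MODULE_NOOP     => 7,
    RLM_MODULE_UPDATED  => 8,
};

# Constructed sample data standing in for the real user store.
my %USERS = (
    'alice' => 'constructed-example-password',
);

# Hypothetical helper: return the stored cleartext password, or undef.
sub lookup_cleartext {
    my ($user) = @_;
    return $USERS{$user};
}

sub authorize {
    my $user = $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_NOOP unless defined $user && length $user;

    my $password = lookup_cleartext($user);
    return RLM_MODULE_NOTFOUND unless defined $password;

    # Hand the known-good password to the server and stop there.
    # No comparison against User-Password is made here, because an EAP
    # request does not carry one, and Auth-Type is deliberately not set:
    # the server's own pap and eap modules do the authentication.
    $RAD_CHECK{'Cleartext-Password'} = $password;
    return RLM_MODULE_UPDATED;
}

1;
```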



