Help with external authentication using PHP

Ekene Ezeasor ezeasorekene at gmail.com
Fri Apr 5 18:03:04 CEST 2019


Thank you Alan for your reply.

Changing the passwords to clear-text is not an option of course and we do
Wi-Fi. Assuming we want to start using the SQL authorization with sha512
(with hash). How do I implement the SQL query to check for sha512 password
using the correct hash?

Thanks


On Fri, Apr 5, 2019 at 4:29 PM Alan DeKok <aland at deployingradius.com> wrote:

> On Apr 5, 2019, at 11:22 AM, Ekene Ezeasor <ezeasorekene at gmail.com> wrote:
> > Please our users' passwords are encrypted using crypt() (blowfish) function
> > in PHP. Now I want to use password_verify() to check the submitted password
> > and I intend doing that in PHP. I have updated my authorize section to use
> > the external PHP script like this:
> >
> > update control {
> >      Auth-type := "/usr/bin/php -f /etc/freeradius/3.0/php/checkpassword.php %{User-Name} %{User-Password}"
> >      &Proxy-To-Realm := LOCAL
> >    }
> >
> > But only the username is sent to the external PHP file. The password is
> > empty.
>
>   If you're using WiFi, the User-Password won't exist.  See the debug
> output for more information.
>
> > We are already running a large database and it may not be easy to change to
> > another encryption method. Therefore this is very important and we really
> > need to implement it.
>
>   See:
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
>   The clients will need to do TTLS with inner-tunnel PAP.  Everything else
> won't work.
>
>   Your choices are:
>
> * use TTLS with inner PAP
> * don't do WiFi
> * change all the passwords in the database to clear-text
>
>   Pick one.
>
>   Alan DeKok
>
>
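The following is an added example, not part of the original thread and not FreeRADIUS code. It shows why a hashed password store only works when the server receives the clear-text password (PAP, for example inside a TTLS tunnel). The salted SHA-512 layout, the function names and the sample values are assumptions made for the illustration, and CHAP (RFC 1994) is used as one instance of a challenge-response method.

```python
import hashlib
import hmac


def make_salted_sha512(password: bytes, salt: bytes) -> bytes:
    """Stored form (assumed layout): SHA-512(password || salt) || salt."""
    return hashlib.sha512(password + salt).digest() + salt


def verify_pap(stored: bytes, cleartext: bytes) -> bool:
    """PAP: the server sees the clear-text password, so it can re-hash it
    with the stored salt and compare against the stored digest."""
    digest, salt = stored[:64], stored[64:]
    candidate = hashlib.sha512(cleartext + salt).digest()
    return hmac.compare_digest(candidate, digest)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(server_secret: bytes, ident: int, challenge: bytes,
                response: bytes) -> bool:
    """CHAP: the server must recompute the response from the secret it holds.
    This only matches if that secret is the clear-text password."""
    expected = chap_response(ident, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"correct horse"                            # constructed sample
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    stored = make_salted_sha512(password, salt)   # what the database holds
    challenge = bytes(range(16))                  # constructed CHAP challenge
    response = chap_response(7, password, challenge)  # what the client sends
    return {
        "pap_correct": verify_pap(stored, password),
        "pap_wrong": verify_pap(stored, b"wrong"),
        # Works only if the database held the clear-text password:
        "chap_with_cleartext": verify_chap(password, 7, challenge, response),
        # All the server really has is the digest, which cannot reproduce it:
        "chap_with_stored_hash": verify_chap(stored[:64], 7, challenge, response),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```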

