Freeradius External Script Auth.
aland at deployingradius.com
Thu Feb 6 20:15:33 CET 2020
On Feb 6, 2020, at 12:35 PM, Vertigo Vertigo <vertigo.altair at gmail.com> wrote:
> I want to authorize users that connect to AP with my external script.
> Because I have multiple data source ( multiple Active Directory, another
> API etc.) and I want to make authorization by using these data sources as I
FreeRADIUS can do some pretty complex things with unlang. I'd really recommend using that.
> That's why I'm using an external script to authorization. I updated
> /etc/raddb/sites-enabled/default's authorize section;
That's good. But...
> When I run "radtest" with PAP method, everything is OK, I have "User-Name"
> and "User-Password" attributes, I'm able to authorize users etc. However,
> when I make tests with an AP with 802.1x EAP method, , there is no
> cleartext password (User-Password) and I cannot make authorization.
> question is how can I make authorization without "User-Password" attribute.
> As I said, I have cleartext passwords in my data sources, so I can hash
> them and compare with other hash that a client sent. How can I perform this
> operation with EAP, CHAP, MSCHAP etc. methods?
You will need to re-implement all of EAP, CHAP, and MS-CHAP in your data source.
Or, treat the data source as a *database*. And have it supply the clear text password to FreeRADIUS. It will then do all of the necessary calculations.
In short: FreeRADIUS is an authentication server, not a database. And a database isn't an authentication server. They do very different things.
More information about the Freeradius-Users