Hi,
I'm a little stumped, but it's entirely possible the answer is staring me in the face.
I have a radius proxy server which has a bunch of realms configured.
I would like to be able to sit a program in the authentication/authorisation
chain somewhere which lets me auth a user via some alternate means (for example,
match on some attribute and then set the Framed-IP-Address manually.)
At the moment, I've configured something like this:

users:
    user    Auth-Type := Local, User-Password == "user"
            Exec-Program-Wait = "/local/freeradius/sbin/auth.pl"

radiusd.conf:
    authorize {
        preprocess
        files
        suffix
    }

Now, that works if I dial up as that user. But, if I instead try this:

    DEFAULT Auth-Type := System
            Exec-Program-Wait = "/local/freeradius/sbin/check-dialed.pl",
.. right at the beginning the script is called, I match on the attribute(s), output a reply
to STDOUT - but the auth is then passed on (in an example, to a realm server)
where any av's supplied by the realm server overwrite what I've returned from the
program.
If a user is supplied that isn't authenticated anywhere, the whole thing fails.
So, I have a couple of questions:
* firstly, is there a way for Exec-Program-Wait to be run as part of a DEFAULT clause
where it is able to authenticate a user?
* secondly, is there a way for Exec-Program-Wait to be run as part of a DEFAULT clause
where anything I return from it terminates the authorization lookups (I thought Fall-Through
was meant to do this if I specified it..)
* thirdly, does anyone have any other bright ideas on how I'd implement this without having
to write a module or two? :)
Thanks,
Adrian
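
The kind of script the message above describes running through Exec-Program-Wait (match on a request attribute, print a Framed-IP-Address reply to STDOUT), as an added example that is not part of the original post or of FreeRADIUS. Assumptions: radiusd exports request attributes as environment variables (Calling-Station-Id as CALLING_STATION_ID), parses the script's output as reply pairs and treats a non-zero exit status as a reject; the function names and the number-to-address table are constructed for illustration.

```shell
#!/bin/sh
# Added example: stand-in for a script run via Exec-Program-Wait.
# Assumption: request attributes arrive as environment variables
# (Calling-Station-Id -> CALLING_STATION_ID), stdout is parsed as
# reply pairs, and a non-zero exit status rejects the request.

# Constructed sample table: calling number -> fixed address.
lookup_ip() {
    case "$1" in
        5551001) echo 192.0.2.10 ;;
        5551002) echo 192.0.2.11 ;;
        *) return 1 ;;
    esac
}

# Print the reply pair for the caller; return 0 to accept, 1 to reject.
preauth() {
    csid=${CALLING_STATION_ID:-}
    # The value may arrive wrapped in double quotes; strip one pair.
    csid=${csid#\"}
    csid=${csid%\"}
    # The value is supplied by the NAS/caller, so treat it as untrusted:
    # accept only a non-empty run of digits of bounded length.
    case "$csid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#csid}" -le 15 ] || return 1
    # Unknown callers are rejected rather than given a default address.
    ip=$(lookup_ip "$csid") || return 1
    printf 'Framed-IP-Address = %s\n' "$ip"
}

# Run the check only when installed under the script's own name.
case "$0" in
    *check-dialed*) preauth; exit $? ;;
esac
```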
