Alan:

Thanks for the rapid response. I will now investigate extending the mod_auth_radius.c using my own resources. I have some follow-up commentary and three questions.

Alan DeKok wrote:

"Mark Lavi" <[EMAIL PROTECTED]> wrote:


I would like to utilize the attributes on an access-accept packet. Does mod_auth_radius pass through attributes back to the Apache server, and if so, is it available via a server environment variable?


No. The Apache module looks for Accept/Reject only, and ignores any
attributes sent back to it.


I've looked but can't find the attributes that are passed back to mod_auth_radius from the RADIUS server. ... Can attributes be retrieved?


 You can modify the source to the module to look for the RADIUS
attributes, and do something with them.  But since few RADIUS
attributes are meant for web servers, there's little you can do with
them, which is why the module ignored RADIUS attributes in the first place.

-- Commentary on this issue:
Agreed, few attributes are specifically for web servers. However, a number of attributes are user or group specific and they would be of use for further authorization or personalization of a web page. For instance: user-name, class, connect-info, and vendor-specific attributes all might be information from the RADIUS server that could be further utilized by an application without relying on another data source.


For the web application I am helping to design, RADIUS is the only authentication allowed in the environment I must work in. I hope it is now noted that the additional access-accept attributes could be useful in a web server environment.

-- Related commentary:
First Question: could the web page at URL: http://www.freeradius.org/mod_auth_radius/ be updated to reflect the current released version of 1.5.6 - that is what I downloaded with the link for http://www.freeradius.org/mod_auth_radius/! The "Updates" section currently lists 1.5.5 and the page hasn't been updated since September.


Note: the link on this page for the mod_auth_radius.c C source file in the "Files included with the module" section is broken. It needs to be corrected to omit the trailing .html or to rename the existing ./mod_auth_radius.c file to something else to make it palatable for a browser like ./mod_auth_radius.c.txt.

For the general benefit of the freeradius community, I stumbled upon another deviation on mod_auth_radius.c for Apache at URL: https://www.gnarst.net/authradius/ which is listed in the Apache Modules directory; it is in release for Apache 1.3.x and in pre-release mode for Apache 2.x.

Second Question: could the web page add a link to this deviation in the "Related Pages" section?

-- Final commentary:
This deviation module seems to allow group-id attributes to be passed back, probably requiring an extension to the RADIUS dictionary, I think. I'm about to experiment with this today.


So my final note is that it looks like there is a demonstrated need for additional attributes in the web server environment. It would be ideal to unify the deviations, but in the meantime I will look into finding my own resource to work or update mod_auth_radius.c.

Final Question: if anyone on this mailing list is interested in making a bid to perform this work (extend mod_auth_radius.c to export additional attributes to the web server environment as a server environment variable in Apache 1.3.x), I would be happy to review the offer while I am considering internal resources.

Thank you for your time. I hope I have contributed positively to the good work at freeradius.org!

--Mark


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
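
The thread above discusses reading attributes such as User-Name and Class out of an Access-Accept so a web server could export them. The following is an added example, not code from mod_auth_radius or from either poster: a bounds-checked walk over the RFC 2865 attribute list. The function name `radius_get_attr` and the sample packet are hypothetical, and the code assumes the caller has already verified the response authenticator.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RADIUS_HDR_LEN       20  /* code, id, length(2), authenticator(16) */
#define RADIUS_ACCESS_ACCEPT 2
#define ATTR_USER_NAME       1
#define ATTR_CLASS           25

/* Copy the first attribute of `type` from an Access-Accept into `out` as a
 * NUL-terminated string. Returns the value length, or -1 if the packet is
 * malformed, the attribute is absent, or the value is unsafe to export. */
int radius_get_attr(const uint8_t *pkt, size_t pktlen, uint8_t type,
                    char *out, size_t outlen)
{
    if (pktlen < RADIUS_HDR_LEN || pkt[0] != RADIUS_ACCESS_ACCEPT)
        return -1;
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    if (declared < RADIUS_HDR_LEN || declared > pktlen)
        return -1;                    /* length field exceeds bytes received */
    size_t pos = RADIUS_HDR_LEN;
    while (pos + 2 <= declared) {
        uint8_t atype = pkt[pos];
        uint8_t alen = pkt[pos + 1];  /* length includes the 2-byte header */
        if (alen < 2 || pos + alen > declared)
            return -1;                /* undersized or truncated attribute */
        if (atype == type) {
            size_t vlen = (size_t)alen - 2;
            if (vlen + 1 > outlen)
                return -1;            /* caller's buffer is too small */
            for (size_t i = 0; i < vlen; i++) {
                uint8_t c = pkt[pos + 2 + i];
                if (c < 0x20 || c > 0x7e)
                    return -1;        /* refuse control bytes in env values */
                out[i] = (char)c;
            }
            out[vlen] = '\0';
            return (int)vlen;
        }
        pos += alen;
    }
    return -1;                        /* attribute not present */
}

/* Constructed sample: Access-Accept, id 1, length 34, zeroed authenticator,
 * User-Name "alice", Class "staff". */
static const uint8_t sample_accept[] = {
    2, 1, 0x00, 0x22, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    1, 7, 'a','l','i','c','e', 25, 7, 's','t','a','f','f' };
```

Class is defined as opaque octets, so a server that sends binary Class values would need them hex-encoded rather than rejected before export.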
