Well, then I guess, the problem is to replace User-Password, NT-Password and LM-Password in request->config_items pairlist (using some external module) at the authorization stage so that chained rlm_pap/rlm_chap/rlm_mschap modules could check against them during authentication stage, like this:
modules { ... exec_new ext_script { # an abstract exec-like module that fetches passwords and installs them into request->config_items wait = yes program = "/usr/local/sbin/AuthRadius %Z" } ... } authorize { ... ext_script ... } authenticate { Auth-Type EXEC { group { pap { fail = 1 invalid = 2 reject = 3 noop = 4 ok = return updated = return userlock = return handled = return } chap { fail = 1 invalid = 2 reject = 3 noop = 4 ok = return updated = return userlock = return handled = return } mschap { fail = 1 invalid = 2 reject = 3 noop = 4 ok = return updated = return userlock = return handled = return } } } Is it ever possible (even with rlm_exec modification)? В сообщении от 27 Февраль 2004 21:19 Alan DeKok написал(a): > Anton Voronin <[EMAIL PROTECTED]> wrote: > > Is it possible to somehow make rlm_pap, rlm_chap or rlm_mschap to > > authenticate against a password (or NT/LM hash) taken from an external > > source (for example, using rlm_exec or rlm_perl)? > > MS-CHAP does this already. If you would have tried it, you would > see that it works. > > It's impossible to do for CHAP. > > The PAP module could do it I guess, but it would require code > changes. -- Anton Voronin Intersvyaz JSC http://www.chelcom.ru +7 (3512) 655199 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html