Well, then I guess, the problem is to replace User-Password, NT-Password and
LM-Password in request->config_items pairlist (using some external module) at
the authorization stage so that chained rlm_pap/rlm_chap/rlm_mschap modules
could check against them during authentication stage, like this:
modules {
...
exec_new ext_script { # an abstract exec-like module that fetches passwords
and installs them into request->config_items
wait = yes
program = "/usr/local/sbin/AuthRadius %Z"
}
...
}
authorize {
...
ext_script
...
}
authenticate {
Auth-Type EXEC {
group {
pap {
fail = 1
invalid = 2
reject = 3
noop = 4
ok = return
updated = return
userlock = return
handled = return
}
chap {
fail = 1
invalid = 2
reject = 3
noop = 4
ok = return
updated = return
userlock = return
handled = return
}
mschap {
fail = 1
invalid = 2
reject = 3
noop = 4
ok = return
updated = return
userlock = return
handled = return
}
}
}
Is it ever possible (even with rlm_exec modification)?
В сообщении от 27 Февраль 2004 21:19 Alan DeKok написал(a):
> Anton Voronin <[EMAIL PROTECTED]> wrote:
> > Is it possible to somehow make rlm_pap, rlm_chap or rlm_mschap to
> > authenticate against a password (or NT/LM hash) taken from an external
> > source (for example, using rlm_exec or rlm_perl)?
>
> MS-CHAP does this already. If you would have tried it, you would
> see that it works.
>
> It's impossible to do for CHAP.
>
> The PAP module could do it I guess, but it would require code
> changes.
--
Anton Voronin
Intersvyaz JSC
http://www.chelcom.ru
+7 (3512) 655199
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
