I'm running FreeRADIUS 1.1 on two different ports, allowing slightly different auth methods on each port. On one of the ports, I would like to verify that the password sent contains a slash ("/") before attempting to authenticate the user. Why, you might ask? Well, because on that port I'm actually just proxying the authentication requests.

So, my users file entries look like:

# Cisco NAS doing SSL authentication
bob             Huntgroup-Name=="Office", Hint==Port-1812, Auth-Type:=Accept
                Connect-Info="OFFICE_ACCESS"

# Cisco NAS doing username/password authentication, proxied to another server
bob             Huntgroup-Name=="Office", Hint==Port-1645, Proxy-To-Realm:=UAS
                Connect-Info="OFFICE_ACCESS"

My huntgroups file contains the "Office" to NAS-IP-Address mappings, and my hints file (which maps the UDP port the NAS connected on to one of the two above auth lines) looks like this:

DEFAULT         User-Name =~ "^(.*)$"
                Hint = "Port-%{request:Packet-Dst-Port}"

What I need to do is figure out how to ensure that anyone authenticating with Hint==Port-1645 has a "/" in their User-Password attribute. People authenticating with Hint==Port-1812 will always have a User-Password attribute which matches their Username (but because SSL authentication is handled by the NAS, this area is authorization only, so we never check the User-Password attribute).

I'm thinking this should be possible, but I'm just not sure of the best way to handle it. Any advice is greatly appreciated.
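One way to express the check in the users file itself, as an added example (not from the original post), is to put the slash test on the proxying entry as a regex check item and add a fall-through entry that rejects. This assumes FreeRADIUS 1.1 applies the =~ operator to a User-Password check item the same way it applies it to User-Name in the hints file above, and that the realm name UAS and the Office huntgroup are configured as in the post:

```text
# Cisco NAS doing SSL authentication (unchanged from the post)
bob             Huntgroup-Name=="Office", Hint==Port-1812, Auth-Type:=Accept
                Connect-Info="OFFICE_ACCESS"

# Username/password auth on port 1645: only proxy when the password
# contains a "/" (assumed here to be the separator the UAS realm expects).
# The regex is unanchored, so a "/" anywhere in the password matches.
bob             Huntgroup-Name=="Office", Hint==Port-1645, User-Password=~"/", Proxy-To-Realm:=UAS
                Connect-Info="OFFICE_ACCESS"

# Same user, same port, but the password has no "/": the entry above fails
# its check items, rlm_files moves on to this one, and the request is
# rejected locally instead of being sent to the proxy.
bob             Huntgroup-Name=="Office", Hint==Port-1645, Auth-Type:=Reject
                Reply-Message="password must contain a realm separator (/)"
```

Two caveats. rlm_files stops at the first entry whose check items all pass (unless Fall-Through is set), so the reject entry has to come after the proxy entry for the same user. And a User-Password check item is only evaluated when the request actually carries a User-Password attribute; a CHAP request from the same NAS would skip it and fall straight to the proxy entry, so the check only protects PAP requests. The easiest way to confirm the behaviour is to run the server with radiusd -X and send two requests from a NAS in the Office huntgroup, one with a password containing "/" and one without, and watch which users-file entry each one matches.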