Hi Peter,
Thanks, that was the missing part for me - I think. Just let me verify that I
got you correctly:
1. My OpenSER will send a request to FreeRadius including the full digest
information.
2. Once the request is intercepted by FreeRadius, my rlm_perl will simply
need to ask the TCP server for the password of the user.
3. Once that password has been retrieved, I'll simply set the
RAD_REPLY{'Cleartext-Password'} to the password that was retrieved from the
TCP server.
4. Once the rlm_perl script returns with the OK setting, the rest will be
handled by the digest module.
Have I got it right this time? Sorry for being a bit of a pain.
Z2L
----- Original Message -----
From: "Peter Nixon" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], "FreeRadius users mailing list"
<[email protected]>
Sent: Wednesday, July 25, 2007 5:05:02 PM (GMT+0200) Asia/Jerusalem
Subject: Re: rml_perl question
Several people have already told you this, but I am going to have another go
at it.
You want to do Digest Authentication. That's great. FreeRADIUS knows how to do
it. All you have to do is supply the Cleartext-Password.
You tell us that you have some proprietary system which holds your passwords
that you need to access over a TCP socket. Great. Feel free to do so.
Basically you need to:
a) Have the digest module enabled in the _authorize_ AND _authenticate_
sections of radiusd.conf
b) Get the password from your backend using perl and return it to FreeRADIUS
in the _authorize_ section as:
Cleartext-Password := "yoursupersecretpassword"
This is ALL you should have to do! Do not do anything else! Please. Just
don't!
Cheers
Peter
On Wed 25 Jul 2007, FreeRadius-ML wrote:
> Ok,
>
> What I'm trying to do is have FreeRadius perform its AAA functions against
> a PERL based backend, which reads the user information from a proprietary
> system - via a TCP interface.
>
> The authorization section and the authenticate section both have PERL
> enabled in them.
>
> (I removed the remarks for easier reading) - the first digest is
> commented, but right after perl there is another one.
> ---------- SNIP ------------
> authorize {
> preprocess
> auth_log
> # attr_filter
> # chap
> # mschap
> # digest
> # IPASS
> # suffix
> # ntdomain
> # eap
> # files
> digest
> perl
> # sql
> # etc_smbpasswd
> # ldap
> # daily
> # checkval
> # pap
> }
> ---------------------------
> You are correct in regards to the authentication section (see below), I
> missed that one:
> --------- SNIP ------------
> authenticate {
> # Auth-Type PAP {
> #
> # pap
> #
> # }
> # Auth-Type CHAP {
> #
> # chap
> #
> # }
> # Auth-Type MS-CHAP {
> #
> # mschap
> #
> # }
> # digest
> # pam
> unix
> # Auth-Type LDAP {
> #
> # ldap
> #
> # }
> # eap
> perl
> }
> ---------------------------
>
> I may be going about it all wrong, which I'm not ruling out. If you have
> something specific to point me at, please do.
>
> Regards,
> Z2L
> ----- Original Message -----
> From: "A L M Buxey" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], "FreeRadius users mailing list"
> <[email protected]>
> Sent: Wednesday, July 25, 2007 2:12:55 PM (GMT+0200) Asia/Jerusalem
> Subject: Re: rml_perl question
>
> Hi,
>
> you don't have perl enabled in the authorise section of your config...you
> don't have digest enabled in your authorise or authenticate sections
> either. what are you trying to achieve?
--
Peter Nixon
http://peternixon.net/
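
The arrangement discussed in this thread (digest listed in authorize and authenticate, perl supplying only the password in authorize), as an added example that is not code from the thread or from the FreeRADIUS project. The backend address, port and one-line `GET <user>` protocol are assumptions, since the thread does not describe the proprietary TCP interface; the password is placed in `%RAD_CHECK`, rlm_perl's hash for check items.

```perl
use strict;
use warnings;
use IO::Socket::INET;
use IO::Select;

# Hashes that rlm_perl fills in before calling into the script.
our (%RAD_REQUEST, %RAD_CHECK);

# rlm_perl return codes used below.
use constant { RLM_MODULE_FAIL => 1, RLM_MODULE_OK => 2, RLM_MODULE_NOTFOUND => 6 };

# Assumed backend: placeholder address, one-line "GET <user>" request,
# one-line reply holding the password (empty line = unknown user).
my %BACKEND = (PeerAddr => '127.0.0.1', PeerPort => 9000, Proto => 'tcp', Timeout => 2);

# Returns the password, or undef for an unknown user; dies if the backend
# cannot be reached or does not answer in time.
sub fetch_password {
    my ($user) = @_;
    my $sock = IO::Socket::INET->new(%BACKEND) or die "backend connect failed\n";
    print {$sock} "GET $user\n";
    IO::Select->new($sock)->can_read(2) or die "backend read timeout\n";
    my $line = <$sock>;
    close $sock;
    return undef unless defined $line;
    $line =~ s/\r?\n\z//;
    return length($line) ? $line : undef;
}

sub authorize {
    my $user = $RAD_REQUEST{'User-Name'};
    # Allow only characters that cannot inject a second line into the request.
    return RLM_MODULE_NOTFOUND
        unless defined $user && $user =~ /\A[A-Za-z0-9_.\@+-]{1,128}\z/;

    my $password = eval { fetch_password($user) };
    return RLM_MODULE_FAIL if $@;    # backend down: fail the request
    return RLM_MODULE_NOTFOUND unless defined $password;

    # Check item, the rlm_perl equivalent of Cleartext-Password := "..."
    # in authorize. The value is never printed or logged by this script.
    $RAD_CHECK{'Cleartext-Password'} = $password;
    return RLM_MODULE_OK;
}
```

The script defines only `authorize`, so `perl` belongs in the authorize section alone; verifying the digest response is left to the digest module.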