Johan Meiring wrote:
> To sum up my understanding of how freeradius works.
>
> authorise = select auth type
> authenticate = run the appropriate auth method

And post-auth: do any post-authentication processing.

> Currently I do the following
>
> authorise = set Auth-Type to perl
> authenticate = run my perl stuff
> i.e. check the password
> check the users cap
> add some reply items
> return RLM_MODULE_OK/REJECT
>
> A friend of mine mentioned that I would not be able to handle CHAP,
> should I ever want to one day, as I am authenticating the password
> myself using perl.

Yes.

> Now I am trying to achieve the following
>
> authorise = leave auth type for Freeradius to decide
> set the cleartext password using perl

OK... a database would be better, but fine.

> authenticate = leave Freeradius to do auth using PAP/CHAP
> check the cap using perl and possibly reject the user
> return RLM_MODULE_OK/REJECT
>
>
> I basically want freeradius to do the PAP/CHAP stuff and AFTER that I
> want to do things like check the users CAP.

Use post-auth.

> The reason I want to do this is because some of my custom checking (e.g.
> the CAP) can be hard on my sql database. I do not want to go to the
> trouble of a sql select through 10000's of accounting records, until I
> at least know the password is OK.
>
> I therefore want to influence the authentication decision (using
> rlm_perl) AFTER freeradius has performed the PAP/CHAP/EAP authentication
> (and it was OK).
>
> Does what I want to do make sense?
> Is this possible?

Yes, and yes.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
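
The split discussed in this thread, sketched as an rlm_perl script (an added example, not code from either poster or from the FreeRADIUS project). It assumes the perl module is listed in both the authorize and post-auth sections, that pap/chap stay in authenticate, and that the installed rlm_perl copies changes to %RAD_CHECK back into the request; `lookup_password`, `lookup_usage_mb`, the sample users and the cap value are hypothetical stand-ins for the real SQL queries.

```perl
use strict;
use warnings;

# Filled in by rlm_perl for every request; declared here so the file also
# compiles and runs outside the server.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# rlm_perl module return codes used below.
use constant { RLM_MODULE_REJECT => 0, RLM_MODULE_OK => 2,
               RLM_MODULE_NOTFOUND => 6, RLM_MODULE_UPDATED => 8 };

# Constructed sample data standing in for the user and accounting tables.
my %PASSWORDS = (alice => 'correct-horse', bob => 's3cret');
my %USAGE_MB  = (alice => 1200, bob => 9800);
my $CAP_MB    = 5000;    # assumed cap, for illustration only

# Hypothetical helpers: the cheap lookup and the expensive accounting query.
sub lookup_password { return $PASSWORDS{ $_[0] } }
sub lookup_usage_mb { return $USAGE_MB{ $_[0] } // 0 }

# authorize: supply only the known-good password. Auth-Type is left unset,
# so the server picks PAP or CHAP itself and verifies the password.
sub authorize {
    my $user = $RAD_REQUEST{'User-Name'} // '';
    my $pw   = lookup_password($user);
    return RLM_MODULE_NOTFOUND unless defined $pw;
    $RAD_CHECK{'Cleartext-Password'} = $pw;
    return RLM_MODULE_UPDATED;
}

# post_auth: the server calls this only after authentication succeeded, so
# requests with a bad password never trigger the expensive usage query.
sub post_auth {
    my $user = $RAD_REQUEST{'User-Name'} // '';
    if (lookup_usage_mb($user) >= $CAP_MB) {
        $RAD_REPLY{'Reply-Message'} = 'Usage cap exceeded';
        return RLM_MODULE_REJECT;    # turns the accept into a reject
    }
    return RLM_MODULE_OK;
}

# Stand-alone demonstration; skipped inside FreeRADIUS, where rlm_perl
# defines radiusd::radlog before loading the script.
unless (defined &radiusd::radlog) {
    for my $user (qw(alice bob)) {
        %RAD_REQUEST = ('User-Name' => $user); %RAD_CHECK = (); %RAD_REPLY = ();
        authorize();
        printf "%s: post_auth -> %s\n", $user,
            post_auth() == RLM_MODULE_OK ? 'OK' : 'REJECT';
    }
}
```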

