On 01/28/2011 06:34 PM, McCann, Brian wrote:
> Now, here's my exact problem and explain "why" I need to authenticate
> (not authorize) in my external program (vs ntlm_auth, the users file,
> ldap, sql, etc). I have an XMLRPC-like server that is accessed over
> https, and takes a hash of the username and a hash of the password,
> and will return output granting or denying the user. Since
> freeradius doesn't know how to talk to the XMLRPC server, I need my
> external helper.
Are you aware that this will severely limit your options with respect to
EAP and windows clients?
Only EAP-TTLS/PAP gives you the username & password. Windows clients
only support EAP-TLS (no username/password) or EAP-PEAP/MS-CHAPv2 using
the built-in supplicant. You will never see a password from a windows
client; just an mschap challenge/response pair. Unless your XMLRPC
handler can process those, you will not be able to authenticate windows
clients without installing extra supplicant software.
Anyway, you probably want to do something like this in
/etc/raddb/sites-available/inner-tunnel:
authorize {
    ...
    pap
}

authenticate {
    Auth-Type PAP {
        python
    }
}
...then write the "authenticate" handler of your python module to return
the appropriate code.
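As an added illustration of that last step (not code from the thread or from the FreeRADIUS project), here is an rlm_python module whose "authenticate" handler hashes User-Name and User-Password and asks an HTTPS XML-RPC service whether the pair is valid; the URL, the check_credentials() method name and the SHA-256 digests are placeholders, since the original poster's server API is not described. The handler returns FAIL rather than REJECT when the backend is unreachable, and NOOP when no cleartext password is present (the MS-CHAP case warned about above).

```python
import hashlib
import xmlrpc.client

try:
    import radiusd  # injected by FreeRADIUS when rlm_python loads this module
except ImportError:  # stand-alone/test fallback; values mirror rlm_python's rcodes
    class radiusd:
        RLM_MODULE_REJECT, RLM_MODULE_FAIL, RLM_MODULE_OK, RLM_MODULE_NOOP = 0, 1, 2, 7
        L_AUTH, L_ERR = 2, 4

        @staticmethod
        def radlog(level, msg):
            print(msg)

# Placeholder endpoint: the poster's real server and its method names are not in the thread.
XMLRPC_URL = "https://auth.example.invalid/RPC2"


def hexdigest(value):
    # Assumption: the server expects SHA-256 hex digests; adapt to its actual scheme.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def xmlrpc_check(user_hash, pass_hash):
    # Production backend: asks the HTTPS XML-RPC service; raises on network/protocol errors.
    proxy = xmlrpc.client.ServerProxy(XMLRPC_URL)
    return bool(proxy.check_credentials(user_hash, pass_hash))


def authenticate(p, check=xmlrpc_check):
    """rlm_python 'authenticate' entry point: p is a tuple of (attribute, value) pairs.
    Note: some rlm_python versions deliver string values wrapped in double quotes;
    confirm with the server's debug output before deploying."""
    attrs = dict(p)
    user = attrs.get("User-Name")
    password = attrs.get("User-Password")
    if not user or password is None:
        # No cleartext password (e.g. an MS-CHAP challenge/response): nothing to verify.
        radiusd.radlog(radiusd.L_AUTH, "python: no User-Password for %r" % user)
        return radiusd.RLM_MODULE_NOOP
    try:
        ok = check(hexdigest(user), hexdigest(password))
    except Exception as exc:  # backend down or malformed reply: FAIL, not REJECT
        radiusd.radlog(radiusd.L_ERR, "python: backend error for %r: %s" % (user, exc))
        return radiusd.RLM_MODULE_FAIL
    radiusd.radlog(radiusd.L_AUTH, "python: %s for %r" % ("accept" if ok else "reject", user))
    return radiusd.RLM_MODULE_OK if ok else radiusd.RLM_MODULE_REJECT
```

Distinguishing FAIL from REJECT matters operationally: a backend outage then shows up as module failures in the logs instead of a burst of apparent bad-password rejects.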
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html