I mixed up some terms between freeRadius and JRadius (my first attempt to
accomplish this used rlm_jradius). The term 'listener' is specific to what I
was trying to accomplish with JRadius. I also neglected to mention the
important fact that I need to accomplish authentication specifically for WPA2,
but without using ntlm_auth etc. I basically want the ability to say "yes" or
"no" to a WPA2 user based on rules that I define, hence my looking at rlm_perl
and rlm_jradius, both let me write something of my own. However, to use either
of those with WPA2, I imagine I have to follow the 4-way handshake properly, or
the supplicant will bark?
I realize that this is stepping a bit outside the realm of just freeRadius, but
if anyone has information it would be extremely helpful.
-Travis
From: freeradius-users-bounces+tdimmig=impulse....@lists.freeradius.org
[mailto:freeradius-users-bounces+tdimmig=impulse....@lists.freeradius.org] On
Behalf Of Gary Gatten
Sent: Wednesday, February 23, 2011 3:24 PM
To: 'FreeRadius users mailing list'
Subject: RE: non-standard authentication
I'm CERTAINLY no expert in this, but I can hopefully point you in the right
direction.
There is some doc within the FR install (and the Wiki I think) about writing
your own "modules" - I think this is what you want. Although, I think you can
do pretty much anything with rlm_perl and unlang, but nonetheless - yes, you
can write your own auth module. I don't thik it would be a separate
"listener", but just another module FR uses to auth RADIUS requests. Ie:
instead of FR using RLM_LDAP, EAP, unix, ntlm_auth, etc. - it would use
"Travis_Auth".
Not sure if that helps. If you can't find doc on "modules" LMK and I'll see if
I can track it down for you. From what I remember it's not rocket science, but
not trivial either.
G
________________________________________
From: freeradius-users-bounces+ggatten=waddell....@lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell....@lists.freeradius.org] On
Behalf Of Travis Dimmig
Sent: Wednesday, February 23, 2011 2:56 PM
To: FreeRadius users mailing list
Subject: non-standard authentication
I have a problem scenario where I need to be able to handle the authentication
of users myself. I am looking into using either rlm_perl or (preferably)
rlm_jradius to be able to write my own piece to do authentication. I believe
this is possible with either module (please correct me if I'm wrong on that, it
would stop me in my tracks). What I need to know is if when writing my own
authenticator there is a terribly complicated process of requests and responses
that I have to honor in order to make the supplicant happy, or if I can
trivially accept or reject based on the parameters of my business problem. As
a test case, I wrote a Java class for rlm_jradius that just replaced reject
packets with accept packets, to see if it would work. I found that if I hooked
into it at the 'post_auth' stage it didn't matter what my reply was, freeRadius
remembered that auth had failed and stripped all the attributes from the
response packet.
That was long winded, here is a summary of my questions. Can I write my own
piece to do authentication? Where in the freeRadius process do I list that
listener? Is there a series of requests and responses that I have to honor?
-Travis
"This email is intended to be reviewed by only the intended recipient and may
contain information that is privileged and/or confidential. If you are not the
intended recipient, you are hereby notified that any review, use,
dissemination, disclosure or copying of this email and its attachments, if any,
is strictly prohibited. If you have received this email in error, please
immediately notify the sender by return email and delete this email from your
system."
________________________________________
No virus found in this message.
Checked by AVG - www.avg.com
Version: 10.0.1204 / Virus Database: 1435/3463 - Release Date: 02/23/11
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
