On 11/24/2012 08:40 PM, Hoggins! wrote:
I don't know if I understand the process correctly : as far as I
understand, an authentication request is handled successively by the
listed modules in the authorize {} section, right ?

So, now that I figured that I have to use PAP as phase2, I can have the
cleartext password. But I don't know how I can provide it to the PAP
module : it complains that no "known good" password had been found for
the user.

What should my executed program return to say that the user is granted
access ?

It sounds like you're still a bit confused about what the *client* sends, versus what the *server* knows.

In your original email, you said you were doing 802.1x against a wi-fi point, using certificates and credentials.

However, you *didn't* specify what EAP methods your clients are using.

In RADIUS, the *client* chooses the authentication method, and the authentication method defines:

 1. What the client sends
 2. What the server needs to know

What EAP method(s) are you using?

See this URL for more info:

http://deployingradius.com/documents/protocols/compatibility.html

And more specifically:

http://deployingradius.com/documents/protocols/oracles.html

If you are using an "exec" script, you are using an "oracle". It can only authenticate a user based on what the *client* sends, and unless you are using a PAP-based method on the client, the client doesn't send a password.

What you want might be impossible.

Regards,
Phil
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to