On 11/24/2012 08:40 PM, Hoggins! wrote:
I don't know if I understand the process correctly : as far as I
understand, an authentication request is handled successively by the
listed modules in the authorize {} section, right ?
So, now that I figured that I have to use PAP as phase2, I can have the
cleartext password. But I don't know how I can provide it to the PAP
module : it complains that no "known good" password had been found for
the user.
What should my executed program return to say that the user is granted
access ?
It sounds like you're still a bit confused about what the *client*
sends, versus what the *server* knows.
In your original email, you said you were doing 802.1x against a wi-fi
point, using certificates and credentials.
However, you *didn't* specify what EAP methods your clients are using.
In RADIUS, the *client* chooses the authentication method, and the
authentication method defines:
1. What the client sends
2. What the server needs to know
What EAP method(s) are you using?
See this URL for more info:
http://deployingradius.com/documents/protocols/compatibility.html
And more specifically:
http://deployingradius.com/documents/protocols/oracles.html
If you are using an "exec" script, you are using an "oracle". It can
only authenticate a user based on what the *client* sends, and unless
you are using a PAP-based method on the client, the client doesn't send
a password.
What you want might be impossible.
Regards,
Phil
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html