Alan DeKok wrote:
> Please read the docs & man page for rlm_passwd. It does *not* read
> /etc/passwd.

I read the doc/rlm_passwd doc, but I'll go over it again and take a look at the code as well. Being called rlm_passwd, I may have assumed it used /etc/passwd before I even started reading it, thus tainting what I read.

> I suggest writing down the specific situations involved. Include
> inputs and outputs. That will help drive the design.

So here is the specific requirement.

* I need FreeRadius to listen on two different UDP ports for auth requests. This is because we presently allow both password authentication with users file authorization *and* users file authorization only modes. The latter is used to support certificate-based authentication via our Cisco 3000-series concentrators (the Cisco authenticates you against your certificate and radiusd decides whether you're actually authorized to use that NAS).
* The port can't be shared because in the authorization-only method, the password that gets sent is your username, and because no VSAs or other identifying attributes get sent with that type of request. Therefore, if I shared the port, anyone could authenticate as user "bob" with password "bob".
* In our case, I am using port 1645 for authentication + authorization and port 1812 for authorization only.
* I need FreeRadius to proxy the authentication requests it receives on the authentication + authorization port, do local users file authorization, and return any Connect-Info, Filter, Class, etc. strings related to that user/NAS pair back to the originating NAS.
* The authorization-only requests just need to see if the user is in the users file for that NAS/Huntgroup, and return any related attributes (e.g. Connect-Info, Filter, Class, etc.) to the originating NAS.
* All users can use both auth methods (i.e. nobody can do only certificate authentication but not have a corresponding password).
* Users may have access for multiple NASes.
* Not all users have access for all (or the same) NASes.
* I "need" to have only one entry in the users file for each user.

I already have this working with two entries, but it feels inefficient and just isn't pretty. I *think* this covers it appropriately.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
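The following is an added illustration of how the two-port layout described in the message above can be expressed in FreeRADIUS 2.x-style configuration; it is not the poster's configuration, nor anything from the thread. The virtual server names (`auth-and-authz`, `authz-only`), the client list name (`cisco_vpn_clients`), the realm name (`upstream`), the user `bob`, the huntgroup name and all IP addresses and secrets are constructed placeholders. The defender-relevant detail is the per-socket `clients` list on the authorization-only port: because a request on that port carries no real credential (the password is the username), only the certificate-validating concentrators should be accepted as clients there.

```conf
# Added example (not the poster's config). FreeRADIUS 2.x-style syntax;
# every name, address and secret below is a constructed placeholder.

# ---- radiusd.conf: one socket per mode, each bound to its own virtual server
listen {
    type = auth
    ipaddr = *
    port = 1645
    virtual_server = auth-and-authz
}

listen {
    type = auth
    ipaddr = *
    port = 1812
    virtual_server = authz-only
    # Per-socket client list: only the concentrators that already
    # validated a certificate may send to the authorization-only port.
    clients = cisco_vpn_clients
}

# ---- clients.conf: the client list referenced by the 1812 socket
clients cisco_vpn_clients {
    client 203.0.113.10 {          # placeholder concentrator address
        secret    = CHANGE_ME_PLACEHOLDER
        shortname = vpn3000-a
    }
}

# ---- proxy.conf: where password checks on port 1645 are forwarded
home_server upstream_auth {
    type   = auth
    ipaddr = 203.0.113.20          # placeholder upstream RADIUS server
    port   = 1812
    secret = CHANGE_ME_PLACEHOLDER
}
home_server_pool upstream_pool {
    type        = fail-over
    home_server = upstream_auth
}
realm upstream {
    auth_pool = upstream_pool
}

# ---- sites-enabled/auth-and-authz: local users-file lookup, then proxy
server auth-and-authz {
    authorize {
        preprocess                 # assigns Huntgroup-Name from huntgroups
        files                      # users-file check items and reply items
        update control {
            Proxy-To-Realm := "upstream"
        }
    }
    # authenticate is skipped for proxied requests; reply items set by
    # "files" are assumed to be merged into the final Access-Accept
    # (verify this on the running version).
}

# ---- sites-enabled/authz-only: accept only on a users-file match
server authz-only {
    authorize {
        preprocess
        files
        if (ok) {                  # "files" matched an entry for this user/NAS
            update control {
                Auth-Type := Accept
            }
        }
        else {
            reject                 # unknown user or wrong huntgroup
        }
    }
}

# ---- users: a single entry per user; the check item ties it to the NAS group
bob     Huntgroup-Name == "vpn-concentrators"
        Class     = "vpn-users",
        Filter-Id = "vpn-acl"
```

Both virtual servers run the same `files` lookup against the same users file, which is what lets one entry per user serve both modes: the only difference between the servers is whether the password is checked upstream or the request is accepted on the strength of the concentrator's certificate validation. The per-socket client list does not replace the port separation the poster describes; it narrows who can reach the credential-less port in the first place.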