Thanks, Alan.

To create a new attribute, I did the following things:
(1). I edited the file "src/include/radius.h" and added a line like "#define PW_AES_PASSWORD 192".
(2). I also edited the file "/usr/local/share/freeradius/dictionary" and inserted a line like "ATTRIBUTE AES-PASSWORD 192 octets".
(3). Finally, I recompiled FreeRADIUS.
Is it right and enough to create a new attribute "AES-PASSWORD"?
To create a new module, I did the following things:
(1). I copied src/rlm_example/rlm_example.c to another directory.
(2). I amended rlm_example to make it support the AES encryption algorithm. The main changes are as follows:

    static int example_authorize(void *instance, REQUEST *request)
    {
            /* quiet the compiler */
            instance = instance;
            request = request;

            /*
             *      Look for the 'state' attribute.
             */
    //      state = pairfind(request->packet->vps, PW_STATE);
    //      if (state != NULL) {
    //              DEBUG("rlm_example: Found reply to access challenge");
    //              return RLM_MODULE_OK;
    //      }

            /*
             *      Create the challenge, and add it to the reply.
             */
    //      reply = pairmake("Reply-Message", "This is a challenge", T_OP_EQ);
    //      pairadd(&request->reply->vps, reply);
    //      state = pairmake("State", "0", T_OP_EQ);
    //      pairadd(&request->reply->vps, state);

            /*
             *      Mark the packet as an Access-Challenge packet.
             *
             *      The server will take care of sending it to the user.
             */
    //      request->reply->code = PW_ACCESS_CHALLENGE;
    //      DEBUG("rlm_example: Sending Access-Challenge.");
    //      return RLM_MODULE_HANDLED;

            return RLM_MODULE_OK;
    }

Note: I have commented out the main part of the lines of the function example_authorize.

    static int example_authenticate(void *instance, REQUEST *request)
    {
            VALUE_PAIR *passwd_item;
            char pass_str[MAX_STRING_LEN];
            VALUE_PAIR *module_fmsg_vp;
            char module_fmsg[MAX_STRING_LEN];

            /* quiet the compiler */
            instance = instance;
            request = request;

            if (!request->username) {
                    radlog(L_AUTH, "rlm_aes: Attribute \"User-Name\" is required for authentication.\n");
                    return RLM_MODULE_INVALID;
            }

            if (!request->password) {
                    radlog(L_AUTH, "rlm_aes: Attribute \"AES-Password\" is required for authentication.");
                    return RLM_MODULE_INVALID;
            }

            if (request->password->attribute != PW_AES_PASSWORD) {
                    radlog(L_AUTH, "rlm_aes: Attribute \"AES-Password\" is required for authentication. Cannot use \"%s\".",
                           request->password->name);
                    return RLM_MODULE_INVALID;
            }

            if (request->password->length == 0) {
                    radlog(L_ERR, "rlm_aes: empty password supplied");
                    return RLM_MODULE_INVALID;
            }

            /*
             *      Don't print out the CHAP password here.  It's binary crap.
             */
            DEBUG("  rlm_aes: login attempt by \"%s\" with AES password",
                  request->username->strvalue);

            if ((passwd_item = pairfind(request->config_items, PW_PASSWORD)) == NULL) {
                    DEBUG("  rlm_aes: Could not find clear text password for user %s",
                          request->username->strvalue);
                    snprintf(module_fmsg, sizeof(module_fmsg), "rlm_aes: Clear text password not available");
                    module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
                    pairadd(&request->packet->vps, module_fmsg_vp);
                    return RLM_MODULE_INVALID;
            }

            DEBUG("  rlm_aes: Using clear text password %s for user %s authentication.",
                  passwd_item->strvalue, request->username->strvalue);

            rad_aes_encode(request->packet, pass_str, request->password->strvalue[0], passwd_item);

            if (memcmp(pass_str + 1, request->password->strvalue + 1, CHAP_VALUE_LENGTH) != 0) {
                    DEBUG("  rlm_aes: Password check failed");
                    snprintf(module_fmsg, sizeof(module_fmsg), "rlm_aes: Wrong user password");
                    module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
                    pairadd(&request->packet->vps, module_fmsg_vp);
                    return RLM_MODULE_REJECT;
            }

            DEBUG("  rlm_aes: chap user %s authenticated successfully",
                  request->username->strvalue);

            return RLM_MODULE_OK;
    }

Note: I have used rad_aes_encode(request->packet, pass_str, request->password->strvalue[0], passwd_item); to enable the AES password.
(3). I edited src/lib/radiusc.c and inserted my function rad_aes_encode.
(4). I recompiled FreeRADIUS.
The following is part of the result of the command "radiusd -X":

    Module: Loaded example
     example: integer = 1
     example: boolean = no
     example: string = "(null)"
    Module: Instantiated example (example)

But when I send packets like the following to the FreeRADIUS server:

    +---------------------------------+-------------+--------+-----------------------------+
    | UserName="test"                 | ID = n      | length = m                           |
    +---------------------------------+-------------+--------+-----------------------------+
    | 192 (Identifier "AES-PASSWORD") | length = 19 | ID = n | 16 Bytes AES encrypted text |
    +---------------------------------+-------------+--------+-----------------------------+
    | ..........                                                                           |
    +--------------------------------------------------------------------------------------+

I got the following message:

    WARNING: Malformed RADIUS packet from host 202.117.7.223: packet attributes do NOT exactly fill the packet
    --- Walking the entire request list ---
    Nothing to do.  Sleeping until we see a request.

Thanks for any suggestion!

2007/3/14, Alan DeKok <[EMAIL PROTECTED]>:
yao guoxian wrote:
> Thanks, Alan.
> But I have a few questions.
> First, if I create a new attribute "My-Aes-Password" and include it
> in the Access-Request packet, I should not include the attributes such
> as "User-Password" or "Chap-Password". Is it right?

  Yes.

> The second question is about how to write modules.

  There is documentation.  See "rlm_example", for one.

> Sorry to ask the
> same question, but I want to verify my plan to see if it is practical. The
> plan is as follows: I don't amend the module "rlm_chap", I just copy all
> files in ./src/modules/rlm_chap/ to a new directory "rlm_aes" and
> rename files rlm_chap.* to rlm_aes.*. Then I edit rlm_chap.c to alter
> it to use AES to analyze the request packet. Is it practical?

  Yes.

  Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
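The "packet attributes do NOT exactly fill the packet" warning in the post comes from the server's sanity walk over the attribute list: every attribute's Length octet counts its own Type and Length octets plus the value, and the sum of all attribute lengths has to land exactly on the packet's Length field. The following Python script is an added example for this thread, not code from FreeRADIUS or from the poster. It builds three constructed Access-Requests (the attribute number 192 is the one chosen in the post; the User-Name "test", the Request Authenticator, the 16 "AES" octets and the length_override helper argument are constructed for the demo) and walks them the way a server does, so the two client-side length mistakes that produce this exact warning can be seen side by side with a well-formed packet.

```python
"""Sanity-walk of a RADIUS packet's attribute list (RFC 2865 framing).
Added example for this thread; it is not code from FreeRADIUS or from the poster."""
import struct

RADIUS_HEADER_LEN = 20      # Code(1) Identifier(1) Length(2) Authenticator(16)
MAX_PACKET_LEN = 4096       # RFC 2865 upper bound on the Length field
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_AES_PASSWORD = 192     # number the poster assigned in his dictionary edit


def build_attribute(attr_type, value):
    """Type | Length | Value. Length counts the two header octets as well as the value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def build_packet(code, ident, authenticator, attributes, length_override=None):
    """Assemble header + attributes. length_override (hypothetical helper argument)
    lets the demo write a deliberately wrong Length field to reproduce a client bug."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    body = b"".join(attributes)
    length = RADIUS_HEADER_LEN + len(body) if length_override is None else length_override
    return struct.pack("!BBH", code, ident, length) + authenticator + body


def check_packet(data):
    """Walk the attribute list the way a RADIUS server does before decoding it.
    Returns (True, [(type, value), ...]) or (False, reason)."""
    if len(data) < RADIUS_HEADER_LEN:
        return False, "packet shorter than the 20-octet header"
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < RADIUS_HEADER_LEN or length > MAX_PACKET_LEN:
        return False, "Length field %d outside 20..4096" % length
    if length > len(data):
        return False, "Length field %d exceeds the %d octets received" % (length, len(data))

    offset = RADIUS_HEADER_LEN
    attrs = []
    while offset < length:
        if length - offset < 2:
            return False, "attribute header truncated at offset %d" % offset
        attr_type, attr_len = data[offset], data[offset + 1]
        if attr_len < 2:
            return False, "attribute %d has impossible length %d" % (attr_type, attr_len)
        attrs.append((attr_type, data[offset + 2:offset + attr_len]))
        offset += attr_len
    # An attribute whose Length runs past the end leaves offset != length; this is
    # the condition the server reports as "attributes do NOT exactly fill the packet".
    if offset != length:
        return False, "packet attributes do NOT exactly fill the packet"
    return True, attrs


def sample_packets():
    """Three constructed Access-Requests: one well-formed and two common client mistakes."""
    authenticator = bytes(range(0xA0, 0xB0))                # constructed, not a real authenticator
    aes_value = bytes([0x05]) + bytes(range(0x10, 0x20))    # CHAP-style ident octet + 16 constructed octets
    good_attrs = [build_attribute(ATTR_USER_NAME, b"test"),
                  build_attribute(ATTR_AES_PASSWORD, aes_value)]
    # Mistake 1: attribute Length written as the value size (17) instead of value + 2 (19).
    bad_attr = bytes([ATTR_AES_PASSWORD, len(aes_value)]) + aes_value
    # Mistake 2: packet Length summed from attribute values only, omitting the 2-octet headers (41 instead of 45).
    short_len = RADIUS_HEADER_LEN + len(b"test") + len(aes_value)
    return {
        "good": build_packet(CODE_ACCESS_REQUEST, 7, authenticator, good_attrs),
        "attr_length_wrong": build_packet(CODE_ACCESS_REQUEST, 7, authenticator, [good_attrs[0], bad_attr]),
        "packet_length_wrong": build_packet(CODE_ACCESS_REQUEST, 7, authenticator, good_attrs,
                                            length_override=short_len),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        ok, detail = check_packet(pkt)
        print("%-20s %s" % (name, "OK, %d attributes" % len(detail) if ok else detail))
```

Running it prints the well-formed packet as OK with two attributes and the other two with the same warning the server logged; when a client hits this message, comparing its own Length arithmetic against build_attribute and build_packet above (value + 2 per attribute, 20 + all attribute bytes for the packet) is the quickest way to find which of the two counts is off.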