> > update request {
> >     User-Name := whatever
> >     User-Password := wh4t3v3r
> > }
> >
> > in the pre-proxy section work? No need for a module then... And if I may
> > ask, why would you need to modify name and password for proxying? If it's
> > just about cutting out realms, there is an excellent realm module to do
> > that for you.
>
> Yes, I can do that for static modifications, but in my case I have to
> split the password and extract N bytes from it, which is a One-time
> password for 2 factor authentication. I have to receive AUTH_ACK from
> main radius server using the original password and then process the
> second authentication stage with a 2 factor authentication manager using
> that N bytes long OTP. (Connecting to 2FA server, sending OTP and
> receiving result) This is why I need to do it in a module.
unlang can do WAY more than just static replacements. Use a regular
expression.

    if ("%{request:User-Password}" =~ /^(.*)(......)$/) {
        update request {
            User-Password := "%{2}"
        }
    }

... or something close to that. My syntax may be imperfect, maybe someone
can provide a more bullet-proof/correct one.

This here is supposed to mean: if the password is at least 6 characters
long, change the password so that it only is those last six characters
(%{1} would be: only the first part, without the trailing OTP). If it is
less than six, this expression does nothing. I guess in your scenario you
would want to discard those outright, because they don't contain a valid
OTP. Add another rule for this case then.

I'm assuming your "N" to be = 6 because that's a common length for OTPs.
Put more/less dots at the end of the regexp if you have a different setup.

> Now, any ideas on which of the user-password vp's I have to change ?

I'm trying to prepare you for the tough conclusion that you may not need
any code changes here at all. That's why I changed the recipient to
-users, not -devel.

> I know this is ugly. So, If I define my own attributes, is it necessary
> for main RADIUS server (which we proxy to) to have modified dictionary
> files ? or it will simply ignore those unknown attributes ?

It should. See RFC2865 section 5.26 and RFC5080 section 2.5 for details.
But, to be honest, the pragmatically best approach is: TRY IT. Define a
VSA, send it, and look what happens.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu         Fax:      +352 422473
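The split-and-reject policy sketched in the reply above, written out as an added unlang example (not from the original thread or the FreeRADIUS project); it assumes N = 6, that the static part is what gets proxied, and that the FreeRADIUS 2.x internal attribute Tmp-String-0 is available as scratch space for the OTP.

```unlang
# Added example, assumes N = 6 and a FreeRADIUS 2.x server.
# Goes in the authorize section of the site that proxies to the main server.
authorize {
    # Anchored regexp: static part (at least one char) followed by exactly
    # six trailing characters, the OTP.
    if ("%{User-Password}" =~ /^(.+)(.{6})$/) {
        update request {
            # Only the static part is sent on to the main RADIUS server.
            User-Password := "%{1}"
            # Stash the OTP for the second stage. Tmp-String-0 is an
            # internal attribute (assumed present), so it is never proxied.
            Tmp-String-0 := "%{2}"
        }
    }
    else {
        # Too short to contain a valid OTP: drop it outright instead of
        # proxying an unchanged password.
        update reply {
            Reply-Message := "Password must end with a 6-character OTP"
        }
        reject
    }
}
```

This only works when the NAS sends PAP, because the cleartext User-Password is needed to split it; CHAP or EAP requests carry no password to cut.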
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html