On 02/24/2012 05:10 PM, Jesse Crayston wrote:
> Trying to get my users to have the same password on a radius server, as
> they do on the google apps domain.

That might be tricky.

Since you can't read the passwords from an apps domain, the only thing you could possibly do is use it as an "oracle" i.e. send it a username/password string, and get a yes/no reply.

This limits you to RADIUS methods that send a username/password - PAP, or EAP-TTLS/PAP. If you want to do 802.1x, you need an EAP method, which means EAP-TTLS/PAP, and this is not supported using the default windows supplicant.

If you do web-auth (captive portal) then you can do PAP. You will need to consult the docs for your captive portal for more info on that.

See here:

http://deployingradius.com/documents/protocols/oracles.html

...and for more info, here:

http://deployingradius.com/documents/protocols/compatibility.html


Assuming a PAP-based method works for you, there is no built-in support for using an OAuth IdP as an oracle. You would need to write a script and call it from FreeRADIUS, either via rlm_exec or inline as a perl/python script using rlm_perl/rlm_python.

Broadly, it would look something like this:

authorize {
  ...
  pap
}
authenticate {
  Auth-Type PAP {
    my_script
  }
}

"my_script" might be an instance of rlm_exec, e.g. in raddb/modules/my_script:

exec my_script {
  wait = yes
  input_pairs = request
  program = "/path/to/script %{User-Name} %{User-Password}"
}

...and the script might be something like:

#!/bin/sh

USERNAME="$1"
PASSWORD="$2"
# Quote both arguments so a name or password containing spaces or shell
# metacharacters reaches the oracle intact instead of being word-split.
if /do/oauth_to_google "$USERNAME" "$PASSWORD"
then
  # auth success - return 0
  exit 0
else
  # auth failure - return 1
  exit 1
fi

See the example modules in raddb/echo and raddb/exec for more info on what external scripts can do and the return codes.

Cheers,
Phil
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
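The same oracle idea done the rlm_python way that the reply mentions, as an added example (not code from the message above or from FreeRADIUS): an `authenticate` function for Auth-Type PAP that pulls User-Name and User-Password from the pair tuple rlm_python hands it, asks a yes/no oracle, and maps the answer to a module return code. It assumes attribute values arrive unquoted (older rlm_python builds may wrap strings in double quotes; check your version) and uses a constructed in-memory account table in place of the real Google Apps check.

```python
# rlm_python module for Auth-Type PAP using an external password oracle.
# `radiusd` only exists inside FreeRADIUS; for stand-alone runs the return
# codes are stubbed with the values FreeRADIUS uses (assumption: same numbering).
try:
    import radiusd
    RLM_MODULE_REJECT = radiusd.RLM_MODULE_REJECT
    RLM_MODULE_FAIL = radiusd.RLM_MODULE_FAIL
    RLM_MODULE_OK = radiusd.RLM_MODULE_OK
    RLM_MODULE_NOOP = radiusd.RLM_MODULE_NOOP
except ImportError:
    RLM_MODULE_REJECT, RLM_MODULE_FAIL, RLM_MODULE_OK, RLM_MODULE_NOOP = 0, 1, 2, 7

# Constructed sample accounts standing in for the real Google Apps oracle.
CONSTRUCTED_ACCOUNTS = {"alice@example.com": "correct horse battery"}


def constructed_oracle(username, password):
    # Stand-in for the call to Google: it only answers yes/no and never
    # exposes the stored secret, which is all an oracle can give you.
    return CONSTRUCTED_ACCOUNTS.get(username) == password


def pairs_to_dict(pairs):
    # rlm_python passes each function a tuple of (attribute, value) tuples.
    return {name: value for name, value in pairs}


def authenticate(pairs, oracle=constructed_oracle):
    attrs = pairs_to_dict(pairs)
    username = attrs.get("User-Name")
    password = attrs.get("User-Password")
    if not username or password is None:
        # No clear-text password (CHAP, MSCHAP, EAP-TLS...): an oracle cannot
        # answer, so step aside rather than reject.
        return RLM_MODULE_NOOP
    try:
        accepted = oracle(username, password)
    except Exception:
        # Oracle unreachable or misbehaving: fail closed, but report it as a
        # module failure so it is logged differently from a wrong password.
        return RLM_MODULE_FAIL
    return RLM_MODULE_OK if accepted else RLM_MODULE_REJECT
```

Never log the password inside the oracle call; rlm_python passes it in the clear exactly as rlm_exec's `%{User-Password}` does.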
