Hi Bino and welcome,

We use the rlm_rest module of FreeRADIUS to authorize users via a REST API
<https://github.com/openwisp/django-freeradius/blob/master/django_freeradius/api/views.py>,
although it is still possible to use radius checks as well, as described
here:
https://django-freeradius.readthedocs.io/en/latest/general/freeradius.html#using-radius-checks-for-authorization-information

If you need to see the FreeRADIUS configuration required to make this work,
it's also shown on the same page I just linked.

Cheers
Federico

On Thu, Oct 25, 2018 at 11:00 AM Bino Oetomo <wowo...@gmail.com> wrote:

> Dear All.
>
> I just found your great django-freeradius today.
>
> Actually, I wrote a django application with the same function as yours back
> in October 2016.
> I guarantee there is a bunch of noodle script in it, far away from 'good
> enough' to be published.
>
> Currently, that app is used in-house.
> It also serves as a backend for FreeRadius DHCP.
> It's full 'rest', so that FreeRadius doesn't need MySQL access.
>
> BUT ... errhhh
> I'm not satisfied with my app (and/or system).
> The most important thing that I hate about it: it needs to provide
> 'Clear-Text-Password' to FreeRadius.
>
> Looks like your app doesn't need to give the 'Clear-Text-Password' attribute to
> FreeRadius, could you please tell me how you do it?
>
> Here is my FreeRadius rest config :
>
> rest {
>     #
>     #  This subsection configures the tls related items
>     #  that control how FreeRADIUS connects to a HTTPS
>     #  server.
>     #
>     tls {
>     }
>
>     my_uri = "http://127.0.0.1:8000/hotspot/";
>     my_uri_acct = "http://127.0.0.1:8001/hotspot/";
>     authorize {
>         uri = "${..my_uri}"
>         method = 'post'
>         body = 'json'
>         tls = ${..tls}
>     }
>     authenticate {
>         uri = "${..my_uri}"
>         method = 'post'
>         body = 'json'
>         tls = ${..tls}
>     }
>     accounting {
>         uri = "${..my_uri_acct}"
>         method = 'post'
>         body = 'json'
>         tls = ${..tls}
>     }
>     post-auth {
>         #uri = "${..my_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-auth"
>         uri = "${..my_uri}"
>         method = 'post'
>         body = 'json'
>         tls = ${..tls}
>     }
>
>     pool {
>         start = ${thread[pool].start_servers}
>         min = ${thread[pool].min_spare_servers}
>         max = ${thread[pool].max_servers}
>         spare = ${thread[pool].max_spare_servers}
>         uses = 0
>         retry_delay = 30
>         lifetime = 0
>         idle_timeout = 60
>     }
> }
>
> and here is some from default site config
>
> authorize {
>     rest
>     mschap
>     pap
>     eap
> }
> authenticate {
>     pap
>     mschap
>     eap
> }
>
> preacct {
>     preprocess
>     acct_unique
>     suffix
>     files
> }
>
>
> accounting {
>     rest
>     detail
>     exec
> }
>
> post-auth {
>     update {
>         &reply: += &session-state:
>     }
>     -sql
>     exec
>     remove_reply_message_if_eap
>     Post-Auth-Type REJECT {
>         # log failed authentications in SQL, too.
>         -sql
>         attr_filter.access_reject
>
>         # Insert EAP-Failure message if the request was
>         # rejected by policy instead of because of an
>         # authentication failure
>         eap
>
>         #  Remove reply message if the response contains an EAP-Message
>         remove_reply_message_if_eap
>     }
> }
>
>
>
> Sincerely
> -bino-
>
> --
> You received this message because you are subscribed to the Google Groups
> "OpenWISP" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to openwisp+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
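
As an added illustration of the approach described in the reply (not code from this thread or from django-freeradius): a backend handler that checks the password against a salted hash itself and answers rlm_rest with an HTTP status, so no Cleartext-Password attribute is returned to FreeRADIUS. The JSON field names `username`/`password`, the `control:Auth-Type` reply pairs, the user store and the work factor are assumptions of this sketch.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 100_000  # constructed work factor for this sketch

def make_record(password):
    """Store only a random salt and the PBKDF2 digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}

# Constructed user store standing in for the application's database.
USERS = {"alice": make_record("correct horse battery")}
# Checked for unknown users so both paths cost one PBKDF2 run.
DUMMY = make_record("unused")

def authorize(raw_body):
    """Handle the JSON POSTed by the authorize section of rlm_rest.

    Returns (http_status, reply_dict). Assumed body shape:
    {"username": "...", "password": "..."}
    """
    try:
        data = json.loads(raw_body)
        username = data["username"]
        password = data["password"]
        if not isinstance(username, str) or not isinstance(password, str):
            raise TypeError
    except (ValueError, KeyError, TypeError):
        return 400, {}
    record = USERS.get(username, DUMMY)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], ITERATIONS)
    matches = hmac.compare_digest(candidate, record["digest"])
    if username in USERS and matches:
        # 2xx with a body: rlm_rest maps the pairs into the request lists.
        return 200, {"control:Auth-Type": "Accept"}
    # rlm_rest turns HTTP 401 into a reject.
    return 401, {"control:Auth-Type": "Reject"}
```

This only covers PAP-style requests, where User-Password reaches the server; CHAP and MS-CHAP cannot be verified against a salted hash and still need Cleartext-Password or NT-Password on the FreeRADIUS side.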
