On Thursday, October 25, 2018 at 11:58:22 AM UTC+2, Bino Oetomo wrote:
>
> Dear Federico sir.
>
> I really appreciate your very fast response.
>
> I think I misunderstood the docs.
>
> So, basically it's freeradius's requirement for all backends to provide
> 'clear-text-password', right?
>

Passwords get to freeradius in clear over TLS (these are also encrypted with the shared secret of freeradius BTW).

> If that is so,
> how do you provide it, since I don't see any 'clear text' field in your models?
> How do you get the 'clear text' password from django password storage?
>

Passwords are stored in the user table with the default hashing algorithm used by django <https://docs.djangoproject.com/en/2.1/topics/auth/passwords/> and are checked via the django internal authentication API (e.g. check_password()).

> Note:
> Currently, since my app only supports PAP ... I just use
> django.contrib.auth.authenticate ... and whenever valid I just use that PAP
> password as the 'Clear-Text-Password' attribute.
> But if I want CHAP ... my app will not get the clear-text password from
> the Freeradius call ... we need to 'count' it. So I will not be able to use
> 'django.contrib.auth.authenticate' to authenticate the user against the django user
> table.
>
> Sincerely
> -bino-
>
> On Thursday, October 25, 2018 at 4:22:07 PM UTC+7, Federico Capoano wrote:
>>
>> Hi Bino and welcome,
>>
>> we use the rlm_rest module of freeradius to authorize users via a REST
>> API
>> <https://github.com/openwisp/django-freeradius/blob/master/django_freeradius/api/views.py>,
>> although it is still possible to use radius checks as well, as described
>> here:
>>
>> https://django-freeradius.readthedocs.io/en/latest/general/freeradius.html#using-radius-checks-for-authorization-information
>>
>> If you need to see the freeradius configuration required to make this
>> work, it's also shown in the same page I just linked.
>>
>> Cheers
>> Federico
>>
>> On Thu, Oct 25, 2018 at 11:00 AM Bino Oetomo <wow...@gmail.com> wrote:
>>
>>> Dear All.
>>>
>>> I just found your great django-freeradius today.
>>>
>>> Actually, I wrote a django application with the same function as yours
>>> back in October 2016.
>>> I guarantee there is a bunch of noodle script in it, far away from
>>> 'good enough' to be published.
>>>
>>> Currently, that app is used in-house.
>>> It also serves as a backend for freeradius DHCP.
>>> It's full 'rest', so that freeradius doesn't need mysql access.
>>>
>>> BUT ... errhhh
>>> I am not satisfied with my app (and/or system).
>>> The most important thing that I hate about it: it needs to provide
>>> 'Clear-Text-Password' to FreeRadius.
>>>
>>> Looks like your app doesn't need to give the 'Clear-Text-Password' attribute
>>> to FreeRadius, could you please tell me how you do it?
>>>
>>> Here is my FreeRadius rest config:
>>>
>>> rest {
>>>     #
>>>     # This subsection configures the tls related items
>>>     # that control how FreeRADIUS connects to a HTTPS
>>>     # server.
>>>     #
>>>     tls {
>>>     }
>>>
>>>     my_uri = "http://127.0.0.1:8000/hotspot/"
>>>     my_uri_acct = "http://127.0.0.1:8001/hotspot/"
>>>     authorize {
>>>         uri = "${..my_uri}"
>>>         method = 'post'
>>>         body = 'json'
>>>         tls = ${..tls}
>>>     }
>>>     authenticate {
>>>         uri = "${..my_uri}"
>>>         method = 'post'
>>>         body = 'json'
>>>         tls = ${..tls}
>>>     }
>>>     accounting {
>>>         uri = "${..my_uri_acct}"
>>>         method = 'post'
>>>         body = 'json'
>>>         tls = ${..tls}
>>>     }
>>>     post-auth {
>>>         #uri = "${..my_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-auth"
>>>         uri = "${..my_uri}"
>>>         method = 'post'
>>>         body = 'json'
>>>         tls = ${..tls}
>>>     }
>>>
>>>     pool {
>>>         start = ${thread[pool].start_servers}
>>>         min = ${thread[pool].min_spare_servers}
>>>         max = ${thread[pool].max_servers}
>>>         spare = ${thread[pool].max_spare_servers}
>>>         uses = 0
>>>         retry_delay = 30
>>>         lifetime = 0
>>>         idle_timeout = 60
>>>     }
>>> }
>>>
>>> and here is some from the default site config:
>>>
>>> authorize {
>>>     rest
>>>     mschap
>>>     pap
>>>     eap
>>> }
>>> authenticate {
>>>     pap
>>>     mschap
>>>     eap
>>> }
>>>
>>> preacct {
>>>     preprocess
>>>     acct_unique
>>>     suffix
>>>     files
>>> }
>>>
>>> accounting {
>>>     rest
>>>     detail
>>>     exec
>>> }
>>>
>>> post-auth {
>>>     update {
>>>         &reply: += &session-state:
>>>     }
>>>
>>>     -sql
>>>     exec
>>>     remove_reply_message_if_eap
>>>     Post-Auth-Type REJECT {
>>>         # log failed authentications in SQL, too.
>>>         -sql
>>>         attr_filter.access_reject
>>>
>>>         # Insert EAP-Failure message if the request was
>>>         # rejected by policy instead of because of an
>>>         # authentication failure
>>>         eap
>>>
>>>         # Remove reply message if the response contains an EAP-Message
>>>         remove_reply_message_if_eap
>>>     }
>>> }
>>>
>>> Sincerely
>>> -bino-
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "OpenWISP" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to openwisp+u...@googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
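
The PAP/CHAP difference discussed in this thread, as an added example that is not code from django-freeradius or from either poster: a hashed user table can verify a PAP password that arrives in clear, but cannot recompute a CHAP response (RFC 1994: MD5 of identifier, secret and challenge). hashlib's PBKDF2 stands in for Django's hasher here; the helper names, the iteration count and the sample password are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed value for this example


def make_record(password: str) -> dict:
    """Store a salted PBKDF2-SHA256 digest; the cleartext is not kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def pap_check(record: dict, submitted: str) -> bool:
    """PAP: the cleartext reaches the backend, so it can be re-hashed and compared."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", submitted.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(candidate, record["digest"])


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_check(secret: bytes, ident: int, challenge: bytes, response: bytes) -> bool:
    """The verifier must hold the same secret the client used."""
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def demo() -> dict:
    password = "correct horse"  # constructed sample credential
    record = make_record(password)
    ident, challenge = 7, os.urandom(16)
    client_resp = chap_response(ident, password.encode(), challenge)
    return {
        "pap_ok": pap_check(record, password),
        "pap_wrong": pap_check(record, "wrong"),
        # Works only if the backend kept the cleartext password:
        "chap_with_cleartext": chap_check(password.encode(), ident, challenge, client_resp),
        # A hashed store only has the digest, which is not the CHAP secret:
        "chap_with_hash": chap_check(record["digest"], ident, challenge, client_resp),
    }


if __name__ == "__main__":
    print(demo())
```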