We've been running radiator using unix password authentication. I needed to add CHAP, and based on input from the list, here's what I did.

I took the original, which looks up users in a file "users2" which contains all the unique check items (and a default), with "AuthType= "UNIX"". Then the username/password is checked against a unix-encrypted file, passwd2, thusly:

--------------------------
# This AuthBy will be used to authenticate anything in the
# users2 file with Auth-Type=UNIX by looking in passwd2
<AuthBy UNIX>
        Identifier UNIX
        Filename %D/passwd2
</AuthBy>

<Handler>
        # remove the "@domain" part (if it exists)
        RewriteUsername s/^([^@]+).*/$1/
        # remove spaces
        RewriteUsername s/\s//g

        AuthByPolicy ContinueAlways
        AcctLogFileName %L/detail

        <AuthBy SQL>
                # AuthSelect with empty string means don't do auth
                AuthSelect
                DBSource dbi:mysql:radius:marvin.ccis.net
                ...blah blah blah...
        </AuthBy>

        # Make sure they appear in the users2 file
        # Anyone with Auth-Type=UNIX in the users2 file will be
        # authenticated with the AuthBy UNIX above
        <AuthBy FILE>
                Filename %D/users2
        </AuthBy>
</Handler>
-----------------

Now comes the sticky part.. I thought all I had to do to enable plaintext passwords (for CHAP) was add another AuthBy in the Handler, which looks up username/password pairs in a MySQL database:

-----------------
# authenticate from info in the passwd3 (local) database
<AuthBy SQL>
        DBSource dbi:mysql:nocol_replication
        DBUsername XXXXX
        DBAuth XXXXX
        AuthSelect select password from passwd3 where username=%0
        AuthColumnDef 0, User-Password, check
</AuthBy>
-----------------

..but it occurred to me around 4AM that all the check items that give our customers static IPs, subnets, and ISDN access, as well as denying access to email-only users with a "Reject" clause, are back in the old users2 file, which is not referenced in the AuthBy SQL clause.

I think I could put the check items in the database, but that would be very difficult, as the SQL file is generated by Platypus, and the check items 'users2' are generated by unix, using a combination of automation and a manual exceptions file, like this:

-----------------
....
ickien  Auth-Type = "Reject"
villari Auth-Type = "Reject"
whitfordcc      Auth-Type = "Reject"
whs     Auth-Type = "Reject"
willson Auth-Type = "Reject"
wjinc   Auth-Type = "Reject"
wm      Auth-Type = "Reject"
wwwfaddis       Auth-Type = "Reject"
wwwfrankelec    Auth-Type = "Reject"
#BEGIN AUTO generated ISDN Users - PLAT 02/13/2003 09:46:50
lorri   Auth-Type = "UNIX"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 209.195.204.34,
        Framed-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP
...
thesignalgw     Auth-Type = "UNIX"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 209.195.209.218,
        Framed-Netmask = 255.255.255.248,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP
...
DEFAULT Auth-Type = "UNIX", NAS-Port-Type = Async
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 255.255.255.254,
        Framed-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP
...
------------------------------

I guess the question here is: Is there any way I can tell the AuthBy SQL to fetch the check items from the users2 file, while using its username and password fields for the authentication part?
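Why CHAP forces the cleartext password store mentioned in the post, as an added example that is not part of the original message or of Radiator: the server has to recompute the RFC 1994 response MD5(identifier || secret || challenge), which it cannot do from a one-way hash such as the entries in passwd2. All values are constructed, and a salted SHA-256 stands in for the crypt(3) hash.

```python
import hashlib
import hmac


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5 over the one-byte identifier, the secret, then the challenge."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def verify_chap(chap_password: bytes, challenge: bytes, stored_secret: bytes) -> bool:
    """Check a RADIUS CHAP-Password attribute (ident byte + 16-byte response)."""
    if len(chap_password) != 17:
        return False  # malformed attribute, reject before hashing
    chap_id, response = chap_password[0], chap_password[1:]
    expected = chap_response(chap_id, stored_secret, challenge)
    return hmac.compare_digest(response, expected)


def verify_pap(cleartext: bytes, salt: bytes, stored_hash: bytes) -> bool:
    """PAP delivers the password itself, so a one-way hash store can check it."""
    candidate = hashlib.sha256(salt + cleartext).digest()
    return hmac.compare_digest(candidate, stored_hash)


def demo() -> dict:
    # Constructed sample values, not taken from the post.
    password = b"s3cret-example"
    challenge = bytes(range(16))
    chap_id = 0x2A
    salt = b"ab"
    # Stand-in for a passwd2 entry: salted one-way hash (SHA-256 here, not crypt(3)).
    hashed_entry = hashlib.sha256(salt + password).digest()
    # What the NAS forwards for a CHAP login: ident byte followed by the response.
    chap_password = bytes([chap_id]) + chap_response(chap_id, password, challenge)
    return {
        "pap_against_hash": verify_pap(password, salt, hashed_entry),
        "chap_against_plaintext": verify_chap(chap_password, challenge, password),
        "chap_against_hash": verify_chap(chap_password, challenge, hashed_entry),
        "chap_truncated": verify_chap(chap_password[:10], challenge, password),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Only the cleartext store verifies the CHAP response; the hashed entry works for PAP but fails for CHAP, which is why the unix-encrypted passwd2 cannot serve CHAP users.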