Re: Authenticate via rlm_pap/rlm_chap/rlm_mschap against external password
Anton Voronin [EMAIL PROTECTED] wrote:
> Well, then I guess, the problem is to replace User-Password, NT-Password and LM-Password in request->config_items pairlist (using some external module) at the authorization stage so that chained rlm_pap/rlm_chap/rlm_mschap modules could check against them during authentication stage, like this:

Huh? Why?

If the user supplies a PAP password (User-Password), and the server has only an NT/LM password, then the PAP module can do the authentication itself. This requires minor code changes to the module.

If the user supplies a CHAP password, and the server has only an NT/LM password, then the server CANNOT authenticate the user.

If the user supplies an MS-CHAP password, and the server has only an NT/LM password, then the MS-CHAP module already works.

In none of these cases is a complex fail-over configuration required.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authenticate via rlm_pap/rlm_chap/rlm_mschap against external password
Well, then I guess, the problem is to replace User-Password, NT-Password and LM-Password in request->config_items pairlist (using some external module) at the authorization stage so that chained rlm_pap/rlm_chap/rlm_mschap modules could check against them during authentication stage, like this:

    modules {
        ...
        exec_new ext_script {
            # an abstract exec-like module that fetches passwords
            # and installs them into request->config_items
            wait = yes
            program = /usr/local/sbin/AuthRadius %Z
        }
        ...
    }

    authorize {
        ...
        ext_script
        ...
    }

    authenticate {
        Auth-Type EXEC {
            group {
                pap {
                    fail = 1
                    invalid = 2
                    reject = 3
                    noop = 4
                    ok = return
                    updated = return
                    userlock = return
                    handled = return
                }
                chap {
                    fail = 1
                    invalid = 2
                    reject = 3
                    noop = 4
                    ok = return
                    updated = return
                    userlock = return
                    handled = return
                }
                mschap {
                    fail = 1
                    invalid = 2
                    reject = 3
                    noop = 4
                    ok = return
                    updated = return
                    userlock = return
                    handled = return
                }
            }
        }
    }

Is it ever possible (even with rlm_exec modification)?

27 2004 21:19 Alan DeKok (a):
> Anton Voronin [EMAIL PROTECTED] wrote:
> > Is it possible to somehow make rlm_pap, rlm_chap or rlm_mschap to authenticate against a password (or NT/LM hash) taken from an external source (for example, using rlm_exec or rlm_perl)?
>
> MS-CHAP does this already. If you would have tried it, you would see that it works.
>
> It's impossible to do for CHAP. The PAP module could do it I guess, but it would require code changes.

--
Anton Voronin
Intersvyaz JSC
http://www.chelcom.ru
+7 (3512) 655199
Re: Authenticate via rlm_pap/rlm_chap/rlm_mschap against external password
Anton Voronin [EMAIL PROTECTED] wrote:
> Is it possible to somehow make rlm_pap, rlm_chap or rlm_mschap to authenticate against a password (or NT/LM hash) taken from an external source (for example, using rlm_exec or rlm_perl)?

MS-CHAP does this already. If you would have tried it, you would see that it works.

It's impossible to do for CHAP. The PAP module could do it I guess, but it would require code changes.

Alan DeKok.