Re: Authenticate via rlm_pap/rlm_chap/rlm_mschap against external password

2004-03-01 Thread Alan DeKok
Anton Voronin [EMAIL PROTECTED] wrote:
 Well, then I guess, the problem is to replace User-Password,
 NT-Password and LM-Password in request->config_items pairlist (using
 some external module) at the authorization stage so that chained
 rlm_pap/rlm_chap/rlm_mschap modules could check against them during
 authentication stage, like this:

  Huh?  Why?

  If the user supplies a PAP password (User-Password), and the server
has only an NT/LM password, then the PAP module can do the
authentication itself.  This requires minor code changes to the
module.

  If the user supplies a CHAP password, and the server has only an
NT/LM password, then the server CANNOT authenticate the user.

  If the user supplies an MS-CHAP password, and the server has only an
NT/LM password, then the MS-CHAP module already works.

  In none of these cases is a complex fail-over configuration
required.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authenticate via rlm_pap/rlm_chap/rlm_mschap against external password

2004-02-29 Thread Anton Voronin
Well, then I guess, the problem is to replace User-Password, NT-Password and 
LM-Password in request->config_items pairlist (using some external module) at 
the authorization stage so that chained rlm_pap/rlm_chap/rlm_mschap modules 
could check against them during authentication stage, like this:

modules {
    ...
    # an abstract exec-like module that fetches passwords and installs
    # them into request->config_items
    exec_new ext_script {
        wait = yes
        program = /usr/local/sbin/AuthRadius %Z
    }
    ...
}
authorize {
    ...
    ext_script
    ...
}
authenticate {
    Auth-Type EXEC {
        group {
            pap {
                fail     = 1
                invalid  = 2
                reject   = 3
                noop     = 4
                ok       = return
                updated  = return
                userlock = return
                handled  = return
            }
            chap {
                fail     = 1
                invalid  = 2
                reject   = 3
                noop     = 4
                ok       = return
                updated  = return
                userlock = return
                handled  = return
            }
            mschap {
                fail     = 1
                invalid  = 2
                reject   = 3
                noop     = 4
                ok       = return
                updated  = return
                userlock = return
                handled  = return
            }
        }
    }
}


Is it ever possible (even with rlm_exec modification)?


On 27 February 2004 21:19, Alan DeKok wrote:
 Anton Voronin [EMAIL PROTECTED] wrote:
  Is it possible to somehow make rlm_pap, rlm_chap or rlm_mschap to
  authenticate against a password (or NT/LM hash)  taken from an external
  source (for example, using rlm_exec or rlm_perl)?

   MS-CHAP does this already.  If you would have tried it, you would
 see that it works.

   It's impossible to do for CHAP.

   The PAP module could do it I guess, but it would require code
 changes.

-- 
Anton Voronin
Intersvyaz JSC
http://www.chelcom.ru
+7 (3512) 655199




Re: Authenticate via rlm_pap/rlm_chap/rlm_mschap against external password

2004-02-27 Thread Alan DeKok
Anton Voronin [EMAIL PROTECTED] wrote:
 Is it possible to somehow make rlm_pap, rlm_chap or rlm_mschap to authenticate 
 against a password (or NT/LM hash)  taken from an external source (for 
 example, using rlm_exec or rlm_perl)?

  MS-CHAP does this already.  If you would have tried it, you would
see that it works.

  It's impossible to do for CHAP.

  The PAP module could do it I guess, but it would require code
changes.

  Alan DeKok.
