CHAP Authentication with rlm_perl module


imdadk
Dear all,

I am using the Perl module; it works just like the exec module, but no doubt
it has increased performance under high load. But I have some queries about
using the CHAP authentication method with the Perl module.


In CHAP authentication I can't verify the password with Cleartext-Password,
right?
That's why I set the RADCHECK attribute Cleartext-Password="password", and
after that FreeRADIUS verifies it with the authenticator and all. And if the
password doesn't match, then it returns Reject.

But if I want to accept those users (who have the wrong password) with a
special disabled Framed-IP, then how can I?


Thanks all,

Imdad
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: CHAP Authentication with rlm_perl module

Alan DeKok-2
On May 14, 2020, at 7:00 PM, Imdad Hasan <[hidden email]> wrote:
> I am using the Perl module; it works just like the exec module, but no doubt
> it has increased performance under high load. But I have some queries about
> using the CHAP authentication method with the Perl module.

  The answer is "don't do CHAP with Perl".  Instead, let FreeRADIUS do the authentication.

>
> In CHAP authentication I can't verify the password with Cleartext-Password,
> right?

  You can.  The CHAP module takes care of this.

> That's why I set the RADCHECK attribute Cleartext-Password="password", and
> after that FreeRADIUS verifies it with the authenticator and all. And if the
> password doesn't match, then it returns Reject.

  Yes, that works.

> But if I want to accept those users (who have the wrong password) with a
> special disabled Framed-IP, then how can I?

  It's easy, but a little weird.  In the "authenticate" section, do:

        Auth-Type CHAP {
                chap {
                        reject = 1
                }
                if (reject) {
                        update reply {
                                Framed-IP-Address := 192.0.2.128
                        }
                        ok
                }
        }

  And that should do it.

  Then, make sure that you're not over-writing that Framed-IP-Address later.

  Alan DeKok.
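
The check and fallback discussed in this reply, as an added Python illustration (not part of the original thread and not FreeRADIUS code): the server recomputes the RFC 1994 CHAP response from the stored Cleartext-Password, and a mismatch is accepted with the restricted address instead of being rejected. The function names, the sample challenge and the normal address 198.51.100.10 are assumptions made for the example.

```python
import hashlib
import hmac

QUARANTINE_IP = "192.0.2.128"  # restricted address taken from the reply above


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def verify_chap(chap_password: bytes, challenge: bytes, cleartext: bytes) -> bool:
    """Check a RADIUS CHAP-Password value: 1-byte CHAP ID + 16-byte response."""
    if len(chap_password) != 17:
        return False  # malformed attribute, never a match
    expected = chap_response(chap_password[0], cleartext, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


def authenticate(request: dict, cleartext: bytes, normal_ip: str) -> dict:
    """Hypothetical policy mirror: a CHAP mismatch is accepted, but quarantined."""
    matched = verify_chap(request["CHAP-Password"], request["CHAP-Challenge"], cleartext)
    return {
        "code": "Access-Accept",
        "chap_matched": matched,
        "Framed-IP-Address": normal_ip if matched else QUARANTINE_IP,
    }


def sample_request(chap_id: int, typed_password: bytes, challenge: bytes) -> dict:
    """Constructed input: the attributes a NAS would send for typed_password."""
    response = chap_response(chap_id, typed_password, challenge)
    return {"CHAP-Password": bytes([chap_id]) + response, "CHAP-Challenge": challenge}


if __name__ == "__main__":
    challenge = bytes(range(16))  # constructed; a real NAS uses random bytes
    stored = b"password"          # Cleartext-Password from the user store
    for typed in (b"password", b"wrong-guess"):
        print(typed, authenticate(sample_request(7, typed, challenge), stored, "198.51.100.10"))
```

The stored password has to be available in clear because it is a direct input to the MD5; a one-way hash of it cannot be used to recompute the response.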



Re: CHAP Authentication with rlm_perl module

Alan DeKok-2
In reply to this post by imdadk
On May 15, 2020, at 12:11 PM, Imdad Hasan <[hidden email]> wrote:
>
> So, if I want to set the Framed-IP to a dynamic value, then how can I do
> that?

  The server has IP pools you can use.  They are well documented.

  If you have a *specific* question, please ask.

> And I have seen one vendor that uses FreeRADIUS and uses its own module in
> Perl for CHAP authentication. For MSCHAP and EAP it uses the built-in
> system's (FreeRADIUS) module.
>
> Is that possible?

  You're welcome to read the RFCs and implement CHAP yourself.  Why you would waste time doing that, I don't know.

  Alan DeKok.




Re: CHAP Authentication with rlm_perl module

imdadk
In reply to this post by imdadk
OK, so my specific question is: I can't send some other attribute values
with my logic (meaning dynamic) when CHAP rejects the user due to a wrong
password?

Thanks  Alan


Re: CHAP Authentication with rlm_perl module

Alan DeKok-2

> On May 15, 2020, at 2:10 PM, Imdad Hasan <[hidden email]> wrote:
>
> OK, so my specific question is: I can't send some other attribute values
> with my logic (meaning dynamic) when CHAP rejects the user due to a wrong
> password?

  I gave you an example of how to do something when CHAP returns reject.  This "something" can be running the Perl module.

  Please stop expecting us to spoon-feed you every little detail.  That's just not going to happen.

  Now go spend some time *trying* things.

  Alan DeKok.



Re: CHAP Authentication with rlm_perl module

imdadk
In reply to this post by imdadk
Sorry Alan

Really, I tried that and after that I told you.. but it's OK, I will try..
sorry if you think these are stupid questions.

Again, sorry from the bottom of my heart.

Thanks Alan


Re: CHAP Authentication with rlm_perl module

Alan DeKok-2


> On May 15, 2020, at 2:56 PM, Imdad Hasan <[hidden email]> wrote:
>
> Sorry Alan
>
> Really, I tried that and after that I told you.. but it's OK, I will try..
> sorry if you think these are stupid questions.
>
> Again, sorry from the bottom of my heart.

  Please just *try* something.  And ask *specific* questions as I suggested.

  If your questions make it clear that you didn't try anything, then there's no reason for us to help you.  We just can't administer your systems for you.  You need to understand how they work.  Which means spending time reading the documentation, and *trying* things.

  And read this about asking good questions:  http://wiki.freeradius.org/list-help

  Alan DeKok.



Re: CHAP Authentication with rlm_perl module

imdadk
In reply to this post by imdadk
Thanks,

I tried; it's working fine for CHAP. I set the Perl call on reject, and in
Perl I wrote logic for the rejected users.

But the same logic is not working for MS-CHAP. On the client side (Windows PC)
the PPPoE dialer shows an error like "It was not possible to verify identity of
server".

And in FR it shows terminate-cause = User-Request, meaning accounting starts
once and then stops. No issue in authentication.


Re: CHAP Authentication with rlm_perl module

Alan DeKok-2
On May 16, 2020, at 1:33 PM, Imdad Hasan <[hidden email]> wrote:
> I tried; it's working fine for CHAP. I set the Perl call on reject, and in
> Perl I wrote logic for the rejected users.

  Good to hear.

> But the same logic is not working for MS-CHAP. On the client side (Windows PC)
> the PPPoE dialer shows an error like "It was not possible to verify identity of
> server".

  Yes.  It's impossible to do the same thing with MS-CHAP.  Part of MS-CHAP is that the client proves to the server that it knows the password just like CHAP.  However, MS-CHAP also has the server prove to the client that it knows the password.

  Since the server doesn't know the password, it can't issue this proof, and the client tears down the connection.

  Alan DeKok.

