
List:       freeradius-users
Subject:    Re: Authentication with Vendor-Specific Attribute
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2021-04-20 10:05:20
Message-ID: C7D3ED1A-B667-4F84-930F-BC75B227D988 () deployingradius ! com

On Apr 20, 2021, at 5:57 AM, Daniel Kastner <daniel.kastner@karakun.com> wrote:
> 
> I'm totally new to this (free)Radius stuff and trying to achieve
> authentication based on a vendor-specific attribute sent by the client.
> I've added the custom attribute in a new dictionary file
> /opt/share/freeradius/dictionary.myvendor:
> VENDOR MyVendor 16132
> BEGIN-VENDOR  MyVendor
> ATTRIBUTE MyVendor-OneTimePassword 1 string
> END-VENDOR MyVendor

  That seems fine.  It's better to use the actual vendor name, though.

> Included it in the /opt/share/freeradius/dictionary:
> 
> $INCLUDE dictionary.myvendor

  That will get over-written on the next install of the server.  The
installation process assumes that you don't edit the default dictionaries.

  You can put the $INCLUDE into raddb/dictionary, where it will not get
over-written.  The installation process assumes that you edit the files in
raddb/, so it doesn't over-write them.

> And now trying the following in file /opt/etc/raddb/mods-config/files/authorize:
> 
> bob Cleartext-Password := "hello"
> if( &MyVendor-OneTimePassword == "123456" ) {
> Auth-Type := Accept
> Reply-Message := "Hello %{User-Name}, great to have you here!"
> } else {
> Auth-Type := Reject
> Reply-Message := "Sorry %{User-Name}, wrong OTP"
> }

  That's not the format of the "authorize" file.  See the many other examples
in that file, and "man users" documentation for it.

  You can put the "bob" line into the "authorize" file.

  The rest has to go into raddb/sites-available/default, in the "authorize"
section.  There are many examples of if / then / else logic in that file.

  Alan DeKok.
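
The layout the reply describes, as an added example (not part of the original message and not FreeRADIUS project code). It assumes FreeRADIUS 3.x unlang syntax (`update control` / `update reply`), an absolute $INCLUDE path to the poster's dictionary file, and the poster's own attribute name and static test OTP.

```unlang
# --- raddb/dictionary (local file, not replaced on upgrade) ---
# Absolute path (assumption), because the poster's file lives outside raddb/.
$INCLUDE /opt/share/freeradius/dictionary.myvendor

# --- raddb/mods-config/files/authorize ("users" format, no if/else here) ---
bob	Cleartext-Password := "hello"

# --- raddb/sites-available/default ---
authorize {
	# ... existing module list (preprocess, files, pap, ...) unchanged ...

	if (&MyVendor-OneTimePassword == "123456") {
		# Auth-Type Accept bypasses the Cleartext-Password check:
		# the OTP alone decides the outcome for every user.
		update control {
			&Auth-Type := Accept
		}
		update reply {
			&Reply-Message := "Hello %{User-Name}, great to have you here!"
		}
	}
	else {
		# Also taken when the attribute is absent from the request.
		update control {
			&Auth-Type := Reject
		}
		update reply {
			&Reply-Message := "Sorry %{User-Name}, wrong OTP"
		}
	}
}
```

Leaving out the `&Auth-Type := Accept` update hands the request to the normal authentication modules, so the password is still verified in addition to the OTP.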

