(RADIATOR) Group checking *only* with AuthBy UNIX?

Ray Van Dolson rayvd at corp.digitalpath.net
Wed Jun 15 19:24:03 CDT 2005


I'm trying to add in some authentication support for a client that is already
using Radiator.  They use AuthBy UNIX in conjunction with an AuthBy FILE to
determine group membership of users and return the appropriate reply
attributes.

However, the authentication I need to set up uses MSCHAPv2 so obviously I
cannot use UNIX authentication for this since the passwords are not in
plaintext.

The provisioning scripts this client uses create a Unix account for other
reasons -- shell, web access, ftp, etc. -- and also set the group membership
based on the account type in their billing system.  I'm not keen on changing
drastically how their process works, so I want to know if I can somehow still
make use of the user's Unix group membership, without having authentication
fail because of the non-clear-text password, and make use of the Group
returned in my reply attributes list.

For example, I have the following entry in their users file:

DEFAULT Auth-Type = System, Group = wirccrc
        MS-MPPE-Encryption-Policy = Encryption-Required,
        Acct-Interim-Interval = 300,
        Ascend-Data-Rate = 4000000,
        Ascend-Xmit-Rate = 2000000

With the current setup, this will attempt to authenticate against the AuthBy
block with identifier of System -- which happens to be an AuthBy UNIX block.
In an ideal world, the authentication succeeds and the user's group membership
is returned.  If it matches wirccrc, the attributes listed above are returned.

However, since I'm using MSCHAPv2, authentication fails.  Any "default" way to
bypass the authentication failure and pull in the group for use with the Group
check attribute?

As far as I understand I can only use Group with AuthBy types of SYSTEM or
UNIX, so if the above isn't easily possible, some alternate suggestions would
be appreciated.

Thanks,
Ray
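
Added illustration, not part of the original post and not Radiator code: Unix group membership is derived from the passwd and group databases alone, so it can be resolved without ever touching the password field. The file contents, user names and function names below are constructed for the example.

```python
# Constructed sample data in passwd(5) / group(5) format (not from the post).
PASSWD = """\
alice:x:1001:2001:Alice:/home/alice:/bin/sh
bob:x:1002:2002:Bob:/home/bob:/bin/sh
"""
GROUP = """\
wirccrc:x:2001:
dialup:x:2002:alice
staff:x:2003:bob,alice,mallory
"""

def parse_passwd(text):
    """Map user name -> primary GID. The password field is never read."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[3].isdigit():
            users[fields[0]] = int(fields[3])
    return users

def parse_group(text):
    """Map group name -> (GID, set of supplementary member names)."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[2].isdigit():
            members = {m for m in fields[3].split(",") if m}
            groups[fields[0]] = (int(fields[2]), members)
    return groups

def user_groups(user, users, groups):
    """Groups of a known user: primary group (by GID) plus member lists."""
    if user not in users:
        return set()  # fail closed: no passwd entry means no groups
    primary = users[user]
    return {name for name, (gid, members) in groups.items()
            if gid == primary or user in members}

def group_check(user, wanted, passwd_text=PASSWD, group_text=GROUP):
    """True if `user` belongs to `wanted`, as a Group check item would test."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    return wanted in user_groups(user, users, groups)

if __name__ == "__main__":
    for name in ("alice", "bob", "mallory"):
        print(name, "in wirccrc:", group_check(name, "wirccrc"))
```

A user who appears only in a group's member list but has no passwd entry (mallory in the sample data) gets no groups, so a stale group file cannot grant reply attributes to an account that no longer exists.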
