(RADIATOR) DecryptPassword
Hugh Irvine
hugh at open.com.au
Fri Oct 13 18:12:51 CDT 2006
Hello Zak -
Could you please tell me the name of the registered company that has
purchased this copy of Radiator?
Please reply to me directly.
In answer to your question, you should use a ReplyHook in the AuthBy
RADIUS clause to do whatever you need to do when the proxy reply
comes back from the remote radius server. There is an example showing
how to do this in "goodies/hooks.txt" in the Radiator 3.15 distribution.
regards
Hugh
On 13 Oct 2006, at 20:32, Zak McGregor wrote:
> Hi all
>
> I have the following specified in my config file:
> LogDir /var/log/radius
> DbDir /etc/radiator
> Trace 4
> BindAddress *********,127.0.0.1
> DictionaryFile /etc/radiator/dictionary
> AuthPort 1812
> AcctPort 1813
> <Client 127.0.0.1>
> Secret ********
> </Client>
> <AuthBy FILE>
> Identifier RejectUser
> Filename /etc/radiator/reject.user
> </AuthBy>
> <Handler NAS-Port-Type=ISDN>
> AuthBy RejectUser
> </Handler>
> <Handler Realm=********>
> AuthByPolicy ContinueWhileReject
> <AuthBy EXTERNAL>
> DecryptPassword
> Command /usr/local/bin/AuthCGPExt.pl
> </AuthBy>
> <AuthBy RADIUS>
> Synchronous
> Host 196.37.50.98
> Secret x-streamsucks!
> AuthPort 1888
> NoForwardAccounting
> DefaultReply NAS-Port-Type=Async
> DefaultSimultaneousUse 1
> </AuthBy>
> </Handler>
>
> I have replaced potentially sensitive information with "*****", but
> realm is fine & ip address info is all working correctly.
> Currently, we
> are proxying through to another radius server on a custom port. I am
> trying to implement an external auth program to verify users using
> different criteria than the radius server on port 1888 can currently
> handle. Unfortunately, the DecryptPassword declaration doesn't seem to
> be working, as the external authprogram still gets
> User-Password="<nnn><nnn><nnn>....|" (always seems to end with a
> pipe).
> How can I get the plaintext password to the external program OR how
> can
> I make Radiator require both AuthBy declarations to be satisfied
> before
> allowing access? I could then leave the proxied server to handle the
> actual password verification, and just use my external program to
> verify other user details and fail on things like when the user's
> subscription expired.
>
> Thanks!
>
> Cheers
>
> Zak
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list