
Re: radius server supporting LDAP



On Mon, Jan 08, 2001 at 06:50:16PM +1100, Jeremy Lunn wrote:
> I am just wondering if anyone knows of any radius servers that support
> LDAP for configuration.  Cistron Radius sounds good, but it can only
> use LDAP for authentication, not for other configuration options such
> as static IP addresses.
>
> Can anyone advise me of a radius server that supports all configuring
> for users to be done using LDAP?

you could check whether the beta freeradius (successor to cistron
radiusd) supports it. http://www.freeradius.org/

alternatively, you could use cistron's Exec-Program-Wait feature. it
allows you to run an external script for authentication and to add
extra A/V pairs. see /usr/share/doc/radiusd-cistron/README.gz in the
cistron-radiusd package.

an excerpt:

  Exec-Program          string          program to execute after authentication
  Exec-Program-Wait     string          ditto, but wait for program to finish
                                        before sending back auth. reply

  Exec-Program can take arguments. You can use macros in the arguments:

  Taken from the original request:
    %p   Port number
    %n   NAS IP address
    %u   User name
    %a   Protocol (SLIP/PPP)
    %s   Speed (connect string - eg "28800/V42.BIS")
    %i   Calling Station ID

  Taken from the reply as defined thus far:
    %f   Framed IP address
    %c   Callback-Number
    %t   MTU

  For example, use the following entry for someone who has BSMTP (queued
  SMTP) service. "brunq" is the program that runs the SMTP queue.

  robert        Service-Type = Framed-User
                Exec-Program = "/usr/local/sbin/brunq -h %f delta",
                Fall-Through = 1

  The output from Exec-Program-Wait is parsed by the radius server. If
  it looks like Attribute/Value pairs, they are decoded and added to the
  reply sent to the NAS. This way, you can for example set Session-Timeout.

  For backwards compatibility, if the output doesn't look like valid
  radius A/V pairs, the output is taken as a message and added to the
  reply sent to the NAS as Port-Message.

  If Exec-Program-Wait returns a non-zero exit status, access will be
  denied to the user. With a zero-exit status, access is granted.


craig

--
craig sanders
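An Exec-Program-Wait helper of the kind the excerpt describes, added here as an example and not code from the cistron package or the original mail: it looks up the user's attributes and prints them as A/V pairs for the reply, exiting non-zero to deny access. The ldapsearch call is replaced by a constructed LDIF sample so it runs offline, and the attribute names radiusFramedIPAddress and radiusSessionTimeout are assumptions.

```shell
#!/bin/sh
# Intended use in the users file (assumed):
#   Exec-Program-Wait = "/usr/local/sbin/ldap-av %u"
# Output is parsed by radiusd as A/V pairs; exit 1 => access denied.

# Constructed stand-in for what an ldapsearch on the user would return.
LDIF_SAMPLE='dn: uid=robert,ou=people,dc=example,dc=org
uid: robert
radiusFramedIPAddress: 10.0.0.5
radiusSessionTimeout: 3600

dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
radiusSessionTimeout: 1800
'

# ldap_attr USER ATTR: print one attribute of USER from the sample
# (replace the printf with a real ldapsearch for production use).
ldap_attr() {
    printf '%s\n' "$LDIF_SAMPLE" | awk -v u="$1" -v a="$2" '
        /^uid: / { cur = $2 }
        $1 == (a ":") && cur == u { print $2; exit }
    '
}

# emit_av_pairs USER: print the reply pairs and return 0, or return 1
# (Access-Reject) if the user is unknown or the name is unsafe.
emit_av_pairs() {
    user=$1
    # %u comes straight from the NAS request: never let anything but a
    # plain account name reach the directory filter.
    case $user in
        *[!A-Za-z0-9._-]*|'') return 1 ;;
    esac
    [ -n "$(ldap_attr "$user" uid)" ] || return 1
    ip=$(ldap_attr "$user" radiusFramedIPAddress)
    to=$(ldap_attr "$user" radiusSessionTimeout)
    pairs=''
    if [ -n "$ip" ]; then pairs="Framed-IP-Address = $ip"; fi
    if [ -n "$to" ]; then pairs="${pairs:+$pairs, }Session-Timeout = $to"; fi
    printf '%s\n' "$pairs"
    return 0
}

# When invoked by radiusd, the user name arrives as $1.
if [ $# -gt 0 ]; then
    emit_av_pairs "$1"
fi
```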
