Нужна аутентификация пользователей в plain-text (без PAP или CHAP), возможно ли это?
Если нет, то как во FreeRADIUS, который аутентифицирует пользователей D-Link и прочих производителей в plain-text c использованием MySQL и т.п. прописать, чтобы он мог распознавать CHAP или PAP (что там именно используется, кстати?).
В табличке device хранятся ip устройств и их radius_shared_secrets, в табличке device_admins имена пользователей, не зашифрованные пароли и уровни доступа.
Конфиг радиуса такой:
Код: Выделить всё
server sw-auth {
# Listen for Access-Requests
listen {
ipaddr = 1.2.3.4
#ipv6addr = ::
#interface = eth0
port = 1816
type = auth
clients = acc_per_socket_clients
}
authorize {
# Process the request
update control {
Tmp-Integer-0 = "%{sql: SELECT level FROM device_admins WHERE login = '%{request:User-Name}' AND (passwd = '%{request:User-Password}'
}
if ("%{control:Tmp-Integer-0}" != 0) {
if ("%{control:Tmp-Integer-0}" == 3) { # admin
update control {
Tmp-Integer-1 = 5
Tmp-Integer-2 = 6 # Administrative-User
Tmp-String-0 = "shell:priv-lvl=15"
}
}
elsif ("%{control:Tmp-Integer-0}" == 2) { # operators
update control {
Tmp-Integer-1 = 4
Tmp-Integer-2 = 0 # not set
Tmp-String-0 = "shell:priv-lvl=14"
}
}
elsif ("%{control:Tmp-Integer-0}" == 1) { # user
update control {
Tmp-Integer-1 = 3
Tmp-Integer-2 = 1 # Login-User
Tmp-String-0 = "shell:priv-lvl=1"
}
}
update reply {
dlink-Privelege-Level = "%{control:Tmp-Integer-1}"
}
if ("%{control:Tmp-Integer-2}" != 0) {
update reply {
Service-Type = "%{control:Tmp-Integer-2}"
}
}
if ("%{request:Cisco-AVPair}") {
update reply {
Cisco-AVPair = "%{control:Tmp-String-0}"
}
}
update control {
Auth-Type = Accept
}
ok
}
else {
update control {
Auth-Type = Reject
}
reject
}
update reply {
NAS-IP-Address = "%{request:NAS-IP-Address}"
#NAS-IPv6-Address = "%{request:NAS-IPv6-Address}"
}
}
authenticate {
ok
}
# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
ok
}
}
# Define a network where clients may be dynamically defined.
clients acc_per_socket_clients {
client acc_dynamic_client {
ipaddr = 0.0.0.0
netmask = 0
# Define the virtual server used to discover dynamic clients.
dynamic_clients = acc_dynamic_client_server
# Define the lifetime (in seconds) for dynamic clients.
# They will be cached for this lifetime, and deleted afterwards.
# If the lifetime is "0", then the dynamic client is never
# deleted. The only way to delete the client is to re-start
# the server.
lifetime = 60
}
}
# This is the virtual server referenced above by "dynamic_clients".
server acc_dynamic_client_server {
# The only contents of the virtual server is the "authorize" section.
authorize {
# Process the request
update control {
Tmp-String-0 = "%{sql: SELECT radius_shared_secret FROM device WHERE ip = '%{request:Packet-Src-IP-Address}'}"
}
if ("%{control:Tmp-String-0}") {
update control {
# Echo the IP address of the client.
FreeRADIUS-Client-IP-Address = "%{request:Packet-Src-IP-Address}"
# require_message_authenticator
#FreeRADIUS-Client-Require-MA = no
# shortname
# required!!!
FreeRADIUS-Client-Shortname = "%{request:Packet-Src-IP-Address}"
# nastype
#FreeRADIUS-Client-NAS-Type = "other"
# secret
FreeRADIUS-Client-Secret = "%{control:Tmp-String-0}"
}
# Tell the caller that the client was defined properly.
# If the authorize section does NOT return "ok", then
# the new client is ignored.
ok
}
else{
reject
}
}
}