Hello Joe,
We do that here. We use and recommend Arjan de Vet's patch
http://www.iae.nl/users/devet/squid/proxy_auth/
and my own 'authenticate' child written in Perl5 (thanks to Arjan for
the useful sample perl) which uses the standard radpwtst binary which
comes with radius. I have included this code below. It utilizes a
'round-robin' DNS entry for the name radius.<snip> and does fall-back.
I would not claim that this is bullet proof or efficient, but it works
for us and should do until Arjan releases his radius client support.
Note the fascist regex to check for valid usernames. If you use this,
you will need to customise this but beware: username '-' must not be
valid, and does exciting things with radpwtst if you let it through. You
should also double check your return codes from the radpwtst pipe.
Andrew.
#!/usr/local/bin/perl
# AES Feb 1998
use FileHandle;
# open(L, ">>/tmp/authenticate.log") || die "$!";
# L->autoflush(1);
STDOUT->autoflush(1);
$radpwtst = '/usr/local/radius/radpwtst';
$rad_serv = 'radius.<snip>';
$udp_port = 1649;
@addr_struct = gethostbyname($rad_serv);
scalar(@addr_struct) > 4 or die "Cannot find radius server $rad_serv in
DNS.";
splice @addr_struct, 0, 4;
@ip_nums = @addr_struct;
$num_ips = scalar(@ip_nums);
$ip_index = 0;
$ip = join '.', unpack('C4', $ip_nums[$ip_index]);
LINE: while (<STDIN>) {
# print L;
chop;
if ($_ !~ /^[a-z0-9]{1,8}\s+[^\s]{1,40}$/){
print "ERR\n";
# print L "ERR\n";
next LINE;
}
($user, $passwd) = split /\s+/, $_;
$count = 0;
do {
open(RAD, "| $radpwtst -p $udp_port -s $ip -r 4 $user >
/dev/null 2>&1")
or die "$!";
RAD->autoflush(1);
print RAD "$passwd\n" or die "$!";
close(RAD);
$return = ($? >> 8);
++$count;
if ($return != 0 and $return != 254) {
$ip_index = (++$ip_index) % $num_ips;
$ip = join '.', unpack('C4', $ip_nums[$ip_index]);
}
} until ($count > 4 or $return == 0 or $return == 254);
if ($return == 0){
print "OK\n";
# print L "OK\n";
} else {
print "ERR\n";
# print L "ERR\n";
}
}
exit(0);
Joe Smith wrote:
>
> On Tue, 9 Jun 1998, Henrik [iso-8859-1] Nordstr�m wrote:
>
> > > Is there anyway to do user Authentication other than the passwd file?
> >
> > You can use any passwd file you like. And if a passwd file is not what
> > you want then I think there is a patch for modular authentication that
> > allows most authentication schemes to be plugged in.
>
> I would like to point this thing (SQUID) at a Radius server if posible.
-- Dr. Andrew Smith Any OPINIONS expressed are Network Development mine and do not necessarily Prentice Centre reflect the views of the University of Queensland University of Qld. Australia, 4072. email: ccasmith@prentice.uq.edu.auReceived on Tue Jun 09 1998 - 21:02:57 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:40:41 MST