Ticket #23 (closed Enhancement: Will not be fixed)

Opened 12 months ago

Last modified 2 months ago

radius authentication

Reported by: jh Owned by: mircea
Priority: Major Milestone:
Component: Authentication Version: Release 1.0
Severity: Critical Keywords:
Cc:

Description

For those who use Radius authentication of users in OpenSER, it would be critical to have a Radius authentication backend also for OpenXCAP.

By looking at the code, Radius authentication does not seem that difficult to add using pyrad. What confuses me is the organization of backend classes. Now database.py deals with both authentication and storage, whereas openser.py only deals with storage.

I'm not any expert on this, but should there be separate openser_storage.py and database_storage.py as well as database_authentication.py and radius_authentication.py or what?

-- Juha

Change History

Changed 12 months ago by jh

i did a radius authentication experiment using pyrad and got authentication working using the simple program below. thus in radius config, the following items seem to suffice:

    class Config(ConfigSection):
        radius_server = '127.0.0.1'
        secret = 'secret'
        dictionary = 'dictionary'
        service_type = None

if service_type is null, no Service-Type attribute will be added. User-Name and User-Password would get their values like in db authentication.

-- juha


    import pyrad.packet
    from pyrad.client import Client
    from pyrad.dictionary import Dictionary

    # Current pyrad releases expect the shared secret as bytes.
    srv = Client(server="127.0.0.1", secret=b"secret",
                 dict=Dictionary("dictionary"))

    req = srv.CreateAuthPacket(code=pyrad.packet.AccessRequest,
                               User_Name="foo@test.fi")
    # PwCrypt hides the password using the shared secret and the request authenticator.
    req["User-Password"] = req.PwCrypt("top_secret")
    req["Service-Type"] = "Login-User"

    reply = srv.SendPacket(req)
    if reply.code == pyrad.packet.AccessAccept:
        print("access accepted")
    else:
        print("access denied")

    print("Attributes returned by server:")
    for i in reply.keys():
        print("%s: %s" % (i, reply[i]))

Changed 11 months ago by admin

  • owner changed from Mircea Amarascu to admin
  • status changed from new to accepted

Hello Juha,

We'll try to integrate Radius authentication as soon as possible. Both openser.py and database.py deal with authentication, but openser.py just subclasses the authentication classes from database.py, so indeed we'll probably need some restructuring or refactoring of the code to support other authentication methods such as Radius or LDAP.

Changed 11 months ago by jh

Mircea,

a quick hack would be to write _query_radius function similar to _query_credentials that instead of db query would make radius query as in above and if query succeeds, would call _got_query_results with rows argument that would be the same as the credentials password, and if query fails, would call _got_query_results with null rows argument. that way the rest of the code could be left untouched.

but as you say, may be better to do some restructuring so that it is easy to cope with new auth methods later.

-- Juha

Changed 11 months ago by mircea

  • owner changed from admin to mircea
  • status changed from accepted to assigned

Changed 11 months ago by mircea

  • status changed from assigned to accepted

Changed 2 months ago by admin

  • status changed from accepted to closed
  • resolution changed from To be investigated to Will not be fixed

Version 1.0 will be launched soon but it still does not have radius back-end as we had no resources to implement this feature.
