Hi All
I have spent the past couple of days playing with the new radius feature of
the captive portal.
It certainly works well as described, but it took a while to get things sorted
with my radius setup.
The issue I discovered was with the passwords, that are sent using the PAP
protocol (User-Password attribute). This did not work for me initially, but
I tracked the issue down: I needed to set the PAP passwords as type CLEAR in
the FreeRADIUS config file.
Whilst this fixes the problem, it raises an issue. Most people (including me)
do not like storing passwords in clear on the RADIUS server (in my case in an
SQL database). FreeRADIUS offers a variety of storage mechanisms (such as
the classic UNIX crypt-style, MD5, etc). I would like to see an option to
specify that the passwords should be hashed with md5 or similar before
transmission.
Likewise, many people like to use CHAP, so perhaps a CHAP option will be good
as well.
Another issue is with the return data from the radius server. The code
currently just looks in the return packet for the opcode of reply (2=success,
3=fail). I am currently playing around with an idea to have the server send
back a 'time' parameter that would establish the maximum time the user could
be connected without logging-in again. This would probably come in the
Reply-Message attribute in the same packet as the YEA/NAY. This would then
be used to establish the timeout. The main use for this feature would be for
pay services in wireless hotspots, cafes, etc.
Anybody else interested in some or all of these features? (I will have a crack
at a couple of them this weekend.)
One unrelated question - where does the /usr/local/bin/verifysig code come
from?
Best regards
Peter
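
An added example, not part of the original message and not captive portal or FreeRADIUS code: how the PAP User-Password attribute is hidden on the wire (RFC 2865, section 5.2) and how a server that recovers it with the shared secret can check it against a stored one-way hash. The function names, the sample secret and password, and the use of PBKDF2 for the stored record are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _xor_chain(secret, authenticator, data, decrypt):
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    # ciphertext block); the first block uses the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(chunk, mask))
        out += res
        prev = chunk if decrypt else res
    return out

def hide_password(password, secret, authenticator):
    """Client (NAS) side: build the User-Password attribute value."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    size = max(1, -(-len(password) // 16)) * 16   # pad to a multiple of 16
    return _xor_chain(secret, authenticator, password.ljust(size, b"\x00"), False)

def recover_password(hidden, secret, authenticator):
    """Server side: undo the hiding using the same shared secret."""
    return _xor_chain(secret, authenticator, hidden, True).rstrip(b"\x00")

def make_record(password, salt=None):
    # Assumption: PBKDF2-HMAC-SHA256 stands in for whatever one-way scheme
    # the user store actually uses.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def check_pap(hidden, secret, authenticator, record):
    salt, stored = record
    submitted = recover_password(hidden, secret, authenticator)
    candidate = hashlib.pbkdf2_hmac("sha256", submitted, salt, 100_000)
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed sample values
    authenticator = os.urandom(16)             # Request Authenticator
    record = make_record(b"correct horse battery")
    good = hide_password(b"correct horse battery", secret, authenticator)
    bad = hide_password(b"wrong password", secret, authenticator)
    print("accept" if check_pap(good, secret, authenticator, record) else "reject")
    print("accept" if check_pap(bad, secret, authenticator, record) else "reject")
```

The hiding depends only on the shared secret and the Request Authenticator, so the strength of that secret determines how well the password is protected between the portal and the RADIUS server.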