I have spent the past couple of days playing with the new radius feature of
the captive portal.
It certainly works well as described, but it took a while to get things sorted
with my radius setup.
The issue i discovered was with the passwords, that are sent using the PAP
protocol (User-Password attribute). This did not work for me initially, but
I tracked the issue down: I needed to set the PAP passwords as type CLEAR in
the FreeRADIUS config file.
Whilst this fixes the problem, it raises an issue. Most people (including me)
do not like storing passwords in clear on the Radus server (in my case in an
SQL database). FreeRADIUS offers a variety of storage mechanisms (such as
the classic UNIX crypt-style, MD5, etc). I would like to see an option to
specify that the passwords should be hashed with md5 or similar before
Likewise, many people like to use CHAP, so perhaps a CHAP option will be good
Another issue is with the return data from the radius server. The code
currently just looks in the return packet for the opcode of reply (2=success,
3=fail). I am currently playing around with an idea to have the server send
back a 'time' parameter that would establish the maximum time the user could
be connected without logging-in again. The would probably come in
Reply-Message attribute in the same packet as the YEA/NAY. This would then
be used to establish the timeout. The main use for this feature would be for
pay services in wireless hotspots, cafes, etc.
Anybody else interested in some or all of these features (I will have a crack
at a couple of them this weekend).
One unrelated question - where does the /usr/local/bin/verifysig code come
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.