Table of Contents Table of contents: Radiator® AAA Server <AuthBy REST> 3.67 - <AuthBy REST> <AuthBy KRB5> 3.69 - <AuthBy KRB5>

3.68. <AuthBy URL>

This clause authenticates using HTTP from any URL. It can use any given CGI or ASP, that validates user name and password. It requires the Digest::MD5 and HTTP::Request and LWP::UserAgent Perl modules in libwww-perl-5.63 or later. They are part of CPAN. For more information, see Section 2.1.2. CPAN. <AuthBy URL> supports both GET and POST Method for http query strings.
The user name and password being authenticated are passed as URL tags to the program (i.e. it does not use the web server's HTTP authentication). The CGI or ASP can then validate the user name and password and return a string that indicates whether the authentication succeeded or not. Passwords may be sent in the clear, or Unix crypt or MD5 encrypted. Example CGI scripts are available in the goodies directory of your Radiator distribution. See goodies/README.
This module was contributed by Mauro Crovato <mauro@crovato.com.ar>. See the example configuration file in goodies/url.cfg in your Radiator distribution.
AuthBy URL understands also the same parameters as <AuthBy xxxxxx>. For more information, see Section 3.32. <AuthBy xxxxxx>.
Tip
The libwww module that AuthBy URL uses can also support HTTPS requests. In order to enable this support, you must build and install either the Crypt::SSLeay or IO::Socket::SSL Perl modules before building the libwww module (see the README.SSL in the libwww distribution for more details). After that you can specify an HTTPS URL with something like: 
AuthUrl https://www.mysite.com/validate.cgi

3.68.1. AuthUrl

This optional parameter specifies the complete URL that will be used to authenticate the user name and password. It is usually set to the URL of a CGI or ASP program on a web server that you control. HTTPS is supported. For more information, see Section 3.68. <AuthBy URL>.
AuthUrl www.mysite.com/validate.cgi
or ....
AuthUrl https://www.mysite.com/validate.cgi

3.68.2. AcctUrl

This optional parameter specifies the complete URL that will be used to save accounting data from Accounting-Request packets. All the attributes in the request will be sent as HTTP tags, using either GET or POST, depending on the setting of UrlMethod.
AcctUrl http://www.mysite.com/cgi-bin/save-accounting.cgi

3.68.3. UrlMethod

This optional parameter specifies what type of submit method is going to be used to pass user and pass to the URL. Possible values are GET or POST. It is not sensitive to case. The default is GET.
UrlMethod POST

3.68.4. Debug

This optional flag parameter specifies if any incoming authentication that result in Auth-Accept, will be logged with the Radiator logging system. The default is to not log.
Debug 1

3.68.5. Timeout

This optional parameter specifies the timeout (in seconds) for the http connection to the web server. The default 5.
Timeout 3

3.68.6. UserParam

This optional parameter specifies the name of the URL tag variable used to pass the Username being authenticated, to the URL The default is user.
UserParam username

3.68.7. PasswordParam

This optional parameter specifies the name of the URL tag variable used to pass the Password being authenticated, to the URL The default is password.
PasswordParam key

3.68.8. AuthOKKeyword

This optional parameter specifies the name of the string that has to be found in the response from the web server, to select an Auth-Accept response message The default is AuthOK.
AuthOKKeyword "auth accept"

3.68.9. AuthChallengeKeyword

This optional parameter specifies the name of the string that has to be found in the response from the web server, to select an Auth-Challenge response message The default is ‘AuthChallenge’.

3.68.10. BadUserKeyword

This optional parameter specifies the name of the string that has to be found in the response from the web server, to select an Auth-Reject Bad User response message The default is BadUser.
BadUserKeyword "auth reject bad user"

3.68.11. BadPasswordKeyword

This optional parameter specifies the name of the string that has to be found in the response from the web server, to select an Auth-Reject Bad Password response message. The default is BadPassword.
BadPasswordKeyword "auth reject bad pass"

3.68.12. PasswordEncryption

This optional parameter specifies the type of encryption that is going to be used, to send the PAP password to the URL. The options available are Clear, Crypt and MD5 (case insensitive). The default is Clear.
PasswordEncryption Md5

3.68.13. ChapChallengeParam

For CHAP authentication, the name of the web parameter to use to send the CHAP challenge. Not used for PAP or other types of authentication. Defaults to chap_challenge.

3.68.14. ChapResponseParam

For CHAP authentication, the name of the web parameter to use to send the CHAP response. Not used for PAP or other types of authentication. Defaults to chap_response.

3.68.15. MSChapChallengeParam

For MSCHAP authentication, the name of the web parameter to use to send the MSCHAP challenge. Not used for PAP or other types of authentication. Defaults to mschap_challenge.

3.68.16. MSChapResponseParam

For MSCHAP authentication, the name of the web parameter to use to send the MSCHAP response. Not used for PAP or other types of authentication. Defaults to mschap_response.

3.68.17. MSChapV2ChallengeParam

For MSCHAPV2 authentication, the name of the web parameter to use to send the MSCHAPV2 challenge. Not used for PAP or other types of authentication. Defaults to mschapv2_challenge.

3.68.18. MSChapV2ResponseParam

For MSCHAPV2 authentication, the name of the web parameter to use to send the MSCHAPV2 response. Not used for PAP or other types of authentication. Defaults to mschapv2_response.

3.68.19. CopyRequestItem

Adds a tagged item to the HTTP request. Format is CopyRequestItem xxx yyy. The text of yyy (which may be contain special characters) will be added to the HTTP request with the tag xxx. In the special case where yyy is not defined, the value of attribute named xxx will be copied from the incoming RADIUS request and added to the HTTP request as the tagged item yyy. All values are HEX encoded before adding to the HTTP request. Multiple CopyRequestItem parameters are permitted, one per line.
CopyRequestItem NAS-Port
CopyRequestItem Calling-Station-Id %{OuterRequest:Calling-Station-
Id}

3.68.20. CopyReplyItem

Copies an attribute=value pair in a successful HTTP response to the RADIUS reply. Format is CopyReplyItem xxx yyy. If a successful HTTP reply contains a string like "xxx=hexencodedvalue" the value will be copied to the RADIUS reply as attribute yyy=value. Multiple CopyReplyItem parameters are permitted, one per line.
CopyReplyItem MS-CHAP2-Success
CopyReplyItem Reply-Message reply_tag
Table of Contents Table of contents: Radiator® AAA Server <AuthBy REST> 3.67 - <AuthBy REST> <AuthBy KRB5> 3.69 - <AuthBy KRB5>