help-gnu-radius


Re: [Help-gnu-radius] Question about querying RADIUS


From: Sergey Poznyakoff
Subject: Re: [Help-gnu-radius] Question about querying RADIUS
Date: Fri, 14 Dec 2001 10:59:15 +0200

Quoting Henry Hsu <address@hidden>, who wrote:
> Question: Is there any way for me to send a query to the RADIUS server,
> essentially asking, "How many usernames are qualified to access my
> application?" That is, how many unique username/password pairs exist such
> that, if entered into my application and forwarded on to the RADIUS server,
> the username/password pair would result in a successful login to my
> application?

Unfortunately, the RADIUS protocol does not supply a mechanism for such
queries. You will have to implement some kind of external program for
this. This should not be too difficult if you keep your users'
credentials in an SQL database. Such a program could return the
number of username/password pairs in a reply attribute, for example
in the Reply-Message attribute.

Let's suppose your external program resides in /usr/libexec/ and is
called count_users. In your raddb/users you install a pseudo-user for
querying this program. In the simplest case it will look like:

count_users  Auth-Type = ...
             Exec-Program-Wait = "/usr/libexec/count_users"

(The ellipsis in the Auth-Type field means any authentication type you
prefer to use for such queries.) You might wish to restrict access to
it. In this case modify the LHS pairs (check-pairs) accordingly.

Now, /usr/libexec/count_users must count the number of
username/password pairs, print to the _standard output_
the reply A/V pairs and exit with 0 status.
The format for A/V pairs output is the same as in the raddb/users file.
If its output looks like:

Reply-Message = "25 pairs"

then the querying application can be configured to get the value
of the Reply-Message attribute and extract the number from it.

This seems to be the most direct approach; there may exist others,
though.

Good luck!

Sergey
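
A sketch of the count_users helper and of the client-side extraction described in the message above, as an added example that is not part of the original message or of GNU Radius. The `users(username, password)` table, the in-memory SQLite data and all function names are assumptions made for illustration; a real helper would connect to the site's own credential database.

```python
import re
import sqlite3
import sys


def count_pairs(conn):
    """Count distinct username/password pairs; no credential leaves the DB."""
    row = conn.execute(
        "SELECT COUNT(*) FROM (SELECT DISTINCT username, password FROM users)"
    ).fetchone()
    return int(row[0])


def reply_pairs(count):
    """Format the reply A/V pair exactly as shown in the message."""
    return 'Reply-Message = "%d pairs"' % count


def parse_reply_message(value):
    """Client side: accept only '<digits> pairs' and return the number."""
    m = re.fullmatch(r"(\d+) pairs", value.strip())
    if m is None:
        raise ValueError("unexpected Reply-Message: %r" % value)
    return int(m.group(1))


def sample_db():
    """Constructed data standing in for the real credential store (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("bob", "hash-b"), ("carol", "hash-c")],
    )
    return conn


def main():
    try:
        print(reply_pairs(count_pairs(sample_db())))
    except sqlite3.Error as exc:
        # Diagnostics go to stderr so that stdout carries only A/V pairs.
        print("count_users: %s" % exc, file=sys.stderr)
        return 1  # this example's choice; the message only specifies 0 on success
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The helper prints only the aggregate count, so the pseudo-user's reply never exposes individual usernames or passwords; restricting who may authenticate as the pseudo-user is still done in the check-pairs, as the message says.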


