Mixed-mode authentication environment

Daniel Corbe daniel.junkmail at gmail.com
Thu Sep 8 01:27:51 CEST 2005


I'm manually setting Auth-Type to DIGEST on the LDAP Server.

This is all radiusd.conf has to say about digest:

        #
        #  The 'digest' module currently has no configuration.
        #
        #  "Digest" authentication against a Cisco SIP server.
        #  See 'doc/rfc/draft-sterman-aaa-sip-00.txt' for details
        #  on performing digest authentication for Cisco SIP servers.
        #
        digest {
        }

and

        #
        #  If you have a Cisco SIP server authenticating against
        #  FreeRADIUS, uncomment the following line, and the 'digest'
        #  line in the 'authenticate' section.
        digest

Which does not help me much.  Both entries aren't commented.

-Daniel


On 9/7/05, Alan DeKok <aland at ox.org> wrote:
> Daniel Corbe <daniel.junkmail at gmail.com> wrote:
> > Since the SIP server requires DIGEST authentication, the Auth-Type
> > attribute is present and it is set to DIGEST which forces FreeRADIUS
> > to attempt a digest authentication.  Once this fails an Access-Reject
> > packet is sent back to the RADIUS client
> 
>   You don't say who's setting Auth-Type.  In the example config, the
> "digest" module sets it.  If you're setting it yourself, there's a
> high likelihood that something will go wrong.
> 
> > Is there a way to configure FreeRADIUS so it first attempts a DIGEST
> > authentication, and when that fails, we go ahead and attempt normal
> > authentication?
> 
>   No.  That doesn't make sense.
> 
>   There IS a way to configure the server to try digest authentication
> only when the RADIUS packet contains digest attributes.  Uncomment the
> lines referring to "digest" in radiusd.conf.
> 
>   Alan DeKok.
>
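
The dispatch described in the reply above (digest only when the packet carries digest attributes, normal authentication otherwise), as an added Python sketch that is not part of the original thread and is not FreeRADIUS code. The dict-shaped requests, the `USERS` table, the `forced_auth_type` parameter and all sample values are constructed assumptions; the response is computed as in RFC 2617 without qop.

```python
import hashlib
import hmac

USERS = {"alice": "s3cret"}  # constructed cleartext password store

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2617 response without qop: MD5(HA1:nonce:HA2)
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def authorize(request):
    # Choose the method from what the packet carries, not from the user entry.
    if "Digest-Response" in request and "Digest-Attributes" in request:
        return "Digest"
    if "User-Password" in request:
        return "PAP"
    return None

def authenticate(request, forced_auth_type=None):
    # forced_auth_type models an Auth-Type pinned on the user's LDAP entry.
    password = USERS.get(request.get("User-Name"))
    auth_type = forced_auth_type or authorize(request)
    ok = False
    if password is not None and auth_type == "Digest":
        attrs = request.get("Digest-Attributes")
        if attrs and "Digest-Response" in request:
            expected = digest_response(request["User-Name"], attrs["Realm"], password,
                                       attrs["Method"], attrs["URI"], attrs["Nonce"])
            ok = hmac.compare_digest(expected, request["Digest-Response"])
    elif password is not None and auth_type == "PAP":
        ok = hmac.compare_digest(password, request.get("User-Password", ""))
    return "Access-Accept" if ok else "Access-Reject"

# Constructed sample requests: one from a SIP proxy, one from an ordinary NAS.
SIP_ATTRS = {"Realm": "example.org", "Method": "REGISTER",
             "URI": "sip:example.org", "Nonce": "abc123"}
SIP_REQUEST = {"User-Name": "alice", "Digest-Attributes": SIP_ATTRS,
               "Digest-Response": digest_response("alice", "example.org", "s3cret",
                                                  "REGISTER", "sip:example.org", "abc123")}
PAP_REQUEST = {"User-Name": "alice", "User-Password": "s3cret"}

if __name__ == "__main__":
    print(authenticate(SIP_REQUEST))                             # digest path
    print(authenticate(PAP_REQUEST))                             # PAP path
    print(authenticate(PAP_REQUEST, forced_auth_type="Digest"))  # pinned Auth-Type
```

The third call shows the failure mode from the thread: with the method pinned to digest, a request that carries only a password has nothing to verify against and is rejected.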
