How do I not set Auth-Type?

Alan DeKok aland at deployingradius.com
Fri Mar 16 09:40:25 CET 2007


John T. Guthrie wrote:
> As it turns out, I have a configuration that accomplishes all of this
> *perfectly*.

  If it works...

> I should stress, this accomplishes *exactly* what I want.  That said, it
> also involves explicit setting of Auth-Type.  I have seen in more than
> one place that this is a Bad Thing(TM).

  It's a bad thing because 90% or more of the times people set
Auth-Type, they get it wrong.  It's easiest to have a blanket statement
saying "Don't do that".

  And your configuration could be made simpler.  You seem to always set
Auth-Type = Kerberos, so that only needs to be set once, not for every
user.  Then, if you have a number of admins, the rules should be *role*
based, not *name* based.  i.e. use rlm_passwd to create an "admin"
group, and then do:

DEFAULT NAS-Port-Type == "Virtual", Local-Group != "admin", Auth-Type :=
Reject

>  My first question is how do I
> accomplish what the above configuration does without this explicit
> Auth-Type setting?

  You probably don't.

>  (Or is the above configuration marginally acceptable
> because it only sets Auth-Type when it isn't already set?)  Should I
> only be defining one authentication module that involves User-PAssword?

  Yes, and no.

> More generally, suppose that you have two different authentication
> modules, say unix and krb5, that use User-Password.  How does FreeRADIUS
> tell which users are supposed to use unix and which are supposed to use
> krb5?

  In the CVS head (which has been fixed), the "unix" module no longer
authenticates anyone.  Instead, it looks users up in /etc/passwd, and
adds "Crypt-Password" to the config items.  Then, rlm_pap authenticates
them.  This is *much* more flexible.

>  (Assuming that you want some to use one, and some to use the
> other.)  That is, how does RADIUS know what the "right thing" is in that
> case with being told explicitly?

  RADIUS doesn't know how to do the "right thing", FreeRADIUS does,
because we've put a lot of work into making it smart. :)

  In most cases, the choice of authentication protocols is simple:  Look
in the Access-Request packet... it's requesting a particular
authentication protocol.  So setting the authentication to any *other*
method means that authentication will fail.

  When finding the authentication *credentials* (i.e. password, etc.),
it's also usually pretty easy.  Look up the user in /etc/passwd, or
LDAP, or whatever.   If the user is found, take the credentials from
there, and associate them with the request.

  Then, you have an authentication protocol, and authentication
credentials, so knowing what to do for the act of authentication is simple.

  The confusion comes when people misconstrue back-ends for
authentication protocols.  i.e. doing EAP to an LDAP server.  It gets
more complicated when using something like Kerberos, which does not
supply authentication credentials.  Instead, Kerberos is an "oracle"

http://deployingradius.com/documents/protocols/oracles.html

  i.e. in a certain sense, you're proxying the authentication request to
the Kerberos server.  So it's a very different manner of setting
Auth-Type than forcing LDAP when the Access-Request contains EAP.

> P.S.  Before anyone says anything, I have read the documentation.  More
> than once.  It could very easily be that I have missed something totally
> obvious though.

  I'll try to clarify this in my book.

  In addition, if anyone can figure out a clear way to configure this in
the server, I'd like to know...

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog



More information about the Freeradius-Users mailing list