How do I not set Auth-Type?

John T. Guthrie guthrie at counterexample.org
Sat Mar 17 05:20:37 CET 2007 

On Fri, 2007-03-16 at 09:40 +0100, Alan DeKok wrote:
> John T. Guthrie wrote:
> > As it turns out, I have a configuration that accomplishes all of this
> > *perfectly*.
> 
>   If it works...

Well, it's been doing what I want it to do for about 7+ months, so I'd
say that qualifies as working. ;-)  Now granted, its expansion
capabilities could very easily limited...

> > I should stress, this accomplishes *exactly* what I want.  That said, it
> > also involves explicit setting of Auth-Type.  I have seen in more than
> > one place that this is a Bad Thing(TM).
> 
>   It's a bad thing because 90% or more of the times people set
> Auth-Type, they get it wrong.  It's easiest to have a blanket statement
> saying "Don't do that".
> 
>   And your configuration could be made simpler.  You seem to always set

I agree with this completely.

> Auth-Type = Kerberos, so that only needs to be set once, not for every
> user.  Then, if you have a number of admins, the rules should be *role*
> based, not *name* based.  i.e. use rlm_passwd to create an "admin"
> group, and then do:
>
> DEFAULT NAS-Port-Type == "Virtual", Local-Group != "admin", Auth-Type :=
> Reject

Thank you very much!  This will go a long ways toward helping me clean
up my config.

> >  My first question is how do I
> > accomplish what the above configuration does without this explicit
> > Auth-Type setting?
> 
>   You probably don't.
>
> >  (Or is the above configuration marginally acceptable
> > because it only sets Auth-Type when it isn't already set?)  Should I
> > only be defining one authentication module that involves User-PAssword?
> 
>   Yes, and no.
> 
> > More generally, suppose that you have two different authentication
> > modules, say unix and krb5, that use User-Password.  How does FreeRADIUS
> > tell which users are supposed to use unix and which are supposed to use
> > krb5?
> 
>   In the CVS head (which has been fixed), the "unix" module no longer
> authenticates anyone.  Instead, it looks users up in /etc/passwd, and
> adds "Crypt-Password" to the config items.  Then, rlm_pap authenticates
> them.  This is *much* more flexible.
> 
> >  (Assuming that you want some to use one, and some to use the
> > other.)  That is, how does RADIUS know what the "right thing" is in that
> > case with being told explicitly?
> 
>   RADIUS doesn't know how to do the "right thing", FreeRADIUS does,
> because we've put a lot of work into making it smart. :)

Fair enough. ;-)

>   In most cases, the choice of authentication protocols is simple:  Look
> in the Access-Request packet... it's requesting a particular
> authentication protocol.  So setting the authentication to any *other*
> method means that authentication will fail.
> 
>   When finding the authentication *credentials* (i.e. password, etc.),
> it's also usually pretty easy.  Look up the user in /etc/passwd, or
> LDAP, or whatever.   If the user is found, take the credentials from
> there, and associate them with the request.
> 
>   Then, you have an authentication protocol, and authentication
> credentials, so knowing what to do for the act of authentication is simple.
> 
>   The confusion comes when people misconstrue back-ends for
> authentication protocols.  i.e. doing EAP to an LDAP server.  It gets
> more complicated when using something like Kerberos, which does not
> supply authentication credentials.  Instead, Kerberos is an "oracle"
> 
> http://deployingradius.com/documents/protocols/oracles.html
> 
>   i.e. in a certain sense, you're proxying the authentication request to
> the Kerberos server.  So it's a very different manner of setting
> Auth-Type than forcing LDAP when the Access-Request contains EAP.
> 
> > P.S.  Before anyone says anything, I have read the documentation.  More
> > than once.  It could very easily be that I have missed something totally
> > obvious though.
> 
>   I'll try to clarify this in my book.

So are you saying that FreeRADIUS sometimes needs some assistance when
dealing with authentication oracles?  That is, it needs to be told when
to use them?  Moreover, is the problem in this case how to tell
FreeRADIUS about that without setting an explicit Auth-Type?  From what
you said above, it seems that is not likely.

This would seem to agree with what I've found in experimentation, namely
take the configuration in the users file:

"user1"

If I try to use the command (assuming the password for user1 is
"pass_for_user1"):

radtest user1 pass_for_user1 radius_server 17 radius_secret

Then radiusd -X complains:

auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [user1] (from client net_tester port 17)

(I have similar issues with the access point.  Namely, it does not set
Auth-Type.)  However, it works if I use something like:

"user1"    Auth-Type = Kerberos

(Note that I did not use Auth-Type := Kerberos.)

>   In addition, if anyone can figure out a clear way to configure this in
> the server, I'd like to know...

I would love to help out with this if at all possible.

Thanks again for all of your help.

-- 
John Guthrie
guthrie at counterexample.org

More information about the Freeradius-Users mailing list