Re: Authentication Process/Flowchart

[Walt Reynolds <waltr@umich.edu>]

Anyone want to comment before I add it to the wiki?  No use adding it if 
it is that far off.

Peter Nixon wrote:
> Hi Walt
>
> If you were to put this in the wiki you may even have other people help you 
> edit it ;-)
>
> Peter
>
> On Fri 02 Mar 2007 22:37, Walt Reynolds wrote:
> > I have searched, but did not find what I was looking for, so trying to
> > do my own flowchart of the process.  Below is a written up flow that I
> > want to try and convert to a graphical one.  Can I please get some
> > feedback on if this is not only the way it really works, but also if it
> > is accurate.
> >
> > If someone has something like this I would be very grateful if you would
> > pass it along to me.  Just remember plagiarisms is the greatest form of
> > flattery (I would give you credit either way if you wanted)
> >
> > Thanks.
> >
> > ========================================
> > 1. Request comes in (example)
> > User-Name = "Guest2@location.com"
> > User-Password = "Password"
> > NAS-IP-Address = 192.168.224.36
> > Service-Type = Login-User
> > Framed-IP-Address = 198.168.225.72
> > Called-Station-Id = "00:07:E9:D1:8F:C2"
> > Calling-Station-Id = "00:40:96:a7:00:14"
> > NAS-Identifier = "box.lab"
> > Acct-Session-Id = "00:07:E9:D1:8F:C2:117165661771"
> > NAS-Port-Type = Wireless-802.11
> >
> > 2. Looks in the authorize section of radius.conf
> > ## authorize actually means is this request authorized to authenticate
> > ##(does it match rules)
> > preprocess 	##This looks a the following files to add/coorelate
> > 		##the request to rules defined in later modules.
> > 			huntgroups
> > 				##Matches based on NAS
> > 			hints
> > 				##Matches on user
> > auth_log	##This defines where the log will be
> > suffix 		##Defined as deliminater for proxying realms
> > 			## Finds realm (if listed, if so will be used
> > 			##starting in preproxy_users
> > eap		##Set to define and perform EAP authentication (if in 				##request)
> > files		## Looks at the following files:
> > 			users
> > 				##Used to decide how to AuthZ and AuthN 					##users.  Check items,
> > if matched will
> > 				##add reply info to NAS
> > 				##if no specific match, will match 						##DEFAULT
> > 				##User could move to
> > 			acct_users
> > 				##Same as users file but for accounting.
> > !!!***!!!If there is no realm defined at this part, it will
> >
> > 			preproxy_users
> > 				##Matches like users, but reply items
> > 				##added to proxied request to new NAS
> > 			pre_proxy_log
> > 				##Allows you to log the pre-proxied
> > 				##request
> >
> > 3. Sent proxy request to radius server listed in proxy.conf if it did
> > find a realm match (based on suffix/px....
> > 4. Receives reply
> > 	a. Looks at post_proxy
> > 			post_proxy_log
> > 				##Logs post proxy info if enabled
> > 			attr_filter
> > 				##Allows you to filter what the proxied
> > 				##server sends back to NAS
> > 5. Sends Accept/Deny to NAS (with all attributes added or filtered)
> > 6. Accounting ----

--
Walt Reynolds
Principle Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734) 615-9438