Reimer Karlsen-Masur, DFN-CERT wrote:
I appreciate the tables explaining the compatibility of authentication systems / protocols to password type compatibility from: .... But I am still confused about the relationship of these two tables to each other and how to use them.
Is the following considered correct?
1. If I am using the back end DB (e.g. ldap or users file, etc.) as a simple *password store*, only [table 1] if of interest.
Yes.
And freeradius is able to connect to the back end (if there is a rlm_<back-end-db> module available), authenticate itself with a special radius server account/user credential and to retrieve the password plus optionally some other attribute values if the radius server *itself* authenticates successfully with the back end DB. The radius server itself is then performing the user name/password check to accept or reject the authentication request of the user trying to connect.
Yes.
2. If I am using the back end DB (e.g. ldap etc.) as an *authentication oracle*, [table 2] tells me which authentication oracle system I can use (depending on the authentication protocol that the supplicant/client/user is using)
Yes.
and [table 1] tells me in which format the passwords need to be stored in the authentication oracle.
Yes. Except that PAP is compatible with all password formats. Also, ntlm_auth is used on Windows, which stores passwords in cleartext or NT-Hash format, and nothing else. So after reading the "oracle" page, there's no need to go back to the other page to see how to store the passwords.
And freeradius is able to connect to the back end (if there is a rlm_<back-end-db> module available), to authenticate *with the user provided* credentials (username/password) and to optionally retrieve some attribute values if the *user* authenticated successfully against the authN oracle.
No. Authentication has nothing to do with retrieving other information. When an authentication oracle is used, FreeRADIUS takes the username && password, and hands them to the oracle. The oracle returns yes/no, and nothing else.
ps: There is probably a small typo in the column heading of [table 1]: 'SSHA1 hash' should be 'SHA1 hash' and 'Salted SSHA1 hash' should be 'Salted SHA1 hash (SSHA1)'
Fixed, thanks. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog