Concatenation of authentication
Hello everyone, I'm explaining to you my case. I use FreeRadius like a Proxy Radius. On the other side, I have a Windows Radius server, a TMS server and a SQL server. I've made a configuration to use TMS server for authentication with token --> OK I've made a configuration to use SQL database for authentication --> OK My problem is : When a user loses his token, I want he cans authenticate himself with the SQL database. I have made both configurations and it works separately. However, the goal is : 1) I want to authenticate users with Windows Radius server and authentication with token 2) If authentication 1 failed, then user tries to connect on the SQL database automatically. I've tried with post-auth section, post-proxy section... Is it possible ? How can I do that. Thanks for your help. Regard, Jérôme
Jérôme MATER wrote:
I have made both configurations and it works separately. However, the goal is :
1) I want to authenticate users with Windows Radius server and authentication with token 2) If authentication 1 failed, then user tries to connect on the SQL database automatically.
That's not really how RADIUS works. If the user is rejected, you can't turn that into an accept.
I've tried with post-auth section, post-proxy section...
Is it possible ? How can I do that.
You can't. Instead, determine which users should use SQL, and which users should authenticate via the Windows RADIUS server. Then, make them do that. Alan DeKok.
Hi Alan, Thanks for your answer. There 4000 users! And the priority is the authentication with token. SQL database should be use only if a user loses his token. The solution would be to have 2 freeradius, one for token authentication and the other one for SQL database ? Regards, Jérôme Le 07/05/2014 13:14, Alan DeKok a écrit :
Jérôme MATER wrote:
I have made both configurations and it works separately. However, the goal is :
1) I want to authenticate users with Windows Radius server and authentication with token 2) If authentication 1 failed, then user tries to connect on the SQL database automatically. That's not really how RADIUS works. If the user is rejected, you can't turn that into an accept.
I've tried with post-auth section, post-proxy section...
Is it possible ? How can I do that. You can't.
Instead, determine which users should use SQL, and which users should authenticate via the Windows RADIUS server. Then, make them do that.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Jérôme, How will you know if the user has lost his token? Presumably they would show up in the SQL database, yes? And when they are issued a new one, you remove them from the SQL database, correct? If that is the case, you should now think in reverse: 1. If the user shows up in the SQL database, don't bother with the token because the token is stolen/lost. 2. If the user does NOT show up in the SQL database, use standard authentication However, you *MUST* familiarise yourself with the following URL: http://deployingradius.com/documents/protocols/compatibility.html It maps which authentication methods can be used with which password storage mechanism. If your user is going to have to be able to authenticate against a SQL database or Active Directory for example, your SQL database has to store the NTLM hash of his/her password. The authorize section should allow you to check whether the user exists in the SQL table or not, and if they do, retrieve the password value (you will have to write the queries to do this though). You can use 'unlang' to do that. What Alan D is saying though is that there is no 'fallback' mechanism like some other authentication services have (like CAS, but that's another story). Stefan From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] On Behalf Of Jérôme MATER Sent: 07 May 2014 16:34 To: FreeRadius users mailing list Subject: Re: Concatenation of authentication Hi Alan, Thanks for your answer. There 4000 users! And the priority is the authentication with token. SQL database should be use only if a user loses his token. The solution would be to have 2 freeradius, one for token authentication and the other one for SQL database ? Regards, Jérôme Le 07/05/2014 13:14, Alan DeKok a écrit : Jérôme MATER wrote: I have made both configurations and it works separately. However, the goal is : 1) I want to authenticate users with Windows Radius server and authentication with token 2) If authentication 1 failed, then user tries to connect on the SQL database automatically. That's not really how RADIUS works. If the user is rejected, you can't turn that into an accept. I've tried with post-auth section, post-proxy section... Is it possible ? How can I do that. You can't. Instead, determine which users should use SQL, and which users should authenticate via the Windows RADIUS server. Then, make them do that. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
Hi,
There 4000 users! And the priority is the authentication with token. SQL database should be use only if a user loses his token.
The solution would be to have 2 freeradius, one for token authentication and the other one for SQL database ?
there are fail-over hacks that you can do to achieve this - such things may work for you, they may not - we used such methods when we moved from one AD to another. alan
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Jérôme MATER -
Stefan Paetow