Questions regarding authentication systems and protocols to password types compatibility
Hi Alan, hi list, I appreciate the tables explaining the compatibility of authentication systems / protocols to password type compatibility from: [table 1] http://deployingradius.com/documents/protocols/compatibility.html and [table 2] http://deployingradius.com/documents/protocols/oracles.html But I am still confused about the relationship of these two tables to each other and how to use them. Is the following considered correct? 1. If I am using the back end DB (e.g. ldap or users file, etc.) as a simple *password store*, only [table 1] if of interest. And freeradius is able to connect to the back end (if there is a rlm_<back-end-db> module available), authenticate itself with a special radius server account/user credential and to retrieve the password plus optionally some other attribute values if the radius server *itself* authenticates successfully with the back end DB. The radius server itself is then performing the user name/password check to accept or reject the authentication request of the user trying to connect. 2. If I am using the back end DB (e.g. ldap etc.) as an *authentication oracle*, [table 2] tells me which authentication oracle system I can use (depending on the authentication protocol that the supplicant/client/user is using) and [table 1] tells me in which format the passwords need to be stored in the authentication oracle. And freeradius is able to connect to the back end (if there is a rlm_<back-end-db> module available), to authenticate *with the user provided* credentials (username/password) and to optionally retrieve some attribute values if the *user* authenticated successfully against the authN oracle. Confirmation or further clarification is welcome. Thanks Reimer ps: There is probably a small typo in the column heading of [table 1]: 'SSHA1 hash' should be 'SHA1 hash' and 'Salted SSHA1 hash' should be 'Salted SHA1 hash (SSHA1)' -- Kind Regards Reimer Karlsen-Masur DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Reimer Karlsen-Masur, DFN-CERT wrote:
I appreciate the tables explaining the compatibility of authentication systems / protocols to password type compatibility from: .... But I am still confused about the relationship of these two tables to each other and how to use them.
Is the following considered correct?
1. If I am using the back end DB (e.g. ldap or users file, etc.) as a simple *password store*, only [table 1] if of interest.
Yes.
And freeradius is able to connect to the back end (if there is a rlm_<back-end-db> module available), authenticate itself with a special radius server account/user credential and to retrieve the password plus optionally some other attribute values if the radius server *itself* authenticates successfully with the back end DB. The radius server itself is then performing the user name/password check to accept or reject the authentication request of the user trying to connect.
Yes.
2. If I am using the back end DB (e.g. ldap etc.) as an *authentication oracle*, [table 2] tells me which authentication oracle system I can use (depending on the authentication protocol that the supplicant/client/user is using)
Yes.
and [table 1] tells me in which format the passwords need to be stored in the authentication oracle.
Yes. Except that PAP is compatible with all password formats. Also, ntlm_auth is used on Windows, which stores passwords in cleartext or NT-Hash format, and nothing else. So after reading the "oracle" page, there's no need to go back to the other page to see how to store the passwords.
And freeradius is able to connect to the back end (if there is a rlm_<back-end-db> module available), to authenticate *with the user provided* credentials (username/password) and to optionally retrieve some attribute values if the *user* authenticated successfully against the authN oracle.
No. Authentication has nothing to do with retrieving other information. When an authentication oracle is used, FreeRADIUS takes the username && password, and hands them to the oracle. The oracle returns yes/no, and nothing else.
ps: There is probably a small typo in the column heading of [table 1]: 'SSHA1 hash' should be 'SHA1 hash' and 'Salted SSHA1 hash' should be 'Salted SHA1 hash (SSHA1)'
Fixed, thanks. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Thanks Alan! Your answer is raising some more questions though: Alan DeKok wrote:
Reimer Karlsen-Masur, DFN-CERT wrote:
I appreciate the tables explaining the compatibility of authentication systems / protocols to password type compatibility from: .... But I am still confused about the relationship of these two tables to each other and how to use them.
Is the following considered correct?
1. If I am using the back end DB (e.g. ldap or users file, etc.) as a simple *password store*, only [table 1] if of interest.
Yes.
Which freeradius modules can be used for the *simple password store*? files (the users file) unix pam ldap sql (?) Could you please complete this list? Are these entries ending up in the authenticate or authorize or both sections of the freeradius config? ...
2. If I am using the back end DB (e.g. ldap etc.) as an *authentication oracle*, [table 2] tells me which authentication oracle system I can use (depending on the authentication protocol that the supplicant/client/user is using)
Yes.
and [table 1] tells me in which format the passwords need to be stored in the authentication oracle.
Yes. Except that PAP is compatible with all password formats. Also, ntlm_auth is used on Windows, which stores passwords in cleartext or NT-Hash format, and nothing else.
So after reading the "oracle" page, there's no need to go back to the other page to see how to store the passwords.
And freeradius is able to connect to the back end (if there is a rlm_<back-end-db> module available), to authenticate *with the user provided* credentials (username/password) and to optionally retrieve some attribute values if the *user* authenticated successfully against the authN oracle.
No. Authentication has nothing to do with retrieving other information. When an authentication oracle is used, FreeRADIUS takes the username && password, and hands them to the oracle. The oracle returns yes/no, and nothing else.
How do I differ within the ldap module configuration if I do an ldap authentication via the *oracle* or if I *retrieve* (additional) attributes for a user like e.g. his password? Is the difference that the 'ldap' entry shows up in the 'authenticate' section for attribute retrieval use (plain password store) which I have configured here and believe to be working and in the 'authorize' section for oracle use? Thanks again for more insight on this! -- Kind Regards Reimer Karlsen-Masur DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Reimer Karlsen-Masur, DFN-CERT wrote:
Which freeradius modules can be used for the *simple password store*? files (the users file) unix pam ldap sql (?)
Not PAM.
Could you please complete this list? Are these entries ending up in the authenticate or authorize or both sections of the freeradius config?
Databases don't do authentication. They do not get listed in the "authenticate" section. As for completing the list, it really depends. You can configure many modules to add a clear-text password for the user. Please read radiusd.conf, and the documentation for examples. I'm not going to re-type all that here.
How do I differ within the ldap module configuration if I do an ldap authentication via the *oracle* or if I *retrieve* (additional) attributes for a user like e.g. his password?
See the documentation for the LDAP module.
Is the difference that the 'ldap' entry shows up in the 'authenticate' section for attribute retrieval use (plain password store) which I have configured here and believe to be working and in the 'authorize' section for oracle use?
You have that completely backwards. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Reimer Karlsen-Masur, DFN-CERT