Mixed-mode authentication environment

Alan DeKok aland at ox.org
Thu Sep 8 22:42:08 CEST 2005


Daniel Corbe <daniel.junkmail at gmail.com> wrote:
> I'm not sure I understand why my approach is so incorrect.  If I am
> wrong, please explain it to me.

  I would suggest reading the existing samples and documentation for
how to configure the server.  They explain the correct way to do
things.  The number of incorrect ways to do things is almost infinite.

> My understanding is we've AUTHORIZED the request by pulling the
> password information off of the LDAP server and storing it in memory.

  Yes.

> Then (according to my understanding of the radiusd.conf) in the
> authenticate {} block, we pick which modules in order will do the
> AUTHENTICATION part of the AAA session.  One of the two modules will
> always fail.

  If, and ONLY if, you list BOTH modules in an "Auth-Type {}" section
in "authenticate".

  The solution is DON'T DO THAT.

  List them separately, as shown in the default config.

  Again, I'm a little surprised that this is so hard to configure,
given that the default config shows how to do it.  It takes additional
effort to create a different configuration, which will then not work.

> We first try the digest module and get this:
>   Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 1
> ERROR: No Digest-Nonce: Cannot perform Digest authentication
>   modcall[authenticate]: module "digest" returns invalid for request 1
> 
> Then we move on to the next section of the Auth-Type LDAP
> configuration section of the authenticate {} block, and allow the LDAP
> module to take a crack at it and thus we have a successful
> authentication:

  Yes.  Your configuration seems to work, but it's inefficient and
unnecessary.  Rather than following the existing examples, you appear
to have randomly added hacks until it "works", with little
understanding of how the server is supposed to be configured.

  Please, use the default configuration where possible.  It works, and
it was designed by people who understand LDAP, digest, and the server.
Your hacks may appear to work, but they are based on misunderstandings
and confusion.  They WILL NOT be maintainable by you, or anyone else
going into the future.

  Alan DeKok.
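For readers following the thread, here is what the two layouts being argued about look like in a FreeRADIUS 1.x radiusd.conf. This is an added illustration, not a file posted by either participant and not the project's own default file; it assumes the stock default-config layout of that era (a bare "digest" entry in "authenticate", and ldap under its own "Auth-Type LDAP" block), default module instance names, and that the authorize-stage modules set Auth-Type per request as the default config relies on. Only the "authenticate" section is the subject of the thread; the "authorize" fragment is shown for context.

```conf
# Added example, not from the original thread.  Assumes the FreeRADIUS 1.x
# default-config layout and default module instance names.

# WRONG (the configuration under discussion): both modules inside one
# Auth-Type group.  Every request that selects this group runs "digest"
# first, which returns "invalid" for a plain password login ("No
# Digest-Nonce" in the poster's log), before "ldap" is tried.
#authenticate {
#	Auth-Type LDAP {
#		digest
#		ldap
#	}
#}

# RIGHT: list the modules separately, as the default config does.  The
# modules in "authorize" decide the Auth-Type of each request (assumption:
# "digest" sets Auth-Type := Digest only when the request carries Digest
# attributes, "ldap" fetches the user's password from the directory), and
# "authenticate" then runs only the matching entry.
authorize {
	preprocess
	digest
	ldap
}

authenticate {
	# Digest (SIP/HTTP-style) requests: the bare module entry handles
	# Auth-Type = Digest, as in the default config.
	digest

	# Plain password requests: bind to the directory as the user.
	Auth-Type LDAP {
		ldap
	}
}
```

With the separate entries, a password login never enters the digest module at all, and a digest request never enters the LDAP block, which is the "inefficient and unnecessary" part of the single-group layout that the reply objects to.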


