OR-type authentication
Phil Mayers
p.mayers at imperial.ac.uk
Fri Aug 18 16:25:19 CEST 2006
Héctor Alberto Ortiz Barrón wrote:
> My radiusd.conf file
> ...
> modules {
>     mschap certificate_userpass {
>     }
>     mschap winlogon {
>     }
>     $INCLUDE ${confdir}/eap.conf
>     $INCLUDE ${confdir}/sql.conf
> ...
> instantiate {
>     exec
>     certificate_userpass
>     winlogon
> }
> ...
> authorize {
>     redundant {
>         sql
>         winlogon
>         certificate_userpass
>     }
>     eap
> }
> ...
> authenticate {
>     Auth-Type MS-CHAP {
>         redundant {
>             certificate_userpass
>             winlogon
>         }
>     }
>     eap
> }
> ...
> Using this configuration, I am able to connect to the network using a
That configuration looks seriously, seriously broken. Why have you
defined >1 mschap module and called one "certificate_userpass" when the
mschap module can only handle ms-chap? Why are you playing odd games
with redundant copies of modules in odd places? Why are you putting
modules in the instantiate section that don't need it?
> certificate on the client computer or providing a user name and password
> which are checked against the mysql database, but I can't authenticate
> against the AD. If I comment out the part regarding sql from the
I'm not surprised.
> authorize section and do like this in the authenticate section (inverse
> order):
> authenticate {
>     Auth-Type MS-CHAP {
>         redundant {
>             winlogon
>             certificate
>         }
>     }
>     eap
> }
> I can now authenticate against the AD and using certificates, but not
> using the database.
> Question:
> What changes do I require in order to be able to grant access taking
> into account the three methods?
Perhaps you could be more specific about what you're trying to do. You
cannot authenticate a single user against two sources of info - how
would that even work?
Are you saying that you have some users in SQL and some users in a
domain controller, and want both to work?
I take it this is for 802.1x authentication?
You almost certainly want something a bit more like this:
modules {
    mschap {
        # we will override use of this on a per-user basis for users in SQL
        ntlm_auth = whatever
    }
    $INCLUDE ${confdir}/eap.conf
    $INCLUDE ${confdir}/sql.conf
}
authorize {
    preprocess
    sql
    mschap
    eap
}
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
...and for your users in SQL, have this:
id | username | attribute | op | value
----+----------+-----------------------+----+----------
1 | foo | User-Password | := | bar
2 | foo | MS-CHAP-Use-NTLM-Auth | := | 0