Using multiple auth methods, ports

Geoff Silver geoff+freeradius at
Sat Feb 18 17:17:52 CET 2006

I've got (what I believe is) an interesting engineering problem to 
solve. I'm
going to oversimplify our problem a bit, so for simplicity sake, we use
"Auth-Type := Local" right now with a username and password. We're deploying
a new certificate-based method now, and I want to figure out the best way to
intergrate the two methods.

The problem is that the NAS (Cisco 3000) does the certificate 
but then queries radiusd server for *authorization* only. Essentially with
doing certificate-based authentication, the NAS sends:

User-Name = "geoff"
User-Password = "geoff"
NAS-Port = 1016
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = ""
Calling-Station-Id = ""
Tunnel-Client-Endpoint:0 = ""
NAS-IP-Address =
NAS-Port-Type = Virtual

whereas when it's doing regular authentication, it sends the same thing as
above, except User-Password = "mysecretpassword".  There are no 
options in the NAS to either restrict the NAS-Port that gets used (ie. cert
auth would use ports 1-1000 and regular auth would use 1001-2000), nor is
there a way to *apply* a realm to a request (only to strip the realm from
the request, which doesn't help me).  The only thing the NAS can do that is
"helpful" is send cert auth requests to a different UDP port than regular
auth requests.

To do the first method, I can use 'Auth-Type := Local' and just set the
User-Password attribute to the User-Name, or I can use 'Auth-Type := 
Either works just fine, since the NAS is only requesting authorization
(ie. is this user in the users file for our NAS). However, because the
password it sends is the username, I can't just put two entries in the users
file, since anyone doing the "old-style" username/password auth could just
enter their username as their password and get access (or more 
joe hacker could user someone's username as that user's password to get
unauthorized access).

The same NAS is used for both certificate and password auth, so I can't
restrict access via the NAS. Also, the same attributes are sent for regular
authentication, so I can't differentiate. As mentioned above, I *can* 
force the NAS
to use a different UDP port based on the auth method (ie. certificate 
auth goes to
port 1812 while old-stlye auth goes to port 1645), but I can't tell if 
there's a
way to get radiusd to listen on multiple UDP ports, or if there's a way to
determine which UDP port was used in the connection when doing auth (I 
a Packet-Src-Port attribute in the freeradius.internal dictionary, but I 
tell if there's a way I can use that in the users file).

I'm hoping someone might have some insight into the above paragraph. "You'll
need to add that" is reasonable insight, so long as that's my only answer -
I'm just hoping I can avoid doing that.


More information about the Freeradius-Users mailing list