Help mixing proxied and non-proxied auth mechanisms

Geoff Silver geoff+freeradius at uslinux.net
Tue Mar 14 20:59:28 CET 2006


Alan DeKok wrote:
>   Please read the docs & man page for rlm_passwd.  It does *not* read
> /etc/passwd.

I read the doc/rlm_passwd doc, but I'll go over it again and take a look at
the code as well.  Being called rlm_passwd, I may have assumed it used
/etc/passwd before I even started reading it, thus tainting what I read.

>   I suggest writing down the specific situations involved.  Include
> inputs and outputs.  That will help drive the design.

So here is the specific requirement.

* I need FreeRadius to listen on two different UDP ports for auth requests.
This is because we presently allow both password authentication with users
file authorization *and* users file authorization only modes.  The latter is
used to support certificate-based authentication via our Cisco 3000-series
concentrators (the Cisco authenticates you against your certificate and
radiusd decides whether you're actually authorized to use that NAS).

* The port can't be shared because in the authorization-only method, the
password that gets sent is your username, and because no VSAs or other
identifying attributes get sent with that type of request.  Therefore, if I
shared the port, anyone could authenticate as user "bob" with password "bob".

* In our case, I am using port 1645 for authentication + authorization and
port 1812 for authorization only.

* I need FreeRadius to proxy the authentication requests it receives on the
authentication + authorization port, and do local users file authorization,
and return any Connect-Info, Filter, Class, etc strings related to that
user/nas pair back to the originating NAS.

* The authorization-only requests just need to see if the user is in the users
file for that NAS/Huntgroup, and return any related attributes (e.g.
Connect-Info, filter, Class, etc) to the originating NAS.

* All users can use both auth methods (i.e. nobody can do only certificate
authentication but not have a corresponding password).

* Users may have access for multiple NASes.

* Not all users have access for all (or the same) NASes.

* I "need" to have only one entry in the users file for each user.  I already
have this working with two entries, but it feels inefficient and just isn't
pretty.

I *think* this covers it appropriately.
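One way the requirement list above maps onto a FreeRADIUS configuration, given here as an added illustration rather than anything from the original thread or the FreeRADIUS project. It assumes the `listen` section syntax of FreeRADIUS 1.x/2.x, the internal check items `Packet-Dst-Port` and `Packet-Src-IP-Address`, the `Proxy-To-Realm` check item pointing at a realm defined in `proxy.conf`, and the special `Auth-Type := Accept` / `Auth-Type := Reject` values; the realm name "upstream", the huntgroup "vpn-east", the user "bob", the 10.0.0.0/24 concentrator range and the reply strings are all made up for the example.

```conf
# --- radiusd.conf (excerpt): one listener per request type ---------------
# Password authentication + users-file authorization (proxied upstream).
listen {
    type   = auth
    ipaddr = *
    port   = 1645
}
# Certificate-authenticated VPN sessions: users-file authorization only.
listen {
    type   = auth
    ipaddr = *
    port   = 1812
}

# --- users file -----------------------------------------------------------
# Anything that arrived on 1645 is proxied to the realm "upstream" (defined
# in proxy.conf); Fall-Through lets the per-user entry below still add its
# reply items and huntgroup check.
DEFAULT Packet-Dst-Port == 1645, Proxy-To-Realm := "upstream"
        Fall-Through = Yes

# Anything that arrived on 1812 was already authenticated by the concentrator
# against the user's certificate, so the (username-as-password) value is not
# checked here.  Only the concentrators' source range is allowed to use this
# path; any other source on 1812 is rejected before it reaches a user entry.
DEFAULT Packet-Dst-Port == 1812, Packet-Src-IP-Address != 10.0.0.0/24, Auth-Type := Reject

DEFAULT Packet-Dst-Port == 1812, Auth-Type := Accept
        Fall-Through = Yes

# One entry per user.  The huntgroup check restricts which NASes the user may
# use; the reply items are returned for both request types because both
# DEFAULT entries above fall through to here.
bob     Huntgroup-Name == "vpn-east"
        Class        = "vpn-east-users",
        Connect-Info = "bob-profile"

# Users with no matching entry above (wrong huntgroup, or not in the file at
# all) end here and are rejected on either port.
DEFAULT Auth-Type := Reject
```

The ordering carries the security property the requirement list describes: the `Auth-Type := Accept` entry is only reachable for packets that both arrived on the authorization-only port and came from the concentrator range, and a final catch-all `Auth-Type := Reject` closes the gap left by `Fall-Through` for users who match no entry. The source-range check is a belt-and-braces measure on top of `clients.conf`, because in these versions the client list is global rather than per listener. Whether a `Proxy-To-Realm` set in authorize is honoured when a later entry sets `Auth-Type := Reject` depends on the server version, so the unknown-user case on port 1645 should be verified with `radtest` against a test user rather than assumed.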


