Questions regarding authentication systems and protocols to password types compatibility

Reimer Karlsen-Masur, DFN-CERT karlsen-masur at dfn-cert.de
Fri Apr 20 11:15:16 CEST 2007


Hi Alan,
hi list,

I appreciate the tables explaining the compatibility of authentication
systems / protocols to password type compatibility from:

[table 1] http://deployingradius.com/documents/protocols/compatibility.html

and

[table 2] http://deployingradius.com/documents/protocols/oracles.html

But I am still confused about the relationship of these two tables to each
other and how to use them.

Is the following considered correct?

1. If I am using the back end DB (e.g. ldap or users file, etc.) as a simple
*password store*, only [table 1] is of interest. And freeradius is able to
connect to the back end (if there is a rlm_<back-end-db> module available),
authenticate itself with a special radius server account/user credential and
to retrieve the password plus optionally some other attribute values if the
radius server *itself* authenticates successfully with the back end DB. The
radius server itself is then performing the user name/password check to
accept or reject the authentication request of the user trying to connect.

2. If I am using the back end DB (e.g. ldap etc.) as an *authentication
oracle*, [table 2] tells me which authentication oracle system I can use
(depending on the authentication protocol that the supplicant/client/user is
using) and [table 1] tells me in which format the passwords need to be
stored in the authentication oracle. And freeradius is able to connect to
the back end (if there is a rlm_<back-end-db> module available), to
authenticate *with the user provided* credentials (username/password) and to
optionally retrieve some attribute values if the *user* authenticated
successfully against the authN oracle.

Confirmation or further clarification is welcome.

Thanks

Reimer

ps: There is probably a small typo in the column heading of [table 1]:
'SSHA1 hash' should be 'SHA1 hash' and 'Salted SSHA1 hash' should be 'Salted
SHA1 hash (SSHA1)'
-- 
Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
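
Added example, not part of the original post and not FreeRADIUS code: a sketch of the "password store" case in point 1, where the server fetches the stored value and does the check itself, showing why the stored format limits which protocols can be verified. It goes beyond the post by using PAP and RFC 1994 CHAP as the two protocols; the "{CLEAR}" tag, the function names and the sample password are assumptions made up for this illustration.

```python
import base64
import hashlib
import hmac

def make_ssha(password: bytes, salt: bytes) -> str:
    """LDAP-style salted SHA1: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def pap_check(supplied: bytes, stored: str) -> bool:
    """PAP hands the server the cleartext, so it can re-hash and compare."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # a SHA1 digest is 20 bytes
        return hmac.compare_digest(hashlib.sha1(supplied + salt).digest(), digest)
    if stored.startswith("{CLEAR}"):  # tag made up for this example
        return hmac.compare_digest(supplied, stored[len("{CLEAR}"):].encode())
    raise ValueError("unknown stored password format")

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def chap_check(chap_id: int, challenge: bytes, response: bytes, stored: str) -> bool:
    """The server must recompute the response, which needs the cleartext."""
    if not stored.startswith("{CLEAR}"):
        return False  # a one-way hash cannot be fed into the CHAP formula
    password = stored[len("{CLEAR}"):].encode()
    return hmac.compare_digest(chap_response(chap_id, password, challenge), response)

def demo() -> dict:
    # Constructed sample data, not taken from any real system.
    password, salt = b"correct horse", b"\x01\x02\x03\x04"
    challenge = bytes(range(16))
    ssha, clear = make_ssha(password, salt), "{CLEAR}correct horse"
    resp = chap_response(7, password, challenge)
    return {
        "pap_vs_ssha": pap_check(password, ssha),
        "pap_vs_clear": pap_check(password, clear),
        "pap_wrong_password": pap_check(b"wrong", ssha),
        "chap_vs_clear": chap_check(7, challenge, resp, clear),
        "chap_vs_ssha": chap_check(7, challenge, resp, ssha),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```
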