Questions regarding authentication systems and protocols to password types compatibility

Alan DeKok aland at deployingradius.com
Fri Apr 20 12:03:50 CEST 2007


Reimer Karlsen-Masur, DFN-CERT wrote:
> I appreciate the tables explaining the compatibility of authentication
> systems / protocols to password type compatibility from:
....
> But I am still confused about the relationship of these two tables to each
> other and how to use them.
> 
> Is the following considered correct?
> 
> 1. If I am using the back end DB (e.g. ldap or users file, etc.) as a simple
> *password store*, only [table 1] is of interest.

  Yes.

> And freeradius is able to
> connect to the back end (if there is a rlm_<back-end-db> module available),
> authenticate itself with a special radius server account/user credential and
> to retrieve the password plus optionally some other attribute values if the
> radius server *itself* authenticates successfully with the back end DB. The
> radius server itself is then performing the user name/password check to
> accept or reject the authentication request of the user trying to connect.

  Yes.

> 2. If I am using the back end DB (e.g. ldap etc.) as an *authentication
> oracle*, [table 2] tells me which authentication oracle system I can use
> (depending on the authentication protocol that the supplicant/client/user is
> using)

  Yes.

> and [table 1] tells me in which format the passwords need to be
> stored in the authentication oracle.

  Yes.  Except that PAP is compatible with all password formats.  Also,
ntlm_auth is used on Windows, which stores passwords in cleartext or
NT-Hash format, and nothing else.

  So after reading the "oracle" page, there's no need to go back to the
other page to see how to store the passwords.

> And freeradius is able to connect to
> the back end (if there is a rlm_<back-end-db> module available), to
> authenticate *with the user provided* credentials (username/password) and to
> optionally retrieve some attribute values if the *user* authenticated
> successfully against the authN oracle.

  No.  Authentication has nothing to do with retrieving other
information.  When an authentication oracle is used, FreeRADIUS takes
the username && password, and hands them to the oracle.  The oracle
returns yes/no, and nothing else.

> ps: There is probably a small typo in the column heading of [table 1]:
> 'SSHA1 hash' should be 'SHA1 hash' and 'Salted SSHA1 hash' should be 'Salted
> SHA1 hash (SSHA1)'

  Fixed, thanks.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
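
The two models discussed in this thread, as an added example that is not part of the original post and is not FreeRADIUS code: a password store where the server does the check itself, and an oracle that only answers yes/no. It goes beyond the post by adding CHAP (RFC 1994) as a contrast to PAP; the sample password, salt, user name and the demo_oracle function are constructed for illustration.

```python
import base64
import hashlib
import hmac

def make_ssha1(password: bytes, salt: bytes) -> str:
    """Salted SHA1 in the common LDAP layout: base64(SHA1(password + salt) + salt)."""
    return base64.b64encode(hashlib.sha1(password + salt).digest() + salt).decode()

def pap_check(fmt: str, stored: str, supplied: bytes) -> bool:
    """Password-store model: the server fetched `stored` and does the comparison itself.
    PAP delivers the cleartext password, so it can be re-hashed into any stored format."""
    if fmt == "cleartext":
        candidate, expected = supplied, stored.encode()
    elif fmt == "sha1":
        candidate, expected = hashlib.sha1(supplied).digest(), bytes.fromhex(stored)
    elif fmt == "ssha1":
        raw = base64.b64decode(stored)
        expected, salt = raw[:20], raw[20:]  # SHA1 digest is 20 bytes, salt follows
        candidate = hashlib.sha1(supplied + salt).digest()
    else:
        raise ValueError(f"unsupported format: {fmt}")
    return hmac.compare_digest(candidate, expected)

def chap_check(fmt, stored, chap_id, challenge, response):
    """CHAP (RFC 1994): response = MD5(id + password + challenge).
    Returns None when the stored format cannot be used (anything but cleartext)."""
    if fmt != "cleartext":
        return None
    expected = hashlib.md5(bytes([chap_id]) + stored.encode() + challenge).digest()
    return hmac.compare_digest(expected, response)

def oracle_check(oracle, username: str, password: bytes) -> bool:
    """Oracle model: hand over the credentials, get yes/no back and nothing else."""
    return bool(oracle(username, password))

# Constructed sample data (not from the original post).
PASSWORD = b"hello"
STORE = {
    "cleartext": PASSWORD.decode(),
    "sha1": hashlib.sha1(PASSWORD).hexdigest(),
    "ssha1": make_ssha1(PASSWORD, b"\x01\x02\x03\x04"),
}

def demo_oracle(username: str, password: bytes) -> bool:
    """Hypothetical stand-in for an external authentication oracle."""
    return username == "bob" and hmac.compare_digest(password, PASSWORD)
```

pap_check succeeds against every entry in STORE, while chap_check returns None for the hashed entries because the CHAP response cannot be recomputed from a one-way hash.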


