sql - Replacing User-Password in config items with Cleartext-Password
Phil Mayers
p.mayers at imperial.ac.uk
Thu Feb 1 01:58:14 CET 2007
TZieleniewski wrote:
> the authorize section is the section which defines procedures
> responsible for granting a user an access to specific type of service.
> For instance if we use sql or files module in authorize section we can
> intuitively imagine that they do some checks about user data.
> For instance checks if data are present in the users file or in the data
> base.

yes

> And then in the authentication section they are for instance
> authenticate with the pap module which makes the verification between the
> data
> received from access packet and those taken from the users file or data
> base.

yes

> but there is another situation a little bit confusing when we for
> instance call the chap, mschap or ldap modules in the authorize section
> and then
> in the authenticate section. Does it work this way that somehow those
> modules know that they are invoked in different phases(authorize,
> authenticate)

Yes. Taking e.g. "mschap" as an example - during the "authorize" phase,
the module looks at the request and does this:

* IF the ms-chap-challenge and ms-chap-response attributes exist
* THEN set Auth-Type = MS-CHAP

During the "authenticate" phase it says:

* Get ms-chap-challenge
* Get User-Password from "config" items
* Compute correct response
* If correct == ms-chap-response: ...

> and perform different operations according to the needs?? Or for
> instance the digest module what does the authorize section really do??
> Does it take any data from the users file ?? Or it just check the data
> format and stuff??
> for instance
>
> authorize {
>     preprocess
>     chap
>     mschap
> }
>
> authenticate {
>     authtype PAP {
>         pap
>     }
>     authtype CHAP {
>         chap
>     }
>     authtype MS-CHAP {
>         mschap
>     }
> }
>
> I can really get the filling of those authtype declarations in the authenticate section
> I'm sure that few words of explanation will make me understand everything.

Basically, the *algorithm* modules just check to see if they're
applicable to a request during authorize. If they are applicable they
arrange to run themselves again during authenticate, *after* data for
authentication has been added to the request.
Hope that helps
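
Added example, not part of the original message and not FreeRADIUS code: a small Python model of the two phases described above, using CHAP (RFC 1994) rather than MS-CHAP because it needs only MD5. The module functions, the `USERS` store and the sample request are constructed for illustration, and the known-good password is stored under `Cleartext-Password` as in the thread subject.

```python
import hashlib
import hmac

# Constructed credential store standing in for the "files"/"sql" module's data.
USERS = {"alice": "s3cret"}

def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()

def chap_authorize(request, config):
    # Algorithm module: only checks applicability and books itself for authenticate.
    if "CHAP-Password" in request and "Auth-Type" not in config:
        config["Auth-Type"] = "CHAP"

def files_authorize(request, config):
    # Data module: looks the user up and adds the known-good password to config items.
    password = USERS.get(request.get("User-Name"))
    if password is not None:
        config["Cleartext-Password"] = password

def chap_authenticate(request, config):
    password = config.get("Cleartext-Password")
    if password is None:
        return False  # nothing was added during authorize, so nothing to verify against
    chap_id, received = request["CHAP-Password"][0], request["CHAP-Password"][1:]
    expected = chap_response(chap_id, password, request["CHAP-Challenge"])
    return hmac.compare_digest(expected, received)  # constant-time comparison

AUTHORIZE = [chap_authorize, files_authorize]   # hypothetical "authorize" section
AUTHENTICATE = {"CHAP": chap_authenticate}      # hypothetical Auth-Type subsections

def handle(request):
    config = {}
    for module in AUTHORIZE:                    # phase 1: every listed module runs
        module(request, config)
    handler = AUTHENTICATE.get(config.get("Auth-Type"))
    ok = handler is not None and handler(request, config)  # phase 2: one module runs
    return "Access-Accept" if ok else "Access-Reject"

def make_request(user, password, chap_id=7, challenge=b"\x01" * 16):
    # Constructed client side: the attributes a CHAP-speaking NAS would send.
    response = chap_response(chap_id, password, challenge)
    return {"User-Name": user, "CHAP-Challenge": challenge,
            "CHAP-Password": bytes([chap_id]) + response}
```
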