Authentication Process/Flowchart

Walt Reynolds waltr at umich.edu
Fri Mar 2 21:37:54 CET 2007


I have searched, but did not find what I was looking for, so trying to 
do my own flowchart of the process.  Below is a written up flow that I 
want to try and convert to a graphical one.  Can I please get some 
feedback on if this is not only the way it really works, but also if it 
is accurate.

If someone has something like this I would be very grateful if you would 
pass it along to me.  Just remember plagiarism is the greatest form of 
flattery (I would give you credit either way if you wanted).

Thanks.

========================================
1. Request comes in (example)
User-Name = "Guest2 at location.com"
User-Password = "Password"
NAS-IP-Address = 192.168.224.36
Service-Type = Login-User
Framed-IP-Address = 198.168.225.72
Called-Station-Id = "00:07:E9:D1:8F:C2"
Calling-Station-Id = "00:40:96:a7:00:14"
NAS-Identifier = "box.lab"
Acct-Session-Id = "00:07:E9:D1:8F:C2:117165661771"
NAS-Port-Type = Wireless-802.11

2. Looks in the authorize section of radius.conf
## authorize actually means is this request authorized to authenticate 
##(does it match rules)
preprocess 	##This looks at the following files to add/correlate
		##the request to rules defined in later modules.
			huntgroups
				##Matches based on NAS
			hints
				##Matches on user
auth_log	##This defines where the log will be
suffix 		##Defined as delimiter for proxying realms
			## Finds realm (if listed, if so will be used
			##starting in preproxy_users)
eap		##Set to define and perform EAP authentication (if in
		##request)
files		## Looks at the following files:
			users
				##Used to decide how to AuthZ and AuthN
				##users.  Check items, if matched will
				##add reply info to NAS
				##if no specific match, will match
				##DEFAULT
				##User could move to
			acct_users
				##Same as users file but for accounting.
!!!***!!!If there is no realm defined at this part, it will
			
			preproxy_users
				##Matches like users, but reply items
				##added to proxied request to new NAS
			pre_proxy_log
				##Allows you to log the pre-proxied
				##request
			
3. Sent proxy request to radius server listed in proxy.conf if it did 
find a realm match (based on suffix/px....
4. Receives reply
	a. Looks at post_proxy
			post_proxy_log
				##Logs post proxy info if enabled
			attr_filter
				##Allows you to filter what the proxied
				##server sends back to NAS
5. Sends Accept/Deny to NAS (with all attributes added or filtered)
6. Accounting ----

-- 
Walt Reynolds
Principle Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734) 615-9438
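
The suffix and attr_filter steps from the flow above, modelled as an added example (not part of the original post and not FreeRADIUS code). The realm table, allowlist, local user and sample attributes are constructed assumptions, and an unknown realm is simply treated as a local user here.

```python
"""Simplified model of realm-suffix proxying and post-proxy reply filtering."""
import hmac

# Constructed stand-ins for proxy.conf, attr_filter rules and the users file.
REALMS = {"location.example": "203.0.113.10"}
REPLY_ALLOWLIST = {"Reply-Message", "Session-Timeout", "Idle-Timeout"}
LOCAL_USERS = {"localuser": "Password"}

# Constructed sample request and home-server reply.
SAMPLE_REQUEST = {"User-Name": "guest2@location.example",
                  "User-Password": "Password",
                  "NAS-IP-Address": "192.168.224.36"}
SAMPLE_HOME_REPLY = {"Packet-Type": "Access-Accept",
                     "Session-Timeout": 3600,
                     "Service-Type": "Administrative-User",
                     "Framed-IP-Address": "10.0.0.5"}


def split_realm(user_name, delimiter="@"):
    """suffix step: split on the last delimiter, return (user, realm or None)."""
    user, sep, realm = user_name.rpartition(delimiter)
    if not sep or not user or not realm:
        return user_name, None
    return user, realm.lower()


def filter_reply(reply):
    """attr_filter step: keep only allowlisted attributes from the home server."""
    return {k: v for k, v in reply.items() if k in REPLY_ALLOWLIST}


def handle(request, home_server_reply=None):
    """Return (packet type, reply attributes sent to the NAS, home server or None)."""
    _, realm = split_realm(request["User-Name"])
    home = REALMS.get(realm)
    if home is None:
        # No known realm: check the password locally in constant time.
        expected = LOCAL_USERS.get(request["User-Name"])
        supplied = request.get("User-Password", "")
        ok = expected is not None and hmac.compare_digest(
            expected.encode(), supplied.encode())
        return ("Access-Accept" if ok else "Access-Reject"), {}, None
    # Known realm: proxy, then filter what came back before it reaches the NAS.
    reply = dict(home_server_reply or {})
    code = reply.pop("Packet-Type", "Access-Reject")
    return code, filter_reply(reply), home


if __name__ == "__main__":
    print(handle(SAMPLE_REQUEST, SAMPLE_HOME_REPLY))
```

In the sample, the home server's `Service-Type` and `Framed-IP-Address` are dropped before the reply reaches the NAS, which is the reason to filter proxied replies at all.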



More information about the Freeradius-Users mailing list