Authentication Process/Flowchart

Peter Nixon listuser at peternixon.net
Sat Mar 3 07:04:19 CET 2007


Hi Walt

If you were to put this in the wiki you may even have other people help you 
edit it ;-)

Peter

On Fri 02 Mar 2007 22:37, Walt Reynolds wrote:
> I have searched, but did not find what I was looking for, so trying to
> do my own flowchart of the process.  Below is a written up flow that I
> want to try and convert to a graphical one.  Can I please get some
> feedback on if this is not only the way it really works, but also if it
> is accurate.
>
> If someone has something like this I would be very grateful if you would
> pass it along to me.  Just remember plagiarism is the greatest form of
> flattery (I would give you credit either way if you wanted)
>
> Thanks.
>
> ========================================
> 1. Request comes in (example)
> User-Name = "Guest2 at location.com"
> User-Password = "Password"
> NAS-IP-Address = 192.168.224.36
> Service-Type = Login-User
> Framed-IP-Address = 198.168.225.72
> Called-Station-Id = "00:07:E9:D1:8F:C2"
> Calling-Station-Id = "00:40:96:a7:00:14"
> NAS-Identifier = "box.lab"
> Acct-Session-Id = "00:07:E9:D1:8F:C2:117165661771"
> NAS-Port-Type = Wireless-802.11
>
> 2. Looks in the authorize section of radius.conf
> ## authorize actually means is this request authorized to authenticate
> ##(does it match rules)
> preprocess 	##This looks at the following files to add/correlate
> 		##the request to rules defined in later modules.
> 			huntgroups
> 				##Matches based on NAS
> 			hints
> 				##Matches on user
> auth_log	##This defines where the log will be
> suffix 		##Defined as delimiter for proxying realms
> 			## Finds realm (if listed, if so will be used
> 			##starting in preproxy_users
> eap		##Set to define and perform EAP authentication (if in
> 		##request)
> files		## Looks at the following files:
> 			users
> 				##Used to decide how to AuthZ and AuthN
> 				##users.  Check items, if matched will
> 				##add reply info to NAS
> 				##if no specific match, will match
> 				##DEFAULT
> 				##User could move to
> 			acct_users
> 				##Same as users file but for accounting.
> !!!***!!!If there is no realm defined at this part, it will
>
> 			preproxy_users
> 				##Matches like users, but reply items
> 				##added to proxied request to new NAS
> 			pre_proxy_log
> 				##Allows you to log the pre-proxied
> 				##request
>
> 3. Sent proxy request to radius server listed in proxy.conf if it did
> find a realm match (based on suffix/px....
> 4. Receives reply
> 	a. Looks at post_proxy
> 			post_proxy_log
> 				##Logs post proxy info if enabled
> 			attr_filter
> 				##Allows you to filter what the proxied
> 				##server sends back to NAS
> 5. Sends Accept/Deny to NAS (with all attributes added or filtered)
> 6. Accounting ----

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
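
As an added illustration of steps 2 to 5 of the flow quoted above (not part of either poster's message and not FreeRADIUS code), this simplified Python model follows the proxy path: a suffix-style realm split, a realm lookup, and an allowlist filter on the home server's reply before it goes to the NAS. It assumes the archive's "Guest2 at location.com" stands for Guest2@location.com; the realm table, allowlist, addresses and reply values are constructed.

```python
# Simplified model of the proxy path (added example; not FreeRADIUS source).
# Realm table, allowlist and sample packets are constructed for illustration.

REALMS = {"location.com": "192.0.2.10:1812"}   # stand-in for proxy.conf realm entries
REPLY_ALLOW = {                                  # stand-in for attr_filter rules
    "location.com": {"Reply-Message", "Session-Timeout", "Idle-Timeout"},
}

def split_realm(user_name, delimiter="@"):
    """Suffix-style split: the text after the last delimiter is the realm."""
    user, sep, realm = user_name.rpartition(delimiter)
    if not sep or not user or not realm:
        return user_name, None          # no usable realm: treat as a local user
    return user, realm.lower()

def route(request):
    """Steps 2-3: proxy only when the realm is one we have a home server for."""
    _, realm = split_realm(request["User-Name"])
    home = REALMS.get(realm)
    if home is None:
        return {"action": "local", "realm": None, "home_server": None}
    return {"action": "proxy", "realm": realm, "home_server": home}

def filter_reply(realm, reply):
    """Step 4a: pass on only allowlisted attributes; report the rest."""
    allowed = REPLY_ALLOW.get(realm, set())   # unknown realm: nothing passes
    kept = {k: v for k, v in reply.items() if k in allowed}
    dropped = sorted(k for k in reply if k not in allowed)
    return kept, dropped

SAMPLE_REQUEST = {"User-Name": "Guest2@location.com", "NAS-Identifier": "box.lab"}
HOME_REPLY = {                                # constructed reply from the home server
    "Reply-Message": "Welcome",
    "Session-Timeout": 3600,
    "Service-Type": "Administrative-User",   # not on the allowlist, so it is dropped
    "Framed-IP-Address": "10.0.0.5",          # likewise dropped
}

if __name__ == "__main__":
    decision = route(SAMPLE_REQUEST)
    print(decision)
    if decision["action"] == "proxy":
        kept, dropped = filter_reply(decision["realm"], HOME_REPLY)
        print("to NAS:", kept)
        print("filtered out:", dropped)
```

Logging the dropped attribute names alongside the realm gives a record of what a home server tried to send that local policy did not permit.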


