Authentication Process/Flowchart

Walt Reynolds waltr at umich.edu
Tue Mar 6 14:06:04 CET 2007


Anyone want to comment before I add it to the wiki?  No use adding it if 
it is that far off.

Peter Nixon wrote:
> Hi Walt
> 
> If you were to put this in the wiki you may even have other people help you 
> edit it ;-)
> 
> Peter
> 
> On Fri 02 Mar 2007 22:37, Walt Reynolds wrote:
>> I have searched, but did not find what I was looking for, so trying to
>> do my own flowchart of the process.  Below is a written up flow that I
>> want to try and convert to a graphical one.  Can I please get some
>> feedback on if this is not only the way it really works, but also if it
>> is accurate.
>>
>> If someone has something like this I would be very grateful if you would
>> pass it along to me.  Just remember plagiarism is the greatest form of
>> flattery (I would give you credit either way if you wanted)
>>
>> Thanks.
>>
>> ========================================
>> 1. Request comes in (example)
>> User-Name = "Guest2@location.com"
>> User-Password = "Password"
>> NAS-IP-Address = 192.168.224.36
>> Service-Type = Login-User
>> Framed-IP-Address = 198.168.225.72
>> Called-Station-Id = "00:07:E9:D1:8F:C2"
>> Calling-Station-Id = "00:40:96:a7:00:14"
>> NAS-Identifier = "box.lab"
>> Acct-Session-Id = "00:07:E9:D1:8F:C2:117165661771"
>> NAS-Port-Type = Wireless-802.11
>>
>> 2. Looks in the authorize section of radius.conf
>> ## authorize actually means is this request authorized to authenticate
>> ## (does it match rules)
>> preprocess	##This looks at the following files to add/correlate
>> 		##the request to rules defined in later modules.
>> 			huntgroups
>> 				##Matches based on NAS
>> 			hints
>> 				##Matches on user
>> auth_log	##This defines where the log will be
>> suffix		##Defined as delimiter for proxying realms
>> 		##Finds realm (if listed, if so will be used
>> 		##starting in preproxy_users)
>> eap		##Set to define and perform EAP authentication (if in request)
>> files		##Looks at the following files:
>> 			users
>> 				##Used to decide how to AuthZ and AuthN users.
>> 				##Check items, if matched, will add reply info to NAS
>> 				##if no specific match, will match DEFAULT
>> 				##User could move to
>> 			acct_users
>> 				##Same as users file but for accounting.
>> !!!***!!!If there is no realm defined at this part, it will
>>
>> 			preproxy_users
>> 				##Matches like users, but reply items
>> 				##added to proxied request to new NAS
>> 			pre_proxy_log
>> 				##Allows you to log the pre-proxied
>> 				##request
>>
>> 3. Sends proxy request to the radius server listed in proxy.conf if it did
>> find a realm match (based on suffix/px....
>> 4. Receives reply
>> 	a. Looks at post_proxy
>> 			post_proxy_log
>> 				##Logs post proxy info if enabled
>> 			attr_filter
>> 				##Allows you to filter what the proxied
>> 				##server sends back to NAS
>> 5. Sends Accept/Deny to NAS (with all attributes added or filtered)
>> 6. Accounting ----
> 

-- 
Walt Reynolds
Principal Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734) 615-9438
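As an added example, not taken from the post or from the FreeRADIUS project's shipped configuration: a FreeRADIUS 1.x-style configuration that wires the modules Walt lists into the authorize, authenticate, pre-proxy and post-proxy sections in that order, followed by the proxy.conf realms that the suffix module hands off to and the attrs file that attr_filter applies to the home server's reply. The block concatenates fragments of three files, each introduced by a comment header. The realm name location.com (from the sample request), the home server hostname, the shared secret, the detail-file paths and the attrs entries are assumptions; the module names are the ones in the post.

```conf
# ---- radiusd.conf (FreeRADIUS 1.x layout, where the authorize, authenticate,
# ---- pre-proxy and post-proxy sections live in radiusd.conf itself).
# Module names follow the post; paths, hosts and secrets are assumptions.
modules {
	preprocess {
		huntgroups = ${confdir}/huntgroups   # match on NAS attributes
		hints      = ${confdir}/hints        # match on User-Name
	}
	realm suffix {                           # realm = text after the "@"
		format         = suffix
		delimiter      = "@"
		ignore_default = no                  # unknown realm -> realm DEFAULT
		ignore_null    = no                  # no "@" at all -> realm NULL
	}
	files {
		usersfile          = ${confdir}/users
		acctusersfile      = ${confdir}/acct_users
		preproxy_usersfile = ${confdir}/preproxy_users
	}
	attr_filter {
		attrsfile = ${confdir}/attrs         # what a home server may send back
	}
	detail auth_log {
		detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
	}
	detail pre_proxy_log {
		detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
	}
	detail post_proxy_log {
		detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
	}
	eap {
		default_eap_type = peap              # assumed; pick what the NAS offers
	}
}

# Step 2 of the post: may this request authenticate, and where?
authorize {
	preprocess
	auth_log
	suffix        # sets Realm / Proxy-To-Realm when "@realm" is in proxy.conf
	eap
	files
}

# Only reached for requests that stay local (no Proxy-To-Realm was set).
authenticate {
	Auth-Type PAP {
		pap
	}
	eap
}

# Step 3: runs just before the request is forwarded to the home server.
pre-proxy {
	files          # reads preproxy_users
	pre_proxy_log
}

# Step 4: runs on the home server's reply before anything goes to the NAS.
post-proxy {
	post_proxy_log
	attr_filter
}

# ---- proxy.conf: where the realms found by "suffix" are sent.
realm location.com {
	type     = radius
	authhost = radius.location.com:1812   # assumed home server
	accthost = radius.location.com:1813
	secret   = change-this-shared-secret  # assumed; must match the home server
	nostrip                               # forward "Guest2@location.com" intact
}
realm NULL {          # no "@" in User-Name: handled locally, never proxied
	type     = radius
	authhost = LOCAL
	accthost = LOCAL
}
realm DEFAULT {       # "@" with a realm not listed above: handled locally
	type     = radius
	authhost = LOCAL
	accthost = LOCAL
}

# ---- attrs: attributes the proxied reply is allowed to carry to the NAS.
# Anything the home server returns that is not listed here is stripped.
DEFAULT
	Framed-IP-Address =* ANY,
	Session-Timeout   <= 28800,
	Idle-Timeout      <= 600,
	Reply-Message     =* ANY
```

The attrs file is the part worth double-checking in a proxied setup: attr_filter keeps only the listed attributes, so a remote realm cannot hand your NAS reply items you did not expect, such as VLAN or session attributes, whatever it returns in its Access-Accept. The NULL and DEFAULT realms both point at LOCAL so that a User-Name with no suffix, or with a suffix that is not configured, is decided by the local users file rather than being forwarded anywhere.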


