Using freeradius integrated with Active Directory to authenticate cisco passwords
Jeffrey Hutzelman
jhutz at cmu.edu
Sat Feb 9 18:48:37 CET 2008
--On Saturday, February 09, 2008 12:18:54 PM +0000 Phil Mayers
<p.mayers at imperial.ac.uk> wrote:
>> Note that this violates the general advice of never setting Auth-Type,
>> explicitly; this is necessary because rlm_krb5 does not provide any
>> authorize handling and will not set Auth-Type automatically like many
>> other modules do.
>
> s/will not/cannot/?
>
> How would rlm_krb5 run in authorize {} and know that the user is a valid
> kerberos user without getting a ticket?
It can't, really. But what it could do is what rlm_pap does, which is to
assume that if there's a password in the request and Auth-Type isn't set
yet, you must want to use this module (actually, rlm_pap also requires
there be a password or hash in the users database, but of course Kerberos
doesn't need that and as you point out, there's no easy way to check the
KDB). With such a check, krb5 could be listed after pap in the default
authorize configuration, and would pick up any PAP requests for which the
users database does not contain a password.
> At the moment, the "best" (least worst) option is to use something like
> this:
>
> authorize {
>     preprocess
>     eap
>     mschap
>     files
> }
> authenticate {
>     Auth-Type MSCHAP {
>         mschap
>     }
>     Auth-Type KRB5 {
>         krb5
>     }
> }
>
> ..and in the files have this:
>
> DEFAULT Auth-Type = KRB5
Yes, I suppose with configuration like that you could avoid the code I
describe above. I do think there's some benefit to handling this in the
module's authorize handler, if only so we can avoid telling people to set
Auth-Type in the users database.
> Another alternative would be to redesign such that the various PAP
> "oracles" (krb5, pam) are sub-modules of the pap module, perhaps run in a
> defined order:
Perhaps, though I'd avoid putting too much complexity in the rlm_pap
configuration. People who actually need something complicated can always
use rlm_pam and take advantage of PAM's configuration engine (though that
does limit you to platforms which have PAM libraries).
What I'd really like to see is an easy way for the users database to
specify which submodule gets to handle PAP requests. I suppose that can be
accomplished as in your example, by listing files last in the authorize
section and setting Auth-Type with set-if-unset in each user entry.
-- Jeff
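The fallback Jeff describes (route a PAP request to Kerberos when nothing else has claimed it) can be expressed in the server configuration instead of in rlm_krb5 itself. The following is an added example, not configuration from the thread or from the FreeRADIUS project; it assumes FreeRADIUS 3.x unlang syntax, a configured `krb5` module instance, and the stock `pap`, `mschap`, `eap` and `files` modules.

```unlang
# Added example (assumed FreeRADIUS 3.x syntax), not from the thread.
authorize {
    preprocess
    eap
    mschap
    # files may set Auth-Type per user (set-if-unset "=" operator in the
    # users file), or supply a Cleartext-Password for local accounts.
    files
    # rlm_pap sets Auth-Type := PAP only when a known-good password was
    # found above, so local accounts are handled locally.
    pap
    # Fallback: a PAP request (User-Password present) that still has no
    # Auth-Type goes to Kerberos. This is the authorize-time check the
    # thread proposes rlm_krb5 could perform on its own.
    if (&User-Password && !&control:Auth-Type) {
        update control {
            &Auth-Type := KRB5
        }
    }
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type MSCHAP {
        mschap
    }
    Auth-Type KRB5 {
        krb5
    }
}
```

With this ordering, a users entry that explicitly sets `Auth-Type = KRB5` (as in Phil's example) or `Auth-Type := PAP` still wins, because the conditional only fires when Auth-Type is unset; MS-CHAP requests never reach the fallback since they carry no User-Password.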