802.1x ->Radius ->Ldap

John Dennis jdennis at redhat.com
Fri Jun 18 22:50:53 CEST 2010


On 06/18/2010 04:03 PM, Kyle Plimack wrote:
> So how do I get pap to do it?

If you're asking how you get pap to do mschap then that's a 
nonsensical question.

Here is how things work:

The client sends you a radius auth request, you don't get to decide 
what's in it, the client does.

The radius server looks at the request and says

"hmmm... let's see, what do we have here? What can I do with this?"

The answer to that is what auth types you have enabled, what the server 
can lookup, and what's in the request.

The server will do something like this:

"Yo unix module, can you handle this one?"

"Hey pap module, can you handle this one?"

"Yo mschap module, can you handle this one?"

At some point hopefully one of the modules will say:

"No problem I got it"

The decision as to whether a module can handle the request is made by 
the module by looking at the data available to it.

So let's say the client sends a request with a password and you've got 
pap enabled. The pap module looks at the request and says

"hmmm ... do I have a password for this user"

if so then compare my copy of the password to what's in the request.

How does radius find a user's password? By consulting its backend data 
store which can be the users file, a SQL database, or ldap.

So before the pap module runs ldap will run. ldap says

"hmm... Can I find passwords for this user?" If so I'll add them to the 
request as a check item so my dear friend the pap module can use them, 
you know that pap guy, he's always looking for passwords.

But WAIT! What if the client sends a MSCHAP request? What does the 
radius server say then?

"Well that's a fine kettle of fish! That client has really really tied 
my hands on this one" The only thing the server can do is run the mschap 
logic.

The mschap module looks at the request to see if there is a check item with 
either a clear text password or nt-hash (why? look at the protocol 
table). If those haven't been added by one of the datastores the mschap 
module says:

"Sorry boss, no can do"

But now the server has run out of options, its only choice was mschap 
because that's what the client sent it and the mschap module can't handle 
it. So the server replies:

"Loser! You ain't getting in here with those credentials" (Well really 
Auth-Reject)



-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
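As an added illustration (not part of John's message or of FreeRADIUS itself), here is a small Python model of the dispatch he describes: a constructed backend hands the server its check items, pap can verify against clear text or a stored salted hash, and mschap can only proceed when it has Cleartext-Password or NT-Password. The BACKEND dict, the sample users and the function names are assumptions made for this example.

```python
import base64
import hashlib

# Constructed sample backend standing in for the ldap module's directory.
# alice is stored in clear text; bob only as a salted SHA-1 hash (the usual
# LDAP case); anyone else is unknown and gets no check items at all.
def ssha(password: str, salt: bytes = b"constructed-salt") -> str:
    # FreeRADIUS SSHA-Password layout: base64(sha1 digest || salt)
    return base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

BACKEND = {
    "alice": {"Cleartext-Password": "s3cret"},
    "bob": {"SSHA-Password": ssha("hunter2")},
}

def ldap_authorize(request: dict, check: dict) -> None:
    """Authorize phase: the datastore adds whatever password check items it has."""
    check.update(BACKEND.get(request.get("User-Name"), {}))

def pap_authenticate(request: dict, check: dict) -> bool:
    """pap holds the clear-text request password, so it can compare against
    a clear-text check item or recompute a stored hash."""
    pw = request["User-Password"].encode()
    if "Cleartext-Password" in check:
        return pw == check["Cleartext-Password"].encode()
    if "SSHA-Password" in check:
        raw = base64.b64decode(check["SSHA-Password"])
        return hashlib.sha1(pw + raw[20:]).digest() == raw[:20]
    return False  # no check item pap understands

def mschap_can_handle(check: dict) -> bool:
    """mschap must recompute the NT-Response, which needs the clear text or the
    NT hash; a salted SHA-1 hash from the directory is useless to it."""
    return "Cleartext-Password" in check or "NT-Password" in check

def handle(request: dict) -> str:
    """The dispatch the message describes: the client's attributes pick the
    Auth-Type, the modules decide whether the check items let them do the job."""
    check: dict = {}
    ldap_authorize(request, check)
    if "MS-CHAP-Response" in request:
        if not mschap_can_handle(check):
            return "Access-Reject"  # "Sorry boss, no can do"
        return "MS-CHAP: check items usable, NT-Response verification not modeled"
    if "User-Password" in request:
        return "Access-Accept" if pap_authenticate(request, check) else "Access-Reject"
    return "Access-Reject"  # nothing any enabled module can use

if __name__ == "__main__":
    print(handle({"User-Name": "bob", "User-Password": "hunter2"}))
    print(handle({"User-Name": "bob", "MS-CHAP-Response": "<constructed>"}))
```

Run as-is, bob gets Access-Accept over PAP and Access-Reject over MS-CHAP from the very same directory entry, which is the situation the message explains.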
