Would it be possible to get this put in with the documentation? Aaron
-----Original Message-----
From: 3APA3A [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 27, 2002 12:21 PM
To: [EMAIL PROTECTED]
Subject: Understanding FreeRADIUS authorization, authentication and attribute lists.

Dear [EMAIL PROTECTED],

There are a lot of questions about misconfigured FreeRADIUS servers because of misunderstanding of FreeRADIUS operations. I'll try to explain a bit.

Normally there are 2 steps in processing an authentication request coming from a NAS in FreeRADIUS (plus additional steps to proxy the request if we use FreeRADIUS as a proxy): authorization and authentication. Authorization is the process of obtaining information about the user from an external source (file, database or LDAP) and checking that the information in the request is enough to authenticate the user. Authentication is simply the process of comparing the user's credentials in the request with the credentials stored in the database.

An authorization module deals with the data source, so ldap, sql, files and passwd are authorization modules. Authentication deals with password encryption: PAP, CHAP and MS-CHAP are authentication modules. A few modules act as both authorization and authentication modules. For example, the ms-chap module is normally an authentication one, but it may be used during authorization to check that the request contains MS-CHAP related attributes and only in this case perform MS-CHAP based authentication. LDAP is normally an authorization module, but it may be used for authentication (in this case FreeRADIUS will authenticate the user if he can connect to the LDAP server with his account).

During the authorization and authentication processes there are 3 lists of RADIUS attributes supported by FreeRADIUS: request items, config items and reply items. Attributes from the RADIUS authentication request packet are included in the request items list. Both authorization and authentication modules can add attributes to the reply items list; these attributes will be added to the reply that the RADIUS server sends to the NAS. The third list is called config items. It's used for internal FreeRADIUS operations, for example to pass some data from an authorization module to an authentication module.

Before authorization begins, FreeRADIUS creates the request items list with the attributes from the request, and empty config and reply lists. The authorization module searches a database with the User-Name taken from the request list as a key and fetches all records. From the database module it retrieves 3 types of attributes: check attributes, config attributes and reply attributes. It compares the check attributes with the attributes from the request items. If none of the database records for this User-Name matches the request items in its check attributes, authorization will fail. If a matching record is found, its config attributes will be added to the config items and its reply attributes will be added to the reply items list. A check list may be required if we need to authenticate users with the same name for different services (for example to treat User1 from NAS1 and User1 from NAS2 as different users).

There should be at least one config attribute provided by the authorization module, called Auth-Type (since this attribute is from the config items list it can't be in the request or reply). This attribute points to which module will be used to authenticate the user. Config items also contain information from the database required to authenticate the user, for example the user's valid password or its hash, login restrictions, etc.

A quite common mistake is placing attributes in the wrong lists, for example placing Auth-Type, Password, NT-Password etc. in the check list. If you place Password into the check list and the user does cleartext authentication it may work, because the authorization module compares 2 cleartext passwords... But if the user does some encrypted authentication (for example MS-CHAP), authorization will fail, because the Password in the request items will not match the password in the check attributes. You should place the Password attribute obtained from the database into the config items and also place the Auth-Type attribute with the value 'MS-CHAP' into the same list. The same goes for NT-Password (before calling MS-CHAP, the Password attribute should be converted to NT-Password; it may be achieved by calling the mschap module in the authorization section after the module which does the actual authorization).

--
http://www.security.nnov.ru
ZARAZA / 3APA3A
You know my name - look up my number (The Beatles)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
