Anyone want to comment before I add it to the wiki?  No use adding it if 
it is that far off.

Peter Nixon wrote:
> Hi Walt
> 
> If you were to put this in the wiki you may even have other people help you 
> edit it ;-)
> 
> Peter
> 
> On Fri 02 Mar 2007 22:37, Walt Reynolds wrote:
>> I have searched, but did not find what I was looking for, so trying to
>> do my own flowchart of the process.  Below is a written up flow that I
>> want to try and convert to a graphical one.  Can I please get some
>> feedback on if this is not only the way it really works, but also if it
>> is accurate.
>>
>> If someone has something like this I would be very grateful if you would
>> pass it along to me.  Just remember plagiarism is the greatest form of
>> flattery (I would give you credit either way if you wanted)
>>
>> Thanks.
>>
>> ========================================
>> 1. Request comes in (example)
>> User-Name = "[EMAIL PROTECTED]"
>> User-Password = "Password"
>> NAS-IP-Address = 192.168.224.36
>> Service-Type = Login-User
>> Framed-IP-Address = 198.168.225.72
>> Called-Station-Id = "00:07:E9:D1:8F:C2"
>> Calling-Station-Id = "00:40:96:a7:00:14"
>> NAS-Identifier = "box.lab"
>> Acct-Session-Id = "00:07:E9:D1:8F:C2:117165661771"
>> NAS-Port-Type = Wireless-802.11
>>
>> 2. Looks in the authorize section of radius.conf
>> ## authorize actually means is this request authorized to authenticate
>> ##(does it match rules)
>> preprocess   ##This looks at the following files to add/correlate
>>              ##the request to rules defined in later modules.
>>                      huntgroups
>>                              ##Matches based on NAS
>>                      hints
>>                              ##Matches on user
>> auth_log     ##This defines where the log will be
>> suffix               ##Defined as delimiter for proxying realms
>>                      ## Finds realm (if listed, if so will be used
>>                      ##starting in preproxy_users
>> eap          ##Set to define and perform EAP authentication (if in
>>              ##request)
>> files                ## Looks at the following files:
>>                      users
>>                              ##Used to decide how to AuthZ and AuthN
>>                              ##users.  Check items, if matched will
>>                              ##add reply info to NAS
>>                              ##if no specific match, will match
>>                              ##DEFAULT
>>                              ##User could move to
>>                      acct_users
>>                              ##Same as users file but for accounting.
>> !!!***!!!If there is no realm defined at this part, it will
>>
>>                      preproxy_users
>>                              ##Matches like users, but reply items
>>                              ##added to proxied request to new NAS
>>                      pre_proxy_log
>>                              ##Allows you to log the pre-proxied
>>                              ##request
>>
>> 3. Sent proxy request to radius server listed in proxy.conf if it did
>> find a realm match (based on suffix/px....
>> 4. Receives reply
>>      a. Looks at post_proxy
>>                      post_proxy_log
>>                              ##Logs post proxy info if enabled
>>                      attr_filter
>>                              ##Allows you to filter what the proxied
>>                              ##server sends back to NAS
>> 5. Sends Accept/Deny to NAS (with all attributes added or filtered)
>> 6. Accounting ----
> 

-- 
Walt Reynolds
Principle Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734) 615-9438
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
