John T. Guthrie wrote:
> As it turns out, I have a configuration that accomplishes all of this
> *perfectly*.

  If it works...

> I should stress, this accomplishes *exactly* what I want. That said, it
> also involves explicit setting of Auth-Type. I have seen in more than
> one place that this is a Bad Thing(TM).

  It's a bad thing because 90% or more of the times people set Auth-Type,
they get it wrong. It's easiest to have a blanket statement saying "Don't
do that".

  And your configuration could be made simpler. You seem to always set
Auth-Type = Kerberos, so that only needs to be set once, not for every
user.

  Then, if you have a number of admins, the rules should be *role* based,
not *name* based. i.e. use rlm_passwd to create an "admin" group, and
then do:

DEFAULT NAS-Port-Type == "Virtual", Local-Group != "admin", Auth-Type := Reject

> My first question is how do I
> accomplish what the above configuration does without this explicit
> Auth-Type setting?

  You probably don't.

> (Or is the above configuration marginally acceptable
> because it only sets Auth-Type when it isn't already set?) Should I
> only be defining one authentication module that involves User-Password?

  Yes, and no.

> More generally, suppose that you have two different authentication
> modules, say unix and krb5, that use User-Password. How does FreeRADIUS
> tell which users are supposed to use unix and which are supposed to use
> krb5?

  In the CVS head (which has been fixed), the "unix" module no longer
authenticates anyone. Instead, it looks users up in /etc/passwd, and adds
"Crypt-Password" to the config items. Then, rlm_pap authenticates them.
This is *much* more flexible.

> (Assuming that you want some to use one, and some to use the
> other.) That is, how does RADIUS know what the "right thing" is in that
> case without being told explicitly?

  RADIUS doesn't know how to do the "right thing", FreeRADIUS does,
because we've put a lot of work into making it smart. :)

  In most cases, the choice of authentication protocols is simple: Look
in the Access-Request packet... it's requesting a particular
authentication protocol. So setting the authentication to any *other*
method means that authentication will fail.

  When finding the authentication *credentials* (i.e. password, etc.),
it's also usually pretty easy. Look up the user in /etc/passwd, or LDAP,
or whatever. If the user is found, take the credentials from there, and
associate them with the request.

  Then, you have an authentication protocol, and authentication
credentials, so knowing what to do for the act of authentication is
simple.

  The confusion comes when people misconstrue back-ends for
authentication protocols. i.e. doing EAP to an LDAP server.

  It gets more complicated when using something like Kerberos, which does
not supply authentication credentials. Instead, Kerberos is an "oracle":

http://deployingradius.com/documents/protocols/oracles.html

i.e. in a certain sense, you're proxying the authentication request to
the Kerberos server. So it's a very different manner of setting Auth-Type
than forcing LDAP when the Access-Request contains EAP.

> P.S. Before anyone says anything, I have read the documentation. More
> than once. It could very easily be that I have missed something totally
> obvious though.

  I'll try to clarify this in my book. In addition, if anyone can figure
out a clear way to configure this in the server, I'd like to know...

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
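The decision Alan describes above (protocol from the Access-Request, credentials from the back-end, then authenticate, with the role-based Reject rule applied on the way) as an added Python model. This is illustrative code written for this page, not FreeRADIUS source and not code from either poster. It assumes a constructed PASSWD/GROUPS table standing in for /etc/passwd and /etc/group, a SHA-256 hex digest standing in for the crypt(3) hash that rlm_unix would attach as Crypt-Password (so it runs without Python's deprecated crypt module), and hypothetical function names (requested_protocol, lookup_credentials, apply_users_rules, authorize, authenticate, handle). Only PAP is carried through to a password check; CHAP and EAP are recognised but not authenticated here.

```python
import hashlib
import hmac

# Constructed stand-ins for /etc/passwd and /etc/group (assumption, not real data).
# A SHA-256 hex digest stands in for the crypt(3) hash rlm_unix would attach
# as Crypt-Password, so the example runs without the deprecated crypt module.
PASSWD = {
    "alice": hashlib.sha256(b"correct horse").hexdigest(),
    "bob": hashlib.sha256(b"battery staple").hexdigest(),
}
GROUPS = {"admin": {"alice"}, "users": {"alice", "bob"}}


def requested_protocol(request):
    """Step 1 of the post: the Access-Request itself names the protocol,
    by which credential attribute it carries."""
    if "EAP-Message" in request:
        return "EAP"
    if "CHAP-Password" in request:
        return "CHAP"
    if "User-Password" in request:
        return "PAP"
    return None


def lookup_credentials(request, config):
    """Step 2: the back-end adds credentials to the config items without
    authenticating anyone (what the post says the CVS-head unix module does,
    plus the group lookup rlm_passwd would provide). False if user is unknown."""
    name = request.get("User-Name")
    if name not in PASSWD:
        return False
    config["Crypt-Password"] = PASSWD[name]
    config["Local-Group"] = [g for g, members in GROUPS.items() if name in members]
    return True


def apply_users_rules(request, config):
    """The role-based users-file rule from the post, modelled as a single check:
    DEFAULT NAS-Port-Type == "Virtual", Local-Group != "admin", Auth-Type := Reject
    """
    virtual = request.get("NAS-Port-Type") == "Virtual"
    if virtual and "admin" not in config.get("Local-Group", []):
        config["Auth-Type"] = "Reject"  # := overrides anything set before it


def authorize(request, forced_auth_type=None):
    """Authorize phase: gather config items, then decide Auth-Type.
    forced_auth_type models the explicit Auth-Type setting the post warns about."""
    config = {}
    found = lookup_credentials(request, config)
    apply_users_rules(request, config)
    if forced_auth_type is not None and "Auth-Type" not in config:
        config["Auth-Type"] = forced_auth_type
    if "Auth-Type" not in config and found:
        # What the server works out itself: protocol named by the request.
        config["Auth-Type"] = requested_protocol(request)
    return config


def authenticate(request, config):
    """Authenticate phase. Returns (reply_code, reason)."""
    auth_type = config.get("Auth-Type")
    if auth_type is None:
        return "Access-Reject", "no credentials found, nothing to authenticate with"
    if auth_type == "Reject":
        return "Access-Reject", "rejected by users-file rule"
    wanted = requested_protocol(request)
    if auth_type != wanted:
        # The post's point: forcing any *other* method than the one the
        # Access-Request carries means authentication fails.
        return "Access-Reject", f"Auth-Type {auth_type} forced, but request carries {wanted}"
    if auth_type == "PAP":
        digest = hashlib.sha256(request["User-Password"].encode()).hexdigest()
        if hmac.compare_digest(digest, config["Crypt-Password"]):
            return "Access-Accept", "rlm_pap: Crypt-Password matched"
        return "Access-Reject", "rlm_pap: Crypt-Password did not match"
    return "Access-Reject", f"{auth_type} not modelled in this example"


def handle(request, forced_auth_type=None):
    """Run authorize then authenticate on one Access-Request (a plain dict)."""
    return authenticate(request, authorize(request, forced_auth_type))


if __name__ == "__main__":
    # Constructed requests: admin over a virtual port, non-admin over a
    # virtual port, and an explicit Auth-Type that contradicts the request.
    print(handle({"User-Name": "alice", "User-Password": "correct horse", "NAS-Port-Type": "Virtual"}))
    print(handle({"User-Name": "bob", "User-Password": "battery staple", "NAS-Port-Type": "Virtual"}))
    print(handle({"User-Name": "alice", "User-Password": "correct horse"}, forced_auth_type="CHAP"))
```

The forced_auth_type path is the one the post says people get wrong: it is only honoured when nothing earlier set Auth-Type, and it still fails whenever it names a protocol the Access-Request did not ask for. Kerberos as an oracle is deliberately outside this model, since it supplies no Crypt-Password to compare against.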