Reimer Karlsen-Masur, DFN-CERT wrote:
> I appreciate the tables explaining the compatibility of authentication
> systems / protocols to password type compatibility from:
> But I am still confused about the relationship of these two tables to each
> other and how to use them.
> Is the following considered correct?
> 1. If I am using the back end DB (e.g. ldap or users file, etc.) as a simple
> *password store*, only [table 1] if of interest.
> And freeradius is able to
> connect to the back end (if there is a rlm_<back-end-db> module available),
> authenticate itself with a special radius server account/user credential and
> to retrieve the password plus optionally some other attribute values if the
> radius server *itself* authenticates successfully with the back end DB. The
> radius server itself is then performing the user name/password check to
> accept or reject the authentication request of the user trying to connect.
> 2. If I am using the back end DB (e.g. ldap etc.) as an *authentication
> oracle*, [table 2] tells me which authentication oracle system I can use
> (depending on the authentication protocol that the supplicant/client/user is
> and [table 1] tells me in which format the passwords need to be
> stored in the authentication oracle.
Yes. Except that PAP is compatible with all password formats. Also,
ntlm_auth is used on Windows, which stores passwords in cleartext or
NT-Hash format, and nothing else.
So after reading the "oracle" page, there's no need to go back to the
other page to see how to store the passwords.
> And freeradius is able to connect to
> the back end (if there is a rlm_<back-end-db> module available), to
> authenticate *with the user provided* credentials (username/password) and to
> optionally retrieve some attribute values if the *user* authenticated
> successfully against the authN oracle.
No. Authentication has nothing to do with retrieving other
information. When an authentication oracle is used, FreeRADIUS takes
the username && password, and hands them to the oracle. The oracle
returns yes/no, and nothing else.
> ps: There is probably a small typo in the column heading of [table 1]:
> 'SSHA1 hash' should be 'SHA1 hash' and 'Salted SSHA1 hash' should be 'Salted
> SHA1 hash (SSHA1)'
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html