Reimer Karlsen-Masur, DFN-CERT wrote:
> I appreciate the tables explaining the compatibility of authentication
> systems / protocols to password type compatibility from: ....
> But I am still confused about the relationship of these two tables to each
> other and how to use them.
>
> Is the following considered correct?
>
> 1. If I am using the back end DB (e.g. ldap or users file, etc.) as a simple
> *password store*, only [table 1] is of interest.

Yes.

> And freeradius is able to
> connect to the back end (if there is a rlm_<back-end-db> module available),
> authenticate itself with a special radius server account/user credential and
> to retrieve the password plus optionally some other attribute values if the
> radius server *itself* authenticates successfully with the back end DB. The
> radius server itself is then performing the user name/password check to
> accept or reject the authentication request of the user trying to connect.

Yes.

> 2. If I am using the back end DB (e.g. ldap etc.) as an *authentication
> oracle*, [table 2] tells me which authentication oracle system I can use
> (depending on the authentication protocol that the supplicant/client/user is
> using)

Yes.

> and [table 1] tells me in which format the passwords need to be
> stored in the authentication oracle.

Yes. Except that PAP is compatible with all password formats. Also, ntlm_auth is used on Windows, which stores passwords in cleartext or NT-Hash format, and nothing else.

So after reading the "oracle" page, there's no need to go back to the other page to see how to store the passwords.

> And freeradius is able to connect to
> the back end (if there is a rlm_<back-end-db> module available), to
> authenticate *with the user provided* credentials (username/password) and to
> optionally retrieve some attribute values if the *user* authenticated
> successfully against the authN oracle.

No. Authentication has nothing to do with retrieving other information.

When an authentication oracle is used, FreeRADIUS takes the username && password, and hands them to the oracle. The oracle returns yes/no, and nothing else.

> ps: There is probably a small typo in the column heading of [table 1]:
> 'SSHA1 hash' should be 'SHA1 hash' and 'Salted SSHA1 hash' should be 'Salted
> SHA1 hash (SSHA1)'

Fixed, thanks.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
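The following is an added example, not part of the thread and not FreeRADIUS code: a small Python model of the two modes discussed above. In "password store" mode the server binds to the back end with its own service credential, fetches the stored password and any extra attributes, and performs the check itself, so a PAP cleartext can be verified against any stored format while CHAP can only be verified against a cleartext record. In "authentication oracle" mode the server hands the user's own username and password to the oracle and gets back only yes or no, with no attributes. Assumptions: the users alice, bob and carol and their records are constructed sample data; the oracle models an LDAP bind (which needs the cleartext, hence PAP only), not ntlm_auth; MS-CHAP and the NT-Hash format are not modelled; the `{SHA}`/`{SSHA}` encodings follow the usual LDAP userPassword conventions.

```python
import base64
import hashlib
import hmac
import os

# ---- password formats (the "table 1" side of the thread) ---------------------

def ssha_encode(password, salt=None):
    """LDAP {SSHA} value: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def sha_encode(password):
    """LDAP {SHA} value: base64(sha1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def stored_password_matches(stored, candidate):
    """PAP check performed by the RADIUS server itself. It works for every
    stored format because the server holds the cleartext the client sent."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(candidate.encode() + salt).digest())
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(base64.b64decode(stored[5:]),
                                   hashlib.sha1(candidate.encode()).digest())
    return hmac.compare_digest(stored.encode(), candidate.encode())  # cleartext record

def chap_response(chap_id, password, challenge):
    """RFC 1994 CHAP response: MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()

# ---- mode 1: back end used as a password store -------------------------------

# Constructed sample directory with hypothetical users (not real data).
STORE = {
    "alice": {"userPassword": "alice-pw", "Framed-IP-Address": "10.0.0.5"},
    "bob":   {"userPassword": ssha_encode("bob-pw", b"salt"), "Framed-IP-Address": "10.0.0.6"},
    "carol": {"userPassword": sha_encode("carol-pw")},
}
SERVICE_ACCOUNT = ("radius-svc", "svc-secret")  # the server's own bind credential (hypothetical)

def auth_via_store(username, protocol, credential, bind=SERVICE_ACCOUNT):
    """Server binds as itself, fetches the record, checks the password locally.
    Returns (accepted, reply_attributes)."""
    if bind != SERVICE_ACCOUNT:
        raise PermissionError("server could not authenticate to the back end")
    record = STORE.get(username)
    if record is None:
        return False, {}
    stored = record["userPassword"]
    attrs = {k: v for k, v in record.items() if k != "userPassword"}
    if protocol == "PAP":
        return stored_password_matches(stored, credential), attrs
    if protocol == "CHAP":
        # CHAP can only be verified when the stored password is cleartext.
        if stored.startswith("{"):
            return False, {}
        chap_id, challenge, response = credential
        return hmac.compare_digest(chap_response(chap_id, stored, challenge), response), attrs
    raise ValueError("unsupported protocol %s" % protocol)

# ---- mode 2: back end used as an authentication oracle -----------------------

class BindOracle:
    """Models an LDAP bind: the server hands over the user's own username and
    password and gets back only yes or no."""
    def __init__(self, records):
        self._records = records

    def check(self, username, password):
        record = self._records.get(username)
        return record is not None and stored_password_matches(record["userPassword"], password)

ORACLE = BindOracle(STORE)

def auth_via_oracle(oracle, username, protocol, credential):
    """Only a protocol that delivers the cleartext (PAP) can be handed to a bind
    oracle, and the oracle returns no attributes at all."""
    if protocol != "PAP":
        return False, {}
    return oracle.check(username, credential), {}

if __name__ == "__main__":
    chall = b"\x01\x02\x03\x04"
    print(auth_via_store("alice", "PAP", "alice-pw"))
    print(auth_via_store("bob", "PAP", "bob-pw"))
    print(auth_via_store("alice", "CHAP", (1, chall, chap_response(1, "alice-pw", chall))))
    print(auth_via_store("bob", "CHAP", (1, chall, chap_response(1, "bob-pw", chall))))
    print(auth_via_oracle(ORACLE, "bob", "PAP", "bob-pw"))
```

The two `auth_via_*` functions return the same shape so the difference is visible side by side: the store path yields reply attributes alongside the accept/reject, the oracle path never does, and the CHAP call against bob's salted SHA1 record fails even with the right password, which is the compatibility restriction the tables in the thread encode.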

