That has to go in the wiki somewhere. That's possibly the best explanation of 
how FreeRADIUS processes requests I've ever heard... :)

-Arran
On Jun 18, 2010, at 1:50 PM, John Dennis wrote:

> On 06/18/2010 04:03 PM, Kyle Plimack wrote:
>> So how do I get pap to do it?
> 
> If you're asking how you get pap to do mschap then that's a nonsensical 
> question.
> 
> Here is how things work:
> 
> The client sends you a radius auth request, you don't get to decide what's in 
> it, the client does.
> 
> The radius server looks at the request and says
> 
> "hmmm... let's see what do we have here? What can I do with this?"
> 
> The answer to that is what auth types you have enabled, what the server can 
> lookup, and what's in the request.
> 
> The server will do something like this:
> 
> "Yo unix module, can you handle this one?"
> 
> "Hey pap module, can you handle this one?"
> 
> "Yo mschap module, can you handle this one?"
> 
> At some point hopefully one of the modules will say:
> 
> "No problem I got it"
> 
> The decision as to whether a module can handle the request is made by the 
> module by looking at the data available to it.
> 
> So let's say the client sends a request with a password and you've got pap 
> enabled. The pap module looks at the request and says
> 
> "hmmm ... do I have a password for this user"
> 
> if so then compare my copy of the password to what's in the request.
> 
> How does radius find a user's password? By consulting its backend data store 
> which can be the users file, a SQL database, or ldap.
> 
> So before the pap module runs ldap will run. ldap says
> 
> "hmm... Can I find passwords for this user?" If so I'll add them to the 
> request as a check item so my dear friend the pap module can use them, you 
> know that pap guy, he's always looking for passwords.
> 
> But WAIT! What if the client sends a MSCHAP request? What does the radius 
> server say then?
> 
> "Well that's a fine kettle of fish! That client has really really tied my 
> hands on this one" The only thing the server can do is run the mschap logic.
> 
> The mschap module looks at the request to see if there is a check item with 
> either a clear text password or nt-hash (why? look at the protocol table). If 
> those haven't been added by one of the datastores the mschap module says:
> 
> "Sorry boss, no can do"
> 
> But now the server has run out of options, its only choice was mschap 
> because that's what the client sent it and the mschap module can't handle it. 
> So the server replies:
> 
> "Loser! You ain't getting in here with those credentials" (Well really 
> Auth-Reject)
> 
> 
> 
> -- 
> John Dennis <jden...@redhat.com>
> 
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

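The dispatch John walks through above, as an added Python model (illustration code, not part of the original thread and not FreeRADIUS code): a datastore supplies check items, the auth modules look at the request plus those check items to claim it, and a module that was forced to run without usable material rejects. The backend contents, the `process` entry point and the module functions are all assumptions of this model; it only implements pap with `Cleartext-Password`, and deliberately does not implement the MS-CHAPv2 response arithmetic.

```python
import hmac

# Constructed sample backend: the check items rlm_files / rlm_ldap / rlm_sql
# would attach to the request. Only alice has a form mschap can work with;
# bob's crypt(3) hash is useless for MS-CHAP (no cleartext, no NT hash).
BACKEND = {
    "alice": {"Cleartext-Password": "s3cret"},
    "bob":   {"Crypt-Password": "$1$constructed$notarealhash"},
}


def authorize(request, backend):
    """authorize section: the datastore adds check items, then each auth
    module looks at what the client sent and decides whether it can handle
    it by setting Auth-Type. The client, not the server, chose the contents."""
    check = dict(backend.get(request.get("User-Name"), {}))
    if "MS-CHAP-Challenge" in request and "MS-CHAP2-Response" in request:
        check["Auth-Type"] = "MS-CHAP"     # client "tied the server's hands"
    elif "User-Password" in request and "Cleartext-Password" in check:
        check["Auth-Type"] = "PAP"         # pap: "I have a password for this user"
    return check


def pap_authenticate(request, check):
    """pap: compare the stored copy with what is in the request."""
    ok = hmac.compare_digest(request["User-Password"].encode(),
                             check["Cleartext-Password"].encode())
    return ("Access-Accept" if ok else "Access-Reject", "pap: password comparison")


def mschap_authenticate(request, check):
    """mschap: needs a clear-text password or an NT hash as a check item."""
    if "Cleartext-Password" not in check and "NT-Password" not in check:
        return ("Access-Reject", "mschap: no Cleartext-Password or NT-Password, no can do")
    # The real module verifies MS-CHAP2-Response here (MD4/SHA1/DES); this
    # model stops at the "do I have the material" decision the email describes.
    raise NotImplementedError("MS-CHAPv2 response verification not modelled")


AUTHENTICATE = {"PAP": pap_authenticate, "MS-CHAP": mschap_authenticate}


def process(request, backend=BACKEND):
    """Run authorize, then the authenticate handler for the chosen Auth-Type."""
    check = authorize(request, backend)
    auth_type = check.get("Auth-Type")
    if auth_type is None:
        return ("Access-Reject", "no module claimed the request")
    return AUTHENTICATE[auth_type](request, check)


if __name__ == "__main__":
    print(process({"User-Name": "alice", "User-Password": "s3cret"}))
    print(process({"User-Name": "bob", "MS-CHAP-Challenge": b"\0" * 16,
                   "MS-CHAP2-Response": b"\0" * 50}))
```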