802.1x ->Radius ->Ldap
jdennis at redhat.com
Fri Jun 18 22:50:53 CEST 2010
On 06/18/2010 04:03 PM, Kyle Plimack wrote:
> So how do I get pap to do it?
If you're asking how you get pap to do mschap then that's a
Here is how things work:
The client sends you a radius auth request, you don't get to decide
what's in it, the client does.
The radius server looks at the request and says
"hmmm... let's see, what do we have here? What can I do with this?"
The answer to that is what auth types you have enabled, what the server
can lookup, and what's in the request.
The server will do something like this:
"Yo unix module, can you handle this one?"
"Hey pap module, can you handle this one?"
"Yo mschap module, can you handle this one?"
At some point hopefully one of the modules will say:
"No problem I got it"
The decision as to whether a module can handle the request is made by
the module by looking at the data available to it.
So let's say the client sends a request with a password and you've got
pap enabled. The pap module looks at the request and says
"hmmm ... do I have a password for this user"
if so then compare my copy of the password to what's in the request.
How does radius find a user's password? By consulting its backend data
store which can be the users file, a SQL database, or ldap.
So before the pap module runs ldap will run. ldap says
"hmm... Can I find passwords for this user?" If so I'll add them to the
request as a check item so my dear friend the pap module can use them,
you know that pap guy, he's always looking for passwords.
But WAIT! What if the client sends a MSCHAP request? What does the
radius server say then?
"Well that's a fine kettle of fish! That client has really really tied
my hands on this one" The only thing the server can do is run the mschap
The mschap module looks at the request to see if there is a check item with
either a clear text password or nt-hash (why? look at the protocol
table). If those haven't been added by one of the datastores the mschap
"Sorry boss, no can do"
But now the server has run out of options, its only choice was mschap
because that's what the client sent it and the mschap module can't handle
it. So the server replies:
"Loser! You ain't getting in here with those credentials" (Well really
John Dennis <jdennis at redhat.com>
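The dispatch John describes, as an added toy model (not FreeRADIUS code and not part of the post): the ldap backend adds whatever check items it can, then pap or mschap looks for the check item it needs. The attribute names (User-Password, MS-CHAP2-Response, Cleartext-Password, NT-Password) are real FreeRADIUS attributes; the directory contents and the simplified decision logic are constructed for illustration.

```python
# Constructed stand-in for the LDAP backend: what each entry lets the ldap
# module add to the request as a check item. Only a clear-text password or an
# NT hash is usable by pap/mschap; a salted SHA hash is not.
LDAP_DIRECTORY = {
    "alice": {"Cleartext-Password": "s3cret"},              # usable by pap and mschap
    "bob":   {"NT-Password": "0xCONSTRUCTED_NT_HASH"},      # usable by mschap only
    "carol": {"userPassword": "{SSHA}CONSTRUCTED_DIGEST"},  # usable by neither
}

# Check items each module needs before it can say "No problem, I got it".
PAP_NEEDS = ("Cleartext-Password",)
MSCHAP_NEEDS = ("Cleartext-Password", "NT-Password")


def ldap_authorize(user):
    """Authorize phase: ldap adds the check items it can find for this user."""
    entry = LDAP_DIRECTORY.get(user, {})
    return {k: v for k, v in entry.items() if k in MSCHAP_NEEDS}


def dispatch(user, request):
    """Authenticate phase: the client's request decides which module must run.

    Returns (module, outcome). The mschap cryptographic verification itself
    is out of scope here; the model only decides whether mschap can proceed.
    """
    check = ldap_authorize(user)
    if "User-Password" in request:                      # client sent PAP
        if not any(k in check for k in PAP_NEEDS):
            return ("pap", "reject: no known-good password for user")
        ok = request["User-Password"] == check["Cleartext-Password"]
        return ("pap", "accept" if ok else "reject: bad password")
    if "MS-CHAP2-Response" in request:                  # client sent MSCHAPv2
        if not any(k in check for k in MSCHAP_NEEDS):
            return ("mschap", "reject: needs Cleartext-Password or NT-Password")
        return ("mschap", "proceed: verify response against NT hash")
    return ("none", "reject: no module can handle this request")


if __name__ == "__main__":
    print(dispatch("alice", {"User-Password": "s3cret"}))
    print(dispatch("bob", {"User-Password": "s3cret"}))
    print(dispatch("bob", {"MS-CHAP2-Response": "..."}))
    print(dispatch("carol", {"MS-CHAP2-Response": "..."}))
```

The carol case is the "Sorry boss, no can do" path: the directory has a password, but not in a form mschap can use, so the server has nothing left to try.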