[strongSwan] xauth authentication backend

Michael Schwartzkopff ms at sys4.de
Tue Oct 1 12:13:09 CEST 2019


On 30.09.19 at 11:58, Noel Kuntze wrote:
> Hello,
>
> You can express arbitrary authentication logic in FreeRADIUS. I do not know if you can do checks in parallel to save time
> or if FreeRADIUS does that by itself automatically already.
>
> No, you can't load plugins at runtime.
>
> (Yeah, mixed top and bottom posting like pros)
>
> Kind regards
>
> Noel
>
> On 30.09.19 at 10:39, Michael Schwartzkopff wrote:
>> On 30.09.19 at 10:00, Christoph Harder wrote:
>>> Hello,
>>>
>>> thank you for the help so far.
>>>
>>> Is the local RADIUS server the recommended approach or would it be
>>> possible to write a custom xauth-plugin?
>>>
>>> I suspect most RADIUS servers do provide a way to do authentication by
>>> database (e.g. a locally running SQL database) or directory (LDAP and
>>> Active Directory) and possibly more backends, but not necessarily both
>>> at the same time using an OR operation (user is either member of the
>>> correct user group in the directory or found in a local database).
>>>
>>> Is there a way to load plugins dynamically at runtime?
>>>
>>> Best regards,
>>> Christoph Harder
>> FreeRADIUS offers the possibility to authenticate against several
>> backends. The latest versions also offer the possibility to have a
>> syntax like "this or that"
>>
>>
>>
>>> On 27.09.19 at 17:37, Noel Kuntze wrote:
>>>> Hello,
>>>>
>>>> You will need to go through a local RADIUS server, in which you need
>>>> to implement your custom authentication logic
>>>> (meaning the checking against all those different backends). You'll
>>>> use the eap-radius plugin for that, which will
>>>> then automatically also forward all XAUTH authentications to the
>>>> configured RADIUS server.
>>>>
>>>> Multiple authentication rounds means that the client actively
>>>> participates in every one of those rounds and each one
>>>> has to succeed, meaning it has to be aware of those. In your case,
>>>> that evidently won't work for you.
>>>>
>>>> Kind regards
>>>>
>>>> Noel
>>>>
>>>> On 27.09.19 at 16:05, Felipe Arturo Polanco wrote:
>>>>> Hi,
>>>>>
>>>>> You can check out multiple authentication rounds, it will provide
>>>>> you with chain authentication using multiple backends.
>>>>>
>>>>> On Fri, Sep 27, 2019 at 7:38 AM Christoph Harder
>>>>> <charder at telco-tech.de> wrote:
>>>>>
>>>>>      Hello everybody,
>>>>>
>>>>>      currently I do have the problem that I need to set up xauth but with a
>>>>>      custom authentication backend. To be more specific, I need to check if a
>>>>>      user that tries to authenticate with xauth exists in one of multiple
>>>>>      backends and if his/her credentials are correct (e.g. simultaneously
>>>>>      looking in a local DB, one or more LDAP directories and/or a RADIUS server).
>>>>>
>>>>>      Is there any way to perform custom authentication and authorization?
>>>>>
>>>>>      Sadly PAM is not an option/not available on this system.
>>>>>
>>>>>      The ext-auth plugin is missing the password, so I can't use it to check
>>>>>      if the user actually provided the correct credentials, only if he/she
>>>>>      exists and is authorized to connect.
>>>>>
>>>>>      Best regards,
>>>>>      Christoph Harder
>>>>>
>>>>>      --
>>>>>      TELCO TECH GmbH
>>>>>      Berlin branch
>>>>>      Mädewalder Weg 2
>>>>>      12621 Berlin
>>>>>      Tel.: +49 30 565862610
>>>>>      Web: www.telco-tech.de
>>>>>      Amtsgericht Potsdam-Stadt HRB 55 79
>>>>>      Managing directors:
>>>>>      Bernd Schulz
>>>>>      Silke Schirmer
>>>>>
>> Kind regards,
>>
FreeRADIUS documentation for redundant / failover backend authentication
(or, more generally, modules):

https://wiki.freeradius.org/config/Fail-over



Kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
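
The "this or that" backend logic discussed in this thread, as an added example that is not from any of the posters or from the FreeRADIUS or strongSwan projects: a FreeRADIUS 3.x virtual-server fragment that checks a user against LDAP first and against a local SQL database second. It assumes module instances named `ldap` and `sql` are already configured, and that strongSwan's eap-radius plugin forwards the XAuth user name and password to this server.

```conf
# Added example: fragment of a FreeRADIUS 3.x virtual server.
# Assumption: module instances "ldap" and "sql" exist in mods-enabled/.

authorize {
    # First backend: look the user up in the directory.
    ldap
    if (ok || updated) {
        # User exists in LDAP: verify the password with an LDAP bind.
        # A wrong password is then a reject; SQL is not consulted.
        update control {
            Auth-Type := LDAP
        }
    }
    elsif (notfound) {
        # User is not in LDAP: fall back to the local SQL database,
        # which supplies the reference password for this user.
        sql
    }

    # Selects PAP when the request carries a User-Password and no
    # Auth-Type has been set above (i.e. the SQL path).
    pap
}

authenticate {
    # LDAP path: bind to the directory as the user.
    Auth-Type LDAP {
        ldap
    }
    # SQL path: compare User-Password with the stored reference password.
    Auth-Type PAP {
        pap
    }
}
```

If the LDAP server is unreachable, the `ldap` module returns `fail` rather than `notfound`, and by default the request is rejected before SQL is tried; the Fail-over page linked above describes how to override a module's return-code handling.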

