[strongSwan] xauth authentication backend

Christoph Harder charder at telco-tech.de
Tue Oct 1 12:22:31 CEST 2019


Hello everybody,

thank you very much, I'll have a look into FreeRADIUS for authentication.

Best regards,
Christoph

TELCO TECH GmbH
Berlin branch
Mädewalder Weg 2
12621 Berlin
Tel.: +49 30 565862610
Web: www.telco-tech.de
Amtsgericht Potsdam-Stadt HRB 55 79
Management:
Bernd Schulz
Silke Schirmer

On 01.10.19 at 12:13, Michael Schwartzkopff wrote:
> On 30.09.19 at 11:58, Noel Kuntze wrote:
>> Hello,
>>
>> You can express arbitrary authentication logic in FreeRADIUS. I do not know if you can do checks in parallel to save time
>> or if FreeRADIUS does that by itself automatically already.
>>
>> No, you can't load plugins at runtime.
>>
>> (Yeah, mixed top and bottom posting like pros)
>>
>> Kind regards
>>
>> Noel
>>
>> On 30.09.19 at 10:39, Michael Schwartzkopff wrote:
>>> On 30.09.19 at 10:00, Christoph Harder wrote:
>>>> Hello,
>>>>
>>>> thank you for the help so far.
>>>>
>>>> Is the local RADIUS server the recommended approach or would it be
>>>> possible to write a custom xauth-plugin?
>>>>
>>>> I suspect most RADIUS servers do provide a way to do authentication by
>>>> database (e.g. a locally running SQL database) or directory (LDAP and
>>>> Active Directory) and possibly more backends, but not necessarily both
>>>> at the same time using an OR operation (user is either member of the
>>>> correct user group in the directory or found in a local database).
>>>>
>>>> Is there a way to load plugins dynamically at runtime?
>>>>
>>>> Best regards,
>>>> Christoph Harder
>>> FreeRADIUS offers the possibility to authenticate against several
>>> backends. The latest versions also offer the possibility to have a
>>> syntax like "this or that".
>>>
>>>
>>>
>>>> On 27.09.19 at 17:37, Noel Kuntze wrote:
>>>>> Hello,
>>>>>
>>>>> You will need to go through a local RADIUS server, in which you need
>>>>> to implement your custom authentication logic
>>>>> (meaning the checking against all those different backends). You'll
>>>>> use the eap-radius plugin for that, which will
>>>>> then automatically also forward all XAUTH authentications to the
>>>>> configured RADIUS server.
>>>>>
>>>>> Multiple authentication rounds means that the client actively
>>>>> participates in each of those rounds and each one
>>>>> has to succeed, meaning it has to be aware of those. In your case,
>>>>> that evidently won't work for you.
>>>>>
>>>>> Kind regards
>>>>>
>>>>> Noel
>>>>>
>>>>> On 27.09.19 at 16:05, Felipe Arturo Polanco wrote:
>>>>>> Hi,
>>>>>>
>>>>>> You can check out multiple authentication rounds, it will provide
>>>>>> you with chain authentication using multiple backends.
>>>>>>
>>>>>> On Fri, Sep 27, 2019 at 7:38 AM Christoph Harder
>>>>>> <charder at telco-tech.de> wrote:
>>>>>>
>>>>>>       Hello everybody,
>>>>>>
>>>>>>       currently I do have the problem that I need to set up xauth but with a
>>>>>>       custom authentication backend. To be more specific, I need to check if a
>>>>>>       user that tries to authenticate with xauth exists in one of multiple
>>>>>>       backends and if his/her credentials are correct (e.g. simultaneously
>>>>>>       looking in a local DB, one or more LDAP directories and/or a RADIUS server).
>>>>>>
>>>>>>       Is there any way to perform custom authentication and authorization?
>>>>>>
>>>>>>       Sadly PAM is not an option/not available on this system.
>>>>>>
>>>>>>       The ext-auth plugin is missing the password, so I can't use it to check
>>>>>>       if the user actually provided the correct credentials only if he/she
>>>>>>       exists and is authorized to connect.
>>>>>>
>>>>>>       Best regards,
>>>>>>       Christoph Harder
>>>>>>
>>>>>>       --
>>>>>>       TELCO TECH GmbH
>>>>>>       Berlin branch
>>>>>>       Mädewalder Weg 2
>>>>>>       12621 Berlin
>>>>>>       Tel.: +49 30 565862610
>>>>>>       Web: www.telco-tech.de
>>>>>>       Amtsgericht Potsdam-Stadt HRB 55 79
>>>>>>       Management:
>>>>>>       Bernd Schulz
>>>>>>       Silke Schirmer
>>>>>>
>>> Kind regards,
>>>
> FreeRADIUS docu for redundant / failover backend authentication (or more
> general: modules):
> 
> https://wiki.freeradius.org/config/Fail-over
> 
> 
> 
> Kind regards,
> 
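
A configuration sketch of the setup discussed in this thread (eap-radius pointing at a local FreeRADIUS that accepts a user from either a local SQL database or an LDAP directory). This is an added example, not configuration posted by any participant. The file locations, the module instance names `sql` and `ldap`, the loopback address and the secret placeholder are assumptions, and FreeRADIUS 3.x syntax is assumed.

```conf
# === strongswan.conf (strongSwan side): send XAuth checks to a local RADIUS server ===
charon {
    plugins {
        eap-radius {
            servers {
                local {
                    # Loopback only: the XAuth user name and password are
                    # passed to this server as RADIUS User-Name/User-Password.
                    address = 127.0.0.1
                    auth_port = 1812
                    secret = REPLACE_WITH_LONG_RANDOM_SECRET   # placeholder
                }
            }
        }
    }
}

# === FreeRADIUS 3.x virtual server (assumed: sites-enabled/default) ===
authorize {
    preprocess
    # "Local database OR directory": try sql first, use ldap only if needed.
    group {
        sql {
            ok = return        # user found locally: leave the group, skip ldap
            updated = return
            notfound = 1       # unknown locally: continue to ldap
            fail = 1           # database unreachable: continue to ldap
        }
        ldap
    }
    # Selects the password check against whatever the matching backend supplied.
    # If the directory does not expose a password attribute, LDAP bind
    # authentication has to be configured in addition (not shown here).
    pap
}
```

A reject from `sql` still ends the request, so a user present in both backends is judged by the local database alone. The directory group-membership check mentioned in the thread is not shown; the connection can select the RADIUS XAuth backend explicitly with the `xauth-radius` auth method.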

