[strongSwan] xauth authentication backend

Christoph Harder charder at telco-tech.de
Fri Oct 4 14:24:13 CEST 2019


Hello again,

we decided against a FreeRADIUS server for the moment, though it is 
definitely planned for the future.

I've written a tiny plugin that allows loading of a custom library for 
authentication and authorization.
It differs from the ext-auth plugin by
- allowing the use of a library function instead of a script or program
- allowing authentication instead of being limited to authorization

Is anyone interested in such a plugin/would you be interested in 
including such a plugin with strongSwan in the future?

Best regards,
Christoph Harder


On 01.10.19 at 12:22, Christoph Harder wrote:
> Hello everybody,
> 
> thank you very much, I'll have a look into FreeRADIUS for authentication.
> 
> Best regards,
> Christoph
> 
> TELCO TECH GmbH
> Niederlassung Berlin
> Mädewalder Weg 2
> 12621 Berlin
> Tel.: +49 30 565862610
> Web: www.telco-tech.de
> Amtsgericht Potsdam-Stadt HRB 55 79
> Geschäftsführung:
> Bernd Schulz
> Silke Schirmer
> 
> On 01.10.19 at 12:13, Michael Schwartzkopff wrote:
>> On 30.09.19 at 11:58, Noel Kuntze wrote:
>>> Hello,
>>>
>>> You can express arbitrary authentication logic in FreeRADIUS. I do 
>>> not know if you can do checks in parallel to save time
>>> or if FreeRADIUS does that by itself automatically already.
>>>
>>> No, you can't load plugins at runtime.
>>>
>>> (Yeah, mixed top and bottom posting like pros)
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> On 30.09.19 at 10:39, Michael Schwartzkopff wrote:
>>>> On 30.09.19 at 10:00, Christoph Harder wrote:
>>>>> Hello,
>>>>>
>>>>> thank you for the help so far.
>>>>>
>>>>> Is the local RADIUS server the recommended approach or would it be
>>>>> possible to write a custom xauth-plugin?
>>>>>
>>>>> I suspect most RADIUS servers do provide a way to do authentication by
>>>>> database (e.g. a locally running SQL database) or directory (LDAP and
>>>>> Active Directory) and possibly more backends, but not necessarily both
>>>>> at the same time using an OR operation (user is either member of the
>>>>> correct user group in the directory or found in a local database).
>>>>>
>>>>> Is there a way to load plugins dynamically at runtime?
>>>>>
>>>>> Best regards,
>>>>> Christoph Harder
>>>> FreeRADIUS offers the possibility to authenticate against several
>>>> backends. The latest versions also offer the possibility to have a
>>>> syntax like "this or that"
>>>>
>>>>
>>>>
>>>>> On 27.09.19 at 17:37, Noel Kuntze wrote:
>>>>>> Hello,
>>>>>>
>>>>>> You will need to go through a local RADIUS server, in which you need
>>>>>> to implement your custom authentication logic
>>>>>> (meaning the checking against all those different backends). You'll
>>>>>> use the eap-radius plugin for that, which will
>>>>>> then automatically also forward all XAUTH authentications to the
>>>>>> configured RADIUS server.
>>>>>>
>>>>>> Multiple authentication rounds means that the client actively
>>>>>> participates in each of those rounds and each one
>>>>>> has to succeed, meaning it has to be aware of those. In your case,
>>>>>> that evidently won't work for you.
>>>>>>
>>>>>> Kind regards
>>>>>>
>>>>>> Noel
>>>>>>
>>>>>> On 27.09.19 at 16:05, Felipe Arturo Polanco wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> You can check out multiple authentication rounds, it will provide
>>>>>>> chain authentication using multiple backends.
>>>>>>>
>>>>>>> On Fri, Sep 27, 2019 at 7:38 AM Christoph Harder
>>>>>>> <charder at telco-tech.de> wrote:
>>>>>>>
>>>>>>>       Hello everybody,
>>>>>>>
>>>>>>>       currently I do have the problem that I need to set up xauth but
>>>>>>>       with a custom authentication backend. To be more specific, I need
>>>>>>>       to check if a user that tries to authenticate with xauth exists in
>>>>>>>       one of multiple backends and if his/her credentials are correct
>>>>>>>       (e.g. simultaneously looking in a local DB, one or more LDAP
>>>>>>>       directories and/or a RADIUS server).
>>>>>>>
>>>>>>>       Is there any way to perform custom authentication and
>>>>>>> authorization?
>>>>>>>
>>>>>>>       Sadly PAM is not an option/not available on this system.
>>>>>>>
>>>>>>>       The ext-auth plugin is missing the password, so I can't use it
>>>>>>>       to check if the user actually provided the correct credentials,
>>>>>>>       only if he/she exists and is authorized to connect.
>>>>>>>
>>>>>>>       Best regards,
>>>>>>>       Christoph Harder
>>>>>>>
>>>>>>>
>>>> Kind regards,
>>>>
>> FreeRADIUS documentation for redundant / failover backend authentication (or more
>> generally: modules):
>>
>> https://wiki.freeradius.org/config/Fail-over
>>
>>
>>
>> Kind regards,
>>

