[strongSwan] xauth authentication backend
charder at telco-tech.de
Mon Sep 30 10:00:46 CEST 2019
Thank you for the help so far.
Is the local RADIUS server the recommended approach or would it be
possible to write a custom xauth-plugin?
I suspect most RADIUS servers do provide a way to do authentication by
database (e.g. a locally running SQL database) or directory (LDAP and
Active Directory) and possibly more backends, but not necessarily both
at the same time using an OR operation (user is either member of the
correct user group in the directory or found in a local database).
Is there a way to load plugins dynamically at runtime?
On 27.09.19 at 17:37, Noel Kuntze wrote:
> You will need to go through a local RADIUS server, in which you need to implement your custom authentication logic
> (meaning the checking against all those different backends). You'll use the eap-radius plugin for that, which will
> then automatically also forward all XAUTH authentications to the configured RADIUS server.
> Multiple authentication rounds means that the client actively participates in each of those rounds and each one
> has to succeed, meaning it has to be aware of those. In your case, that evidently won't work for you.
> Kind regards
> On 27.09.19 at 16:05, Felipe Arturo Polanco wrote:
>> You can check out multiple authentication rounds, it will provide you with chain authentication using multiple backends.
>> On Fri, Sep 27, 2019 at 7:38 AM Christoph Harder <charder at telco-tech.de> wrote:
>> Hello everybody,
>> currently I do have the problem that I need to set up xauth but with a
>> custom authentication backend. To be more specific, I need to check if a
>> user that tries to authenticate with xauth exists in one of multiple
>> backends and if his/her credentials are correct (e.g. simultaneously
>> looking in a local DB, one or more LDAP directories and/or a RADIUS server).
>> Is there any way to perform custom authentication and authorization?
>> Sadly PAM is not an option/not available on this system.
>> The ext-auth plugin is missing the password, so I can't use it to check
>> if the user actually provided the correct credentials only if he/she
>> exists and is authorized to connect.
>> Best regards,
>> Christoph Harder
>> TELCO TECH GmbH
>> Niederlassung Berlin
>> Mädewalder Weg 2
>> 12621 Berlin
>> Tel.: +49 30 565862610
>> Web: www.telco-tech.de
>> Amtsgericht Potsdam-Stadt HRB 55 79
>> Bernd Schulz
>> Silke Schirmer
TELCO TECH GmbH
Mädewalder Weg 2
Tel.: +49 30 565862610
Amtsgericht Potsdam-Stadt HRB 55 79
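
Added example (not part of the original thread, and not strongSwan or RADIUS server code): a sketch of the OR logic discussed above, as the custom check behind a local RADIUS server might implement it. All function names are hypothetical, the directory backend is an in-memory stand-in for an LDAP bind plus group check, and the user data is constructed.

```python
import hashlib, hmac, os, sqlite3

class BackendUnavailable(Exception):
    """Backend could not be reached; says nothing about the credentials."""

def make_local_db(users):
    """Build a constructed in-memory user table with salted PBKDF2 hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    for name, password in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))
    return db

def local_db_backend(db):
    def check(user, password):
        row = db.execute("SELECT salt, hash FROM users WHERE name = ?",
                         (user,)).fetchone()
        if row is None:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), row[0], 100_000)
        return hmac.compare_digest(digest, row[1])
    return check

def directory_backend(entries, required_group, reachable=True):
    """Stand-in for an LDAP bind plus group check; entries is constructed data."""
    def check(user, password):
        if not reachable:
            raise BackendUnavailable("directory")
        entry = entries.get(user)
        if entry is None:
            return False
        ok = hmac.compare_digest(entry["password"].encode(), password.encode())
        return ok and required_group in entry["groups"]
    return check

def authenticate_any(backends, user, password):
    """OR over backends: accept on first success, otherwise reject (fail closed)."""
    if not user or not password:
        return False, None  # an empty password must never reach an LDAP bind
    for name, check in backends:
        try:
            if check(user, password):
                return True, name
        except BackendUnavailable:
            continue  # an outage is not an accept; try the next backend
    return False, None
```

The returned backend name is meant for the authentication log, so an accept can be traced to the source that vouched for the user.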