[strongSwan] xauth authentication backend

Christoph Harder charder at telco-tech.de
Mon Sep 30 10:00:46 CEST 2019


Hello,

thank you for the help so far.

Is the local RADIUS server the recommended approach or would it be 
possible to write a custom xauth-plugin?

I suspect most RADIUS servers do provide a way to do authentication by 
database (e.g. a locally running SQL database) or directory (LDAP and 
Active Directory) and possibly more backends, but not necessarily both 
at the same time using an OR operation (user is either member of the 
correct user group in the directory or found in a local database).

Is there a way to load plugins dynamically at runtime?

Best regards,
Christoph Harder


On 27.09.19 at 17:37, Noel Kuntze wrote:
> Hello,
> 
> You will need to go through a local RADIUS server, in which you need to implement your custom authentication logic
> (meaning the checking against all those different backends). You'll use the eap-radius plugin for that, which will
> then automatically also forward all XAUTH authentications to the configured RADIUS server.
> 
> Multiple authentication rounds means that the client actively participates in every one of those rounds and each one
> has to succeed, meaning it has to be aware of those. In your case, that evidently won't work for you.
> 
> Kind regards
> 
> Noel
> 
> On 27.09.19 at 16:05, Felipe Arturo Polanco wrote:
>> Hi,
>>
>> You can check out multiple authentication rounds, it will provide you with chain authentication using multiple backends.
>>
>> On Fri, Sep 27, 2019 at 7:38 AM Christoph Harder <charder at telco-tech.de> wrote:
>>
>>      Hello everybody,
>>
>>      currently I do have the problem that I need to set up xauth but with a
>>      custom authentication backend. To be more specific, I need to check if a
>>      user that tries to authenticate with xauth exists in one of multiple
>>      backends and if his/her credentials are correct (e.g. simultaneously
>>      looking in a local DB, one or more LDAP directories and/or a RADIUS server).
>>
>>      Is there any way to perform custom authentication and authorization?
>>
>>      Sadly PAM is not an option/not available on this system.
>>
>>      The ext-auth plugin is missing the password, so I can't use it to check
>>      if the user actually provided the correct credentials only if he/she
>>      exists and is authorized to connect.
>>
>>      Best regards,
>>      Christoph Harder
>>
>>      --
>>      TELCO TECH GmbH
>>      Niederlassung Berlin
>>      Mädewalder Weg 2
>>      12621 Berlin
>>      Tel.: +49 30 565862610
>>      Web: www.telco-tech.de
>>      Amtsgericht Potsdam-Stadt HRB 55 79
>>      Geschäftsführung:
>>      Bernd Schulz
>>      Silke Schirmer
>>
> 

-- 
TELCO TECH GmbH
Niederlassung Berlin
Mädewalder Weg 2
12621 Berlin
Tel.: +49 30 565862610
Web: www.telco-tech.de
Amtsgericht Potsdam-Stadt HRB 55 79
Geschäftsführung:
Bernd Schulz
Silke Schirmer
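
The OR-combination asked about above (member of the right directory group, or present in a local database), written as the decision function a local RADIUS server's authentication hook could call. This is an added example, not code from the thread or from strongSwan; the backend functions, names and sample data are constructed, and a real directory check would be an LDAP bind plus a group lookup.

```python
import hashlib
import hmac

ITERATIONS = 100_000
SALT = b"constructed-salt"
# Constructed sample data standing in for the real backends.
LOCAL_DB = {"alice": hashlib.pbkdf2_hmac("sha256", b"alice-pw", SALT, ITERATIONS)}
DIRECTORY = {"bob": ("bob-pw", {"vpn-users"}), "carol": ("carol-pw", {"staff"})}
REQUIRED_GROUP = "vpn-users"

class BackendUnavailable(Exception):
    """Raised by a backend that could not be reached."""

def check_local_db(user, password):
    stored = LOCAL_DB.get(user)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)
    return hmac.compare_digest(candidate, stored)

def check_directory(user, password):
    # Stand-in for an LDAP bind followed by a group membership query.
    entry = DIRECTORY.get(user)
    if entry is None:
        return False
    stored_pw, groups = entry
    return hmac.compare_digest(stored_pw.encode(), password.encode()) \
        and REQUIRED_GROUP in groups

def check_offline(user, password):
    # Constructed backend that is always down, to exercise the error path.
    raise BackendUnavailable("constructed outage")

def authenticate(user, password, backends):
    """Accept if ANY backend accepts; a backend error never counts as accept."""
    # Reject empty credentials up front: an LDAP simple bind with an empty
    # password is an unauthenticated bind and succeeds on many servers.
    if not user or not password:
        return False
    for backend in backends:
        try:
            if backend(user, password):
                return True
        except BackendUnavailable:
            continue  # fail closed for this backend, try the next one
    return False

BACKENDS = [check_local_db, check_directory]
```

The RADIUS hook would map a True result to Access-Accept and anything else to Access-Reject.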

