[strongSwan] xauth authentication backend
Christoph Harder
charder at telco-tech.de
Mon Sep 30 10:00:46 CEST 2019
Hello,
thank you for the help so far.
Is the local RADIUS server the recommend approach or would it be
possible to write a custom xauth-plugin?
I suspect most RADIUS servers do provide a way to do authentication by
database (e.g. a locally running SQL database) or directory (LDAP and
Active Directory) and possibly more backends, but not necessarily both
at the same time using an OR operation (user is either member of the
correct user group in the directory or found in a local database).
Is there a way to load plugins dynamically at runtime?
Best regards,
Christoph Harder
Am 27.09.19 um 17:37 schrieb Noel Kuntze:
> Hello,
>
> You will need to go through a local RADIUS server, in which you need to implement your custom authentication logic
> (meaning the checking against all those different backends). You'll use the eap-radius plugin for that, which will
> then automatically also forward all XAUTH authentications to the configured RADIUS server.
>
> Multiple authentication rounds means that the client actively participates in every of those rounds and each one
> has to succeed, meaning it has to be aware of those. In your case, that evidently won't work for you.
>
> Kind regards
>
> Noel
>
> Am 27.09.19 um 16:05 schrieb Felipe Arturo Polanco:
>> Hi,
>>
>> You can check out multiple authentication rounds, it will provide with chain authentication using multiple backends.
>>
>> On Fri, Sep 27, 2019 at 7:38 AM Christoph Harder <charder at telco-tech.de <mailto:charder at telco-tech.de>> wrote:
>>
>> Hello everybody,
>>
>> currently I do have the problem, that I need to setup xauth but with a
>> custom authentication backend. To be more specific, I need to check if a
>> user that tries to authenticate with xauth exists in one of multiple
>> backends and if his/her credentials are correct (e.g. simultaniously
>> looking in a local DB, one or more LDAP directories and/or a RADIUS server).
>>
>> Is there any way to perform custom authentication and authorization?
>>
>> Sadly PAM is not an option/not available on this system.
>>
>> The ext-auth plugin is missing the password, so I can't use it to check
>> if the user actually provided the correct credentials only if he/she
>> exists and is authorized to connect.
>>
>> Best regards,
>> Christoph Harder
>>
>> --
>> TELCO TECH GmbH
>> Niederlassung Berlin
>> Mädewalder Weg 2
>> 12621 Berlin
>> Tel.: +49 30 565862610
>> Web: www.telco-tech.de <http://www.telco-tech.de>
>> Amtsgericht Potsdam-Stadt HRB 55 79
>> Geschäftsführung:
>> Bernd Schulz
>> Silke Schirmer
>>
>
--
TELCO TECH GmbH
Niederlassung Berlin
Mädewalder Weg 2
12621 Berlin
Tel.: +49 30 565862610
Web: www.telco-tech.de
Amtsgericht Potsdam-Stadt HRB 55 79
Geschäftsführung:
Bernd Schulz
Silke Schirmer
More information about the Users
mailing list