[strongSwan] xauth authentication backend
Michael Schwartzkopff
ms at sys4.de
Mon Sep 30 10:39:22 CEST 2019
Am 30.09.19 um 10:00 schrieb Christoph Harder:
> Hello,
>
> thank you for the help so far.
>
> Is the local RADIUS server the recommend approach or would it be
> possible to write a custom xauth-plugin?
>
> I suspect most RADIUS servers do provide a way to do authentication by
> database (e.g. a locally running SQL database) or directory (LDAP and
> Active Directory) and possibly more backends, but not necessarily both
> at the same time using an OR operation (user is either member of the
> correct user group in the directory or found in a local database).
>
> Is there a way to load plugins dynamically at runtime?
>
> Best regards,
> Christoph Harder
FreeRADIUS offers the possibility to authenticate against several
backends. The lastest versions also offer the possibility to have a
syntax like "this or that"
>
> Am 27.09.19 um 17:37 schrieb Noel Kuntze:
>> Hello,
>>
>> You will need to go through a local RADIUS server, in which you need
>> to implement your custom authentication logic
>> (meaning the checking against all those different backends). You'll
>> use the eap-radius plugin for that, which will
>> then automatically also forward all XAUTH authentications to the
>> configured RADIUS server.
>>
>> Multiple authentication rounds means that the client actively
>> participates in every of those rounds and each one
>> has to succeed, meaning it has to be aware of those. In your case,
>> that evidently won't work for you.
>>
>> Kind regards
>>
>> Noel
>>
>> Am 27.09.19 um 16:05 schrieb Felipe Arturo Polanco:
>>> Hi,
>>>
>>> You can check out multiple authentication rounds, it will provide
>>> with chain authentication using multiple backends.
>>>
>>> On Fri, Sep 27, 2019 at 7:38 AM Christoph Harder
>>> <charder at telco-tech.de <mailto:charder at telco-tech.de>> wrote:
>>>
>>> Hello everybody,
>>>
>>> currently I do have the problem, that I need to setup xauth but
>>> with a
>>> custom authentication backend. To be more specific, I need to
>>> check if a
>>> user that tries to authenticate with xauth exists in one of
>>> multiple
>>> backends and if his/her credentials are correct (e.g.
>>> simultaniously
>>> looking in a local DB, one or more LDAP directories and/or a
>>> RADIUS server).
>>>
>>> Is there any way to perform custom authentication and
>>> authorization?
>>>
>>> Sadly PAM is not an option/not available on this system.
>>>
>>> The ext-auth plugin is missing the password, so I can't use it
>>> to check
>>> if the user actually provided the correct credentials only if
>>> he/she
>>> exists and is authorized to connect.
>>>
>>> Best regards,
>>> Christoph Harder
>>>
>>> --
>>> TELCO TECH GmbH
>>> Niederlassung Berlin
>>> Mädewalder Weg 2
>>> 12621 Berlin
>>> Tel.: +49 30 565862610
>>> Web: www.telco-tech.de <http://www.telco-tech.de>
>>> Amtsgericht Potsdam-Stadt HRB 55 79
>>> Geschäftsführung:
>>> Bernd Schulz
>>> Silke Schirmer
>>>
>>
>
Mit freundlichen Grüßen,
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 213 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190930/83168fb1/attachment-0001.sig>
More information about the Users
mailing list