[strongSwan] xauth authentication backend

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Sep 30 11:58:49 CEST 2019


You can express arbitrary authentication logic in FreeRADIUS. I do not know if you can do checks in parallel to save time
or if FreeRADIUS does that by itself automatically already.

No, you can't load plugins at runtime.

(Yeah, mixed top and bottom posting like pros)

Kind regards


Am 30.09.19 um 10:39 schrieb Michael Schwartzkopff:
> Am 30.09.19 um 10:00 schrieb Christoph Harder:
>> Hello,
>> thank you for the help so far.
>> Is the local RADIUS server the recommend approach or would it be
>> possible to write a custom xauth-plugin?
>> I suspect most RADIUS servers do provide a way to do authentication by
>> database (e.g. a locally running SQL database) or directory (LDAP and
>> Active Directory) and possibly more backends, but not necessarily both
>> at the same time using an OR operation (user is either member of the
>> correct user group in the directory or found in a local database).
>> Is there a way to load plugins dynamically at runtime?
>> Best regards,
>> Christoph Harder
> FreeRADIUS offers the possibility to authenticate against several
> backends. The lastest versions also offer the possibility to have a
> syntax like "this or that"
>> Am 27.09.19 um 17:37 schrieb Noel Kuntze:
>>> Hello,
>>> You will need to go through a local RADIUS server, in which you need
>>> to implement your custom authentication logic
>>> (meaning the checking against all those different backends). You'll
>>> use the eap-radius plugin for that, which will
>>> then automatically also forward all XAUTH authentications to the
>>> configured RADIUS server.
>>> Multiple authentication rounds means that the client actively
>>> participates in every of those rounds and each one
>>> has to succeed, meaning it has to be aware of those. In your case,
>>> that evidently won't work for you.
>>> Kind regards
>>> Noel
>>> Am 27.09.19 um 16:05 schrieb Felipe Arturo Polanco:
>>>> Hi,
>>>> You can check out multiple authentication rounds, it will provide
>>>> with chain authentication using multiple backends.
>>>> On Fri, Sep 27, 2019 at 7:38 AM Christoph Harder
>>>> <charder at telco-tech.de <mailto:charder at telco-tech.de>> wrote:
>>>>      Hello everybody,
>>>>      currently I do have the problem, that I need to setup xauth but
>>>> with a
>>>>      custom authentication backend. To be more specific, I need to
>>>> check if a
>>>>      user that tries to authenticate with xauth exists in one of
>>>> multiple
>>>>      backends and if his/her credentials are correct (e.g.
>>>> simultaniously
>>>>      looking in a local DB, one or more LDAP directories and/or a
>>>> RADIUS server).
>>>>      Is there any way to perform custom authentication and
>>>> authorization?
>>>>      Sadly PAM is not an option/not available on this system.
>>>>      The ext-auth plugin is missing the password, so I can't use it
>>>> to check
>>>>      if the user actually provided the correct credentials only if
>>>> he/she
>>>>      exists and is authorized to connect.
>>>>      Best regards,
>>>>      Christoph Harder
>>>>      --
>>>>      TELCO TECH GmbH
>>>>      Niederlassung Berlin
>>>>      Mädewalder Weg 2
>>>>      12621 Berlin
>>>>      Tel.: +49 30 565862610
>>>>      Web: www.telco-tech.de <http://www.telco-tech.de>
>>>>      Amtsgericht Potsdam-Stadt HRB 55 79
>>>>      Geschäftsführung:
>>>>      Bernd Schulz
>>>>      Silke Schirmer
> Mit freundlichen Grüßen,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190930/2c37d2ac/attachment.sig>

More information about the Users mailing list