Reputation: 1
I have a FreeRADIUS server which uses MySQL to store the data.
Following is my database:
radcheck table
+-----+----------+--------------------+----+--------------+
| id  | username | attribute          | op | value        |
+-----+----------+--------------------+----+--------------+
| 474 | varun    | Cleartext-Password | := | sunshine3003 |
+-----+----------+--------------------+----+--------------+

radreply table
+----+----------+--------------+----+-------+
| id | username | attribute    | op | value |
+----+----------+--------------+----+-------+
|  1 | varun    | Fall-Through | =  | Yes   |
+----+----------+--------------+----+-------+

radgroupcheck table
+----+-----------+-----------+----+-------+
| id | groupname | attribute | op | value |
+----+-----------+-----------+----+-------+
|  1 | group1    | Auth-Type | := | PAP   |
|  2 | eapgroup  | Auth-Type | := | EAP   |
+----+-----------+-----------+----+-------+

radusergroup table
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| varun    | eapgroup  |        1 |
| varun    | group1    |        2 |
+----------+-----------+----------+
We have two different clients which use two different authentication types with FreeRADIUS. One uses PAP and sends the password in the User-Password attribute, and the other client uses EAP and sends the password in EAP-Message and Message-Authenticator.

What I want is: when PAP fails to authenticate, or when the User-Password attribute is not present, it should use EAP as Auth-Type; and if EAP and Message-Authenticator are not present in the RADIUS attributes it should reply with Access-Reject or an authentication failure message.
Any help will be appreciated
Upvotes: 0
Views: 5271
Reputation: 6065
You shouldn't set control:Auth-Type manually. This attribute is there so that modules in the authorize section can communicate to the rest of the server the type of authentication that should be run in the authenticate section.

In order to set Auth-Type based on attributes you should list the pap, eap, etc. modules in turn in the authorize section; they'll check if the requisite attributes were in the request and determine the correct Auth-Type value.

If you want to make a policy to restrict certain users to certain types of authentication then set Auth-Type in the reply list (radgroupreply table), and check which Auth-Type has been set at the end of the authorize section:
authorize {
    # Each module sets control:Auth-Type only if its attributes are present:
    # eap needs EAP-Message, pap needs User-Password.
    eap
    pap
    # sql loads the user's check and reply items, including any
    # Auth-Type policy held in radgroupreply.
    sql
    # Reject when the type the request supports is not the one the policy allows.
    if (control:Auth-Type != reply:Auth-Type) {
        reject
    }
}
Upvotes: 0
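As an added example (not part of the answer and not FreeRADIUS's own code), here is what the answer's suggestion looks like in MySQL against the tables posted in the question: the Auth-Type rows are moved out of radgroupcheck into radgroupreply, and a final SELECT shows which reply items the sql module would pick up for varun. The schema is a constructed subset of the FreeRADIUS default schema, the database name radius_demo is assumed, and the closing join is an illustrative query, not the group_reply_query FreeRADIUS actually runs.

```sql
-- Constructed subset of the FreeRADIUS MySQL schema; only the columns
-- shown in the question. Database name radius_demo is an assumption.
CREATE DATABASE IF NOT EXISTS radius_demo;
USE radius_demo;

CREATE TABLE radgroupcheck (
  id        INT UNSIGNED NOT NULL AUTO_INCREMENT,
  groupname VARCHAR(64)  NOT NULL DEFAULT '',
  attribute VARCHAR(64)  NOT NULL DEFAULT '',
  op        CHAR(2)      NOT NULL DEFAULT '==',
  value     VARCHAR(253) NOT NULL DEFAULT '',
  PRIMARY KEY (id)
);
-- radgroupreply has the same shape as radgroupcheck
CREATE TABLE radgroupreply LIKE radgroupcheck;

CREATE TABLE radusergroup (
  username  VARCHAR(64) NOT NULL DEFAULT '',
  groupname VARCHAR(64) NOT NULL DEFAULT '',
  priority  INT         NOT NULL DEFAULT 1
);

-- Rows as posted in the question
INSERT INTO radgroupcheck (id, groupname, attribute, op, value) VALUES
  (1, 'group1',   'Auth-Type', ':=', 'PAP'),
  (2, 'eapgroup', 'Auth-Type', ':=', 'EAP');
INSERT INTO radusergroup (username, groupname, priority) VALUES
  ('varun', 'eapgroup', 1),
  ('varun', 'group1',   2);

-- The answer's change: Auth-Type is a policy carried in the reply list,
-- not a check item that forces what the authenticate section runs.
INSERT INTO radgroupreply (groupname, attribute, op, value)
  SELECT groupname, attribute, op, value
  FROM radgroupcheck
  WHERE attribute = 'Auth-Type';
DELETE FROM radgroupcheck WHERE attribute = 'Auth-Type';

-- Reply items the sql module can add for varun, in group priority order.
-- Illustrative join only; FreeRADIUS uses its own queries from queries.conf.
SELECT g.priority, r.groupname, r.attribute, r.op, r.value
FROM radusergroup AS g
JOIN radgroupreply AS r ON r.groupname = g.groupname
WHERE g.username = 'varun'
ORDER BY g.priority, r.id;
```

One caveat worth checking before relying on the `if` in the answer: the sql module walks a user's groups in priority order and, by default, stops after the first group whose check items match unless that group's reply items set Fall-Through = Yes. With the rows above, varun's reply list would therefore carry only Auth-Type := EAP from eapgroup (priority 1), and a PAP request from varun would be rejected by `control:Auth-Type != reply:Auth-Type`, which is the restriction the answer describes, so the group membership should match the policy you actually intend for each user.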