(RADIATOR) Group checking *only* with AuthBy UNIX?

Hugh Irvine hugh at open.com.au
Wed Jun 15 20:37:06 CDT 2005


Hello Ray -

You don't say what AuthBy clause you are going to use for the  
MSCHAPv2 - can you tell me what you are planning to use?

It would also be useful to see the existing configuration file to be  
able to make sensible suggestions.

regards

Hugh


On 16 Jun 2005, at 10:24, Ray Van Dolson wrote:

> I'm trying to add in some authentication support for a client that is already
> using Radiator.  They use AuthBy UNIX in conjunction with an AuthBy FILE to
> determine group membership of users and return the appropriate reply
> attributes.
>
> However, the authentication I need to set up uses MSCHAPv2 so obviously I
> cannot use UNIX authentication for this since the passwords are not in
> plaintext.
>
> The provisioning scripts this client uses create a Unix account for other
> reasons -- shell, web access, ftp, etc, and also set the group membership
> based on the account type in their billing system.  I'm not keen on changing
> drastically how their process works, so I want to know if I can somehow still
> make use of the user's Unix group membership, without having authentication
> fail because of the non-clear-text password, and make use of the Group
> returned in my reply attributes list.
>
> For example, I have the following entry in their users file:
>
> DEFAULT Auth-Type = System, Group = wirccrc
>         MS-MPPE-Encryption-Policy = Encryption-Required,
>         Acct-Interim-Interval = 300,
>         Ascend-Data-Rate = 4000000,
>         Ascend-Xmit-Rate = 2000000
>
> With the current setup, this will attempt to authenticate against the AuthBy
> block with identifier of System -- which happens to be an AuthBy UNIX block.
> In an ideal world, the authentication succeeds and the user's group membership
> is returned.  If it matches wirccrc, the attributes listed above are returned.
>
> However, since I'm using MSCHAPv2, authentication fails.  Any "default" way to
> bypass the authentication failure and pull in the group for use with the Group
> check attribute?
>
> As far as I understand I can only use Group with AuthBy types of SYSTEM or
> UNIX, so if the above isn't easily possible, some alternate suggestions would
> be appreciated.
>
> Thanks,
> Ray
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

