Use two Auth-Type PAP and EAP with FreeRadius


I have a FreeRADIUS server which uses MySQL to store the data.

Following is my database:

radcheck table
+-----+----------+--------------------+----+--------------+
| id  | username | attribute          | op | value        |
+-----+----------+--------------------+----+--------------+
| 474 | varun    | Cleartext-Password | := | sunshine3003 |
+-----+----------+--------------------+----+--------------+


radreply table
+----+----------+--------------+----+-------+
| id | username | attribute    | op | value |
+----+----------+--------------+----+-------+
|  1 | varun    | Fall-Through | =  | Yes   |
+----+----------+--------------+----+-------+


radgroupcheck table
+----+-----------+-----------+----+-------+
| id | groupname | attribute | op | value |
+----+-----------+-----------+----+-------+
|  1 | group1    | Auth-Type | := | PAP   |
|  2 | eapgroup  | Auth-Type | := | EAP   |
+----+-----------+-----------+----+-------+


radusergroup table
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| varun    | eapgroup  |        1 |
| varun    | group1    |        2 |
+----------+-----------+----------+

We have two different clients which use two different authentication types with FreeRADIUS. One uses PAP and sends the password in the User-Password attribute,

and the other client uses EAP and sends the password in EAP-Message and Message-Authenticator.

What I want is: when PAP fails to authenticate or when the User-Password attribute is not present, it should use EAP as Auth-Type, and if EAP and Message-Authenticator are not present in the RADIUS attributes it should reply with an Access-Reject or authentication failure message.

Any help will be appreciated.


You shouldn't set control:Auth-Type manually. This attribute is there so that modules in the authorize section can communicate to the rest of the server the type of authentication that should be run in the authenticate section.

In order to set Auth-Type based on attributes, you should list the pap, eap, etc. modules in turn in the authorize section; they'll check if the requisite attributes were in the request and determine the correct Auth-Type value.

If you want to make a policy to restrict certain users to certain types of authentication, then set Auth-Type in the reply list (radgroupreply table), and check which Auth-Type has been set at the end of the authorize section.

authorize {
    # Each module inspects the request for its own attributes and sets
    # control:Auth-Type itself; no Auth-Type row is needed in radgroupcheck.
    eap
    # sql must run before pap: pap only sets Auth-Type = PAP when a
    # "known good" password (e.g. Cleartext-Password from radcheck) is
    # already in the control list. sql also loads reply:Auth-Type
    # from radgroupreply.
    sql
    pap

    # Policy: the Auth-Type the modules chose must match the one the
    # user's group permits via radgroupreply.
    if (control:Auth-Type != reply:Auth-Type) {
        reject
    }
}
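To see how the module ordering and the end-of-section check play out for the user in the question, here is a small Python model of that authorize flow (an added example, not FreeRADIUS code). The module behaviour is a simplification of rlm_eap, rlm_pap and rlm_sql; the Message-Authenticator rule is assumed from RFC 3579, and the sample requests and reject reasons are constructed.

```python
def authorize(request, known_good_password, allowed_auth_type,
              order=("eap", "sql", "pap")):
    """Run the listed modules in order, then apply the policy check.

    request:             dict of RADIUS attributes in the Access-Request
    known_good_password: Cleartext-Password from radcheck, or None
    allowed_auth_type:   Auth-Type the user's group sets in radgroupreply
    Returns ("ok", auth_type) or ("reject", reason).
    """
    control, reply = {}, {}
    for module in order:
        if module == "eap" and "EAP-Message" in request:
            # Assumption (RFC 3579): EAP-Message needs a Message-Authenticator
            if "Message-Authenticator" not in request:
                return ("reject", "EAP-Message without Message-Authenticator")
            control["Auth-Type"] = "EAP"
        elif module == "sql":
            # sql loads radcheck into control: and radgroupreply into reply:
            if known_good_password is not None:
                control["Cleartext-Password"] = known_good_password
            reply["Auth-Type"] = allowed_auth_type
        elif module == "pap" and "Auth-Type" not in control:
            # pap claims the request only if User-Password is present AND a
            # known-good password is already in control: (so sql must run first)
            if "User-Password" in request and "Cleartext-Password" in control:
                control["Auth-Type"] = "PAP"
    if "Auth-Type" not in control:
        return ("reject", "no module set Auth-Type")
    if control["Auth-Type"] != reply.get("Auth-Type"):
        return ("reject", "%s not permitted for this user" % control["Auth-Type"])
    return ("ok", control["Auth-Type"])


# Constructed sample requests for the user from the question
PAP_REQUEST = {"User-Name": "varun", "User-Password": "sunshine3003"}
EAP_REQUEST = {"User-Name": "varun", "EAP-Message": b"\x02\x01\x00\x0avarun",
               "Message-Authenticator": b"\x00" * 16}
BAD_EAP_REQUEST = {"User-Name": "varun", "EAP-Message": b"\x02\x01\x00\x0avarun"}

if __name__ == "__main__":
    print(authorize(PAP_REQUEST, "sunshine3003", "PAP"))      # ('ok', 'PAP')
    print(authorize(EAP_REQUEST, "sunshine3003", "EAP"))      # ('ok', 'EAP')
    print(authorize(EAP_REQUEST, "sunshine3003", "PAP"))      # rejected by policy
    print(authorize(BAD_EAP_REQUEST, "sunshine3003", "EAP"))  # rejected, no M-A
    # With pap listed before sql, pap never sees a known-good password,
    # so a PAP client is rejected even though its password is correct.
    print(authorize(PAP_REQUEST, "sunshine3003", "PAP", order=("eap", "pap", "sql")))
```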