Re: WebDAV HTTP Auth to RADIUS, possible?

2006-09-01 Thread Samuel Degrande

Michael Check wrote:

On 8/31/06, Michael Check <[EMAIL PROTECTED]> wrote:

WebDAV will allow either Basic or Digest (it uses the same HTTP Auth
mechanism that Apache provides) so I think it will work.  Even with
DAV On, you can have AuthType Basic - so my assumption at this point
is that it will work.  I'll report back to the list.


I'm having difficulty getting Basic authentication done with 
mod_auth_radius


Here is the http conf directives used:



AddRadiusAuth 127.0.0.1:1812 testing123 5:3

AddRadiusCookieValid 5






   AllowOverride None
   Options None

   AuthType Basic
   AuthName "Calendars"
#AuthAuthoritative Off
   AuthRadiusAuthoritative On
   AuthRadiusCookieValid 5
   AuthRadiusActive On

   require valid-user
   

   


Our configuration for Apache 1.3 (but it was for https authentication, 
not for WebDAV...) was


AuthAuthoritative on
AuthRadiusAuthoritative on


As far as I remember the order of module declaration was also important. 
We had :


LoadModule access_module libexec/mod_access.so
LoadModule radius_auth_module libexec/mod_auth_radius.so
LoadModule auth_module libexec/mod_auth.so


Hope it will help you

--
Samuel Degrande   LIFL - UMR8022 CNRS - INRIA Futurs - Bat M3
Phone: (33)3.28.77.85.30  USTL - Universite de Lille 1
Fax:   (33)3.28.77.85.37  59655 VILLENEUVE D'ASCQ CEDEX - FRANCE
[CA certs: http://igc.services.cnrs.fr/CNRS-Standard/recherche.html ]


List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
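
Added example, not part of the original thread and not mod_auth_radius code: it shows what the configuration above puts on each hop, namely a base64-encoded password in the HTTP Basic header and a User-Password attribute masked only by MD5 keyed with the shared secret. It assumes the module forwards the credential as a PAP Access-Request using RFC 2865 section 5.2 hiding; the user name and password are constructed sample values.

```python
import base64
import hashlib
import os
import struct

# Constructed samples; "testing123" is the secret shown in the thread's config.
SAMPLE_SECRET = b"testing123"
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:correct horse battery").decode()

def _mask(data, secret, authenticator, chain_on_output):
    """XOR 16-byte blocks with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, key))
        out += res
        prev = res if chain_on_output else block  # always chain on ciphertext
    return out

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: NUL-pad to a multiple of 16 (at least 16), then mask."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    size = max(16, -(-len(password) // 16) * 16)
    return _mask(password.ljust(size, b"\x00"), secret, authenticator, True)

def reveal_password(hidden, secret, authenticator):
    """What the RADIUS server, or anyone else holding the secret, recovers."""
    return _mask(hidden, secret, authenticator, False).rstrip(b"\x00")

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def access_request_from_basic(header, secret, ident=1, authenticator=None):
    """Turn an HTTP Basic Authorization value into a PAP Access-Request."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, sep, password = base64.b64decode(blob, validate=True).partition(b":")
    if not sep:
        raise ValueError("malformed Basic credential")
    if authenticator is None:
        authenticator = os.urandom(16)  # must be unpredictable per request
    # Attribute 1 = User-Name, attribute 2 = User-Password; code 1 = Access-Request
    attrs = _attr(1, user) + _attr(2, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
```

Because the masking key is derived only from the shared secret and the request authenticator, a default secret such as testing123 protects nothing beyond a loopback RADIUS hop, and the Basic header itself needs TLS on the HTTP side.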

Re: WebDAV HTTP Auth to RADIUS, possible?

2006-08-30 Thread Samuel Degrande

Michael Check wrote:

Is it possible to set up an Apache 1.3 server with WebDAV to
authenticate to a freeRADIUS?

Ideally, I would like to tell the Apache directives to look at
freeRADIUS for authentication using the httpd.conf file.

Has anyone ever done this or able to point me in a direction?  Is it
even possible?

We're using freeRadius 1.1.0 on OSX.4, successfully authenticating
off an Active Directory master.



I don't know a lot about WebDAV, but I think that it uses the classical
Apache authentication mechanism, right?

Then, you could use mod_auth_radius 
(http://www.freeradius.org/mod_auth_radius),
or use a PAM authentication + a PAM radius module 
(http://www.freeradius.org/pam_radius_auth)


--
Samuel Degrande   LIFL - UMR8022 CNRS - INRIA Futurs - Bat M3
Phone: (33)3.28.77.85.30  USTL - Universite de Lille 1
Fax:   (33)3.28.77.85.37  59655 VILLENEUVE D'ASCQ CEDEX - FRANCE
[CA certs: http://igc.services.cnrs.fr/CNRS-Standard/recherche.html ]



A small question...

2005-12-29 Thread Samuel Degrande

Hello everybody, I wish you a Merry Christmas.

I have one small question, something I don't understand, and I didn't
find any explanation anywhere:

I have something like this :

--- radiusd.conf

authorization {
...
etc_smbpasswd
files
...
}

--- users

DEFAULT Auth-Type != MS-CHAP .
DEFAULT Auth-Type == MS-CHAP .


In the debug output of radiusd, I see something like :

rlm_passwd: Added LM-Password: '' to config_items 
rlm_passwd: Added NT-Password: '' to config_items 
rlm_passwd: Added SMB-Account-CTRL-TEXT: '[UX ]' to config_items 
rlm_passwd: Adding "Auth-Type = MS-CHAP"


That's done before the mod_call to 'files'. However, there's no matched entry
in 'users'. 


What does it mean? Why is Auth-Type not set to MS-CHAP before
looking at 'users'?


Is there a doc somewhere that precisely describes how the server chains things?
But perhaps it's a big secret, a kind of grail that only
radius core developers can touch? :-) However, a public version could be
really helpful...

--
Samuel Degrande   LIFL - UMR8022 CNRS - INRIA Futurs - Bat M3
Phone: (33)3.28.77.85.30  USTL - Universite de Lille 1
Fax:   (33)3.28.77.85.37  59655 VILLENEUVE D'ASCQ CEDEX - FRANCE
[CA certs: http://igc.services.cnrs.fr/CNRS-Standard/recherche.html ]



EAP-TTLS/PAP and proxying

2005-12-05 Thread Samuel Degrande

Hello.

I have one other question concerning proxying, and once again
excuse me if I don't use the right terminology.

I use EAP-TTLS/PAP between an 802.1X supplicant and a radius
server. I would like to proxy the authentication to another
radius server. So, is it possible to 'decapsulate' the authentication
protocol from EAP on the first radius server, and only send
user-name/user-password attributes to the central radius server?

(I guess that my question is stupid, but I don't know how
to express it in the right way...)

thanks

--
Samuel Degrande   LIFL - UMR8022 CNRS - INRIA Futurs - Bat M3
Phone: (33)3.28.77.85.30  USTL - Universite de Lille 1
Fax:   (33)3.28.77.85.37  59655 VILLENEUVE D'ASCQ CEDEX - FRANCE
[CA certs: http://igc.services.cnrs.fr/CNRS-Standard/recherche.html ]



Re: Configuring a proxied and local authentication

2005-12-02 Thread Samuel Degrande

Alan DeKok wrote:

Samuel Degrande <[EMAIL PROTECTED]> wrote:


I don't find a way to add a NAS-Identifier value inside the proxied
request, so that B server could check it...



  That's because the NAS didn't send it.  FreeRADIUS doesn't add one,
so...



I tried:
 Proxy-To-Realm := , NAS-Identifier := 
and
 Proxy-To-Realm := , NAS-Identifier += 



  That won't work in the "users" file.  You have to set the
NAS-Identifier in the preproxy_users file.


works just fine. thanks a lot !





How to configure the A server so that if B rejects the request, then
A will check in a local user base (through pam) ?



  That's a little harder.  The server isn't designed to do that easily.



arghhh... but even if it's not easy, is there a solution ? :-)

I did think of a hack, but it's not really a good solution I guess :
- use a pam authentication, and
- write a specific pam_radius module which will first request
 the remote radius server and then search in the local user base...



  Alan DeKok.




--
Samuel Degrande   LIFL - UMR8022 CNRS - INRIA Futurs - Bat M3
Phone: (33)3.28.77.85.30  USTL - Universite de Lille 1
Fax:   (33)3.28.77.85.37  59655 VILLENEUVE D'ASCQ CEDEX - FRANCE
[CA certs: http://igc.services.cnrs.fr/CNRS-Standard/recherche.html ]



Configuring a proxied and local authentication

2005-12-02 Thread Samuel Degrande

Hello.

First, I would like to apologize if my question is really too simple,
but I think that I don't exactly understand the configuration philosophy
of freeradius.

I did configure one radius server (A) to proxy incoming requests to another
radius server (B, the latter using pam).

First question:
I don't find a way to add a NAS-Identifier value inside the proxied
request, so that B server could check it...

I tried:
 Proxy-To-Realm := , NAS-Identifier := 
and
 Proxy-To-Realm := , NAS-Identifier += 

(I'm using radtest to check my configuration, perhaps it's the problem?)


Second question:

How to configure the A server so that if B rejects the request, then
A will check in a local user base (through pam) ?


As I said, I'm just perhaps too bad, and did not understand how all this
thing works, but please help me anyway :-) 


Thanks.

--
Samuel Degrande   LIFL - UMR8022 CNRS - INRIA Futurs - Bat M3
Phone: (33)3.28.77.85.30  USTL - Universite de Lille 1
Fax:   (33)3.28.77.85.37  59655 VILLENEUVE D'ASCQ CEDEX - FRANCE
[CA certs: http://igc.services.cnrs.fr/CNRS-Standard/recherche.html ]

