Re: WebDAV HTTP Auth to RADIUS, possible?
Michael Check wrote:
> On 8/31/06, Michael Check <[EMAIL PROTECTED]> wrote:
>> WebDAV will allow either Basic or Digest (it uses the same HTTP Auth
>> mechanism that Apache provides) so I think it will work. Even with
>> DAV On, you can have AuthType Basic - so my assumption at this point
>> is that it will work. I'll report back to the list.
>
> I'm having difficulty getting Basic authentication done with
> mod_auth_radius.
>
> Here are the http conf directives used:
>
>     AddRadiusAuth 127.0.0.1:1812 testing123 5:3
>     AddRadiusCookieValid 5
>
>     AllowOverride None
>     Options None
>     AuthType Basic
>     AuthName "Calendars"
>     #AuthAuthoritative Off
>     AuthRadiusAuthoritative On
>     AuthRadiusCookieValid 5
>     AuthRadiusActive On
>     require valid-user

Our configuration for Apache 1.3 (but it was for https authentication, not for WebDAV...) was

    AuthAuthoritative on
    AuthRadiusAuthoritative on

As far as I remember, the order of module declaration was also important. We had:

    LoadModule access_module libexec/mod_access.so
    LoadModule radius_auth_module libexec/mod_auth_radius.so
    LoadModule auth_module libexec/mod_auth.so

Hope it will help you

--
Samuel Degrande
LIFL - UMR8022 CNRS - INRIA Futurs - Bat M3
Phone: (33)3.28.77.85.30
USTL - Universite de Lille 1
Fax: (33)3.28.77.85.37
59655 VILLENEUVE D'ASCQ CEDEX - FRANCE
[CA certs: http://igc.services.cnrs.fr/CNRS-Standard/recherche.html ]

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WebDAV HTTP Auth to RADIUS, possible?
Michael Check wrote:
> Is it possible to set up an Apache 1.3 server with WebDAV to
> authenticate to a freeRADIUS? Ideally, I would like to tell the Apache
> directives to look at freeRADIUS for authentication using the
> httpd.conf file. Has anyone ever done this or able to point me in a
> direction? Is it even possible?
>
> We're using freeRadius 1.1.0 on OSX.4, successfully authenticating off
> an Active Directory master.

I don't know a lot about WebDAV, but I think that it uses the classical Apache authentication mechanism, right?

Then, you could use mod_auth_radius (http://www.freeradius.org/mod_auth_radius), or use a PAM authentication + a PAM radius module (http://www.freeradius.org/pam_radius_auth)

--
Samuel Degrande
A small question...
Hello everybody,

I wish you a Merry Christmas.

I have one small question, something I don't understand, and I didn't find any explanation anywhere:

I have something like this:

    --- radiusd.conf
    authorization {
        ...
        etc_smbpasswd
        files
        ...
    }

    --- users
    DEFAULT Auth-Type != MS-CHAP
        .
    DEFAULT Auth=Type == MS-CHAP
        .

In the debug output of radiusd, I see something like:

    rlm_passwd: Added LM-Password: '' to config_items
    rlm_passwd: Added NT-Password: '' to config_items
    rlm_passwd: Added SMB-Account-CTRL-TEXT: '[UX ]' to config_items
    rlm_passwd: Adding "Auth-Type = MS-CHAP"

That's done before the mod_call to 'files'. However, there's no matched entry in 'users'.

What does it mean? Why is Auth-Type not set to MS-CHAP before looking at 'users'?

Is there a doc somewhere that precisely describes how the server chains things? But perhaps it's a big secret, a kind of grail that only radius core developers can touch? :-) However, a public version could be really helpful...

--
Samuel Degrande
EAP-TTLS/PAP and proxying
Hello.

I have one other question concerning proxying, and once again excuse me if I don't use the good terminology.

I use EAP-TTLS/PAP between an 802.1X supplicant and a radius server. I would like to proxy the authentication to another radius server.

So, is it possible to 'decapsulate' the authentication protocol from EAP on the first radius server, and only send user-name/user-password attributes to the central radius server?

(I guess that my question is stupid, but I don't know how to express it in the good way...)

Thanks

--
Samuel Degrande
Re: Configuring a proxied and local authentication
Alan DeKok wrote:
> Samuel Degrande <[EMAIL PROTECTED]> wrote:
>> I don't find a way to add a NAS-Identifier value inside the proxied
>> request, so that B server could check it...
>
> That's because the NAS didn't send it. FreeRADIUS doesn't add one, so...
>
>> I tried:
>>   Proxy-To-Realm := , NAS-Identifier :=
>> and
>>   Proxy-To-Realm := , NAS-Identifier +=
>
> That won't work in the "users" file. You have to set the
> NAS-Identifier in the preproxy_users file.

Works just fine. Thanks a lot!

>> How to configure the A server so that if B rejects the request, then
>> A will check in a local user base (through pam) ?
>
> That's a little harder. The server isn't designed to do that easily.

arghhh... but even if it's not easy, is there a solution? :-)

I did think of a hack, but it's not really a good solution I guess:
- use a pam authentication, and
- write a specific pam_radius module which will first request the remote radius server and then search in the local user base...

> Alan DeKok.

--
Samuel Degrande
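Added example, not part of the thread or of the FreeRADIUS distribution: one way the preproxy_users approach described in the reply above can be laid out on server A, assuming the FreeRADIUS 1.x file layout. The identifier value is a constructed placeholder.

```conf
# --- radiusd.conf on server A (only the relevant settings shown) ---
modules {
    files {
        usersfile = ${confdir}/users
        # File read when "files" is called from the pre-proxy section
        preproxy_usersfile = ${confdir}/preproxy_users
    }
}

pre-proxy {
    # "files" must be listed here, otherwise preproxy_users is never consulted
    files
}

# --- preproxy_users on server A ---
# Same layout as "users": the first line is matched against the incoming
# request, the indented lines are written into the request sent to server B.
# "server-a.example" is a constructed placeholder value.
DEFAULT
        NAS-Identifier := "server-a.example"
```

Because the value is set by A, server B sees it on every request A relays; it identifies the proxy rather than the originating NAS.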
Configuring a proxied and local authentication
Hello.

First, I would like to apologize if my question is really too simple, but I think that I don't exactly understand the configuration philosophy of freeradius.

I did configure one radius server (A) to proxy incoming requests to another radius server (B, this latter one using pam).

First question: I don't find a way to add a NAS-Identifier value inside the proxied request, so that B server could check it...

I tried:
  Proxy-To-Realm := , NAS-Identifier :=
and
  Proxy-To-Realm := , NAS-Identifier +=

(I'm using radtest to check my configuration, perhaps it's the problem?)

Second question: How to configure the A server so that if B rejects the request, then A will check in a local user base (through pam)?

As I said, I'm just perhaps too bad, and did not understand how all this thing works, but please help me anyway :-)

Thanks.

--
Samuel Degrande