
doc: some tweaks

jpereira authored and alandekok committed Aug 7, 2019
1 parent 169bfeb commit 6127ac07cad33348d5af9e623faa8db034775af7
Showing with 21 additions and 24 deletions.
  1. +14 −14 doc/introduction/aaa.adoc
  2. +0 −3 doc/introduction/home.adoc
  3. +7 −7 doc/upgrade/README.adoc
@@ -28,12 +28,12 @@ the ability to use that kind of authentication.

Authentication is simply a process of comparing user’s credentials in
request with credentials stored in database. Authentication usually
deals with password encryption. PAP, CHAP, MS-CHAP are authentication
deals with password encryption. `PAP`, `CHAP`, `MS-CHAP` are authentication
modules. Few modules act as both authorization and authentication. For
example, the MS-CHAP module is normally authentication only, but it may
be used during authorization to verify that request contains MS-CHAP
related attribute and only in this case perform MS-CHAP based
authentication. LDAP is normally an authorization module, but it may be
example, the `MS-CHAP` module is normally authentication only, but it may
be used during authorization to verify that request contains `MS-CHAP`
related attribute and only in this case perform `MS-CHAP` based
authentication. `LDAP` is normally an authorization module, but it may be
used for authentication (In this case FreeRADIUS will authenticate user
in case he can connect to LDAP server with his account). SQL is only an
authorization module, as dial-in users are not normally given passwords
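Review bot: while these lines are being touched for monospace formatting, the grammar in the same paragraph should be fixed in the same pass. "comparing user's credentials in request with credentials stored in database" needs its articles ("comparing the user's credentials in the request with the credentials stored in the database"); "Few modules act as both authorization and authentication" should read "A few modules act as both"; and "FreeRADIUS will authenticate user in case he can connect to LDAP server with his account" reads better as "FreeRADIUS authenticates the user if the user can bind to the LDAP server with their own credentials". Also "verify that request contains `MS-CHAP` related attribute" should be "verify that the request contains `MS-CHAP` related attributes".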
@@ -43,7 +43,7 @@ to access an SQL server.

During authorization and authentication processes, there are 3 lists of
RADIUS attributes supported by FreeRADIUS: request items, config items
and reply items. (See `man 5 users' for additional information.)
and reply items. (See `man 5 users` for additional information.)
Attributes from the RADIUS authentication request packet are included
into request items list. Both authorization and authentication modules
can add attributes into reply items list. These attributes will be added
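Review bot: the backtick fix is correct (AsciiDoc monospace needs matching backticks, so `man 5 users' would have rendered a stray quote), but "the RADIUS authentication request packet" should be named as the Access-Request so that it lines up with the `recv Access-Request` section name this same commit introduces in doc/upgrade/README.adoc; "3 lists" would also read better spelled out as "three lists".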
@@ -55,11 +55,11 @@ Before authorization begins FreeRADIUS creates request items list with
attributes from request and empty config and reply lists.

An authorization module searches a database with attributes
(e.g. User-Name) taken from request list as a key, and fetches all
(e.g. `User-Name`) taken from request list as a key, and fetches all
relevant records. It retrieves 3 types of attributes: check attributes,
configure attributes and reply attributes. It compares the check
attributes with attributes from request items. If none of database
record for this User-Name matches in check attributes with request items
record for this `User-Name` matches in check attributes with request items
authorization will fail. If a matching record is found, then the
configure attributes will be added to configure items, and the reply
attributes will be added to reply items list. The check list may be
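Review bot: the sentence "If none of database record for this `User-Name` matches in check attributes with request items authorization will fail" is ungrammatical; suggest "If no database record for this `User-Name` has check attributes that match the request items, authorization fails." The terminology for the second list is also inconsistent within this file: this hunk says "configure attributes" and "configure items", while the next hunk uses "config items list" and "Config items"; pick one name (config items) and use it throughout.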
@@ -68,27 +68,27 @@ services (for example to treat User1 from NAS1 and User1 from NAS2 as
different users).

There should be at list one configure attribute provided by
authorization module, called Auth-Type (since this attribute is from
authorization module, called `Auth-Type` (since this attribute is from
config items list it can’t be in request or reply). This attribute
decides which module will be used to authenticate the user. The Config
items also contains information from database required to authenticate
user, for example valid user’s password or it’s hash, login
restrictions, etc.

A quite common mistake is to place the attributes in the wrong lists,
for example placing Auth-Type, Password, NT-Password etc in the check
for example placing `Auth-Type`, `Password`, `NT-Password` etc in the check
list, or in the reply list. When run in debugging mode, the server will
normally issue `WARNING' messages saying that the attributes are in the
normally issue `WARNING` messages saying that the attributes are in the
wrong list.

If you place Password into check list and user does cleartext
authentication it may work, because authorization module compares 2
cleartext passwords. But if user does some encrypted authentication (for
example MS-CHAP), then the authorization will fail, because the Password
example `MS-CHAP`), then the authorization will fail, because the Password
in the request items will not match the password in the check
attributes. You should place Password attribute obtained from database
into configure items and also place Auth-Type attribute with value of
`MS-CHAP' into same list. The same goes for NT-Password (before calling
MS-CHAP Password attribute should be converted to NT-Password, it may be
`MS-CHAP` into same list. The same goes for `NT-Password` (before calling
`MS-CHAP` Password attribute should be converted to `NT-Password`, it may be
achieved by calling mschap module in authorization section after module
which does actual authorization).
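Review bot: "There should be at list one configure attribute" should read "at least one config attribute", "it's hash" should be "its hash", and "compares 2 cleartext passwords" should be "compares two cleartext passwords". More importantly, the text names `Auth-Type` and `NT-Password` exactly but refers throughout to a generic "Password" attribute ("placing `Auth-Type`, `Password`, `NT-Password` etc in the check list", "place Password attribute obtained from database into configure items"); since the whole point of this passage is that the server warns when an attribute is in the wrong list, the cleartext password attribute should be given by its real name so readers can match it against the `WARNING` messages. Finally, "calling mschap module in authorization section" contradicts the upgrade README in this same commit, which says packet processing sections are now `recv Access-Request`, not `authorize`; either update the section name here or note that this describes the v3 layout.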
@@ -5,6 +5,3 @@ List with some articles related to RADIUS.
## Topics

* link:aaa.adoc[AAA]
// Copyright (C) 2019 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
// Development of this documentation was sponsored by Network RADIUS SAS.
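Review bot: this removes the copyright and sponsorship notice from home.adoc without a replacement, and the commit message ("doc: some tweaks") does not say why. If the notice has moved to a shared location, say so in the message; otherwise the licence attribution (CC-by-NC 4.0) should stay in the file.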
@@ -10,11 +10,11 @@ contain a step-by-step process for upgrading the server.
In general, we have the following changes:

* most module configuration is very close to v3.
* most of the `+unlang+` processing is very close to v3.
* each `+server+` section need a `+namespace+` parameter.
* Packet processing sections are now `+recv Access-Request+`, etc. Not
`+authorize+`, etc.
* each `+listen+` section needs to be converted to the v4 format.
* most of the `unlang` processing is very close to v3.
* each `server` section need a `namespace` parameter.
* Packet processing sections are now `recv Access-Request`, etc. Not
`authorize`, etc.
* each `listen` section needs to be converted to the v4 format.
== Upgrading from older versions

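Review bot: "each `server` section need a `namespace` parameter" should read "needs". Also, the "== Upgrading from older versions" heading follows the last list item with no blank line between them; in AsciiDoc a line directly after a list item continues that item, so the heading is at risk of being rendered as part of the `listen` bullet. Add a blank line after "* each `listen` section needs to be converted to the v4 format." Dropping the `+...+` passthrough markers is fine here since none of these terms contain characters that need substitution suppressed.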
@@ -24,8 +24,8 @@ When upgrading, please start with the default configuration of v4. Then,
move your v3 configuration over, one module at a time. Check this file
for differences in module configuration, and update the module to use
the new configuration. Start the server after every change via
`+radiusd -XC+` to see if the configuration is OK. Then, convert the
`+listen+` sections, followed by the `+server+` sections.
`radiusd -XC` to see if the configuration is OK. Then, convert the
`listen` sections, followed by the `server` sections.

Take your time. It is better to make small incrementatal progress, than
to make massive changes, and then to spend weeks debugging it.
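Review bot: the paragraph being edited still carries the typo "incrementatal" in "It is better to make small incrementatal progress"; fix it to "incremental" in the same pass. The `radiusd -XC` change itself is fine and consistent with the `listen` and `server` monospace style used in the earlier hunk of this file.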
