0

I've freeradius server which uses MySQL to store the data.

following is my database 

radcheck table
+-----+----------+--------------------+----+--------------+
| id  | username | attribute          | op | value        |
+-----+----------+--------------------+----+--------------+
| 474 | varun    | Cleartext-Password | := | sunshine3003 |
+-----+----------+--------------------+----+--------------+


radreply table
+----+----------+--------------+----+-------+
| id | username | attribute    | op | value |
+----+----------+--------------+----+-------+
|  1 | varun    | Fall-Through | =  | Yes   |
+----+----------+--------------+----+-------+


radgroupcheck table
+----+-----------+-----------+----+-------+
| id | groupname | attribute | op | value |
+----+-----------+-----------+----+-------+
|  1 | group1    | Auth-Type | := | PAP |
|  2 | eapgroup  | Auth-Type | := | EAP   |
+----+-----------+-----------+----+-------+


radusergroup table
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| varun    | eapgroup  |        1 |
| varun    | group1    |        2 |
+----------+-----------+----------+

We have two different clients which uses two different Authentication types with free radius , One uses PAP and sends the Password in User-Password attribute.

and another client user EAP and sends the password in EAP-Message and Message-Authenticator

What i want is, when PAP fails to authenticate or when User-Password attribute is not present it should use EAP as Auth-Type and if EAP and Message-Authenticator are not present in radius attribute it should reply with Access-reject or Authentication failure message.

Any help will be appreciated

Varun Taliyan
  • 1
  • 1
  • 5

1 Answers1

0

You shouldn't set control:Auth-Type manually. This attribute is there so that modules in the authorize section can communicate with the rest of the server the type of authentication that should be run in the authenticate section.

In order to set Auth-Type based on attributes you should list the pap, eap etc... modules in turn in the authorize section, they'll check if the requisite attributes were in the request and determine the correct Auth-Type value.

If you want to make a policy to restrict certain users to certain types of authentication then set Auth-Type in the reply list (radgroupreply table), and check which Auth-Type has been set at the end of the authorize section.

authorize {
    eap
    pap
    sql

    if (control:Auth-Type != reply:Auth-Type) {
        reject
    }
}
Arran Cudbard-Bell
  • 5,912
  • 2
  • 26
  • 48