Re: sql - Replacing User-Password (FreeRADIUS Users)
TZieleniewski wrote:
> the authorize section is the section which defines procedures
> responsible for granting a user an access to specific type of service.
> For instance if we use sql or files module in authorize section we can
> intuitively imagine that they do some checks about user data.
> For instance checks if data are present in the users file or in the
> database.

yes

> And then in the authentication section they are for instance
> authenticate with the pap module which makes the verification between the
> data received from access packet and those taken from the users file or
> database.

yes

> but there is another situation a little bit confusing when we for
> instance call the chap, mschap or ldap modules in the authorize section
> and then in the authenticate section. Does it work this way that somehow
> those modules know that they are invoked in different phases (authorize,
> authenticate)

Yes.

Taking e.g. "mschap" as an example - during the "authorize" phase, the module looks at the request and does this:

* IF the ms-chap-challenge and ms-chap-response attributes exist
* THEN set Auth-Type = MS-CHAP

During the "authenticate" phase it says:

* Get ms-chap-challenge
* Get User-Password from "config" items
* Compute correct response
* If correct == ms-chap-response: ...

> and perform different operations according to the needs?? Or for
> instance the digest module what does the authorize section really do??
> Does it take any data from the users file ?? Or it just check the data
> format and stuff??
> for instance
>
> authorize {
>     preprocess
>     chap
>     mschap
> }
>
> authenticate {
>     authtype PAP {
>         pap
>     }
>     authtype CHAP {
>         chap
>     }
>     authtype MS-CHAP {
>         mschap
>     }
> }
>
> I can really get the filling of those authtype declarations in the authenticate section
> I'm sure that few words of explanation will make me to understand everything.

Basically, the *algorithm* modules just check to see if they're applicable to a request during authorize.

If they are applicable they arrange to run themselves again during authenticate, *after* data for authentication has been added to the request.

Hope that helps

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
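The two-phase flow described in the reply above, as an added example that is not part of the original thread or FreeRADIUS code: a small Python model in which algorithm modules only set Auth-Type during authorize and do the verification during authenticate. It uses CHAP (RFC 1994, MD5) in place of MS-CHAP to stay within the standard library; the user store, function names and sample requests are constructed for illustration.

```python
import hashlib
import hmac

USERS = {"alice": "s3cret"}  # constructed stand-in for the users file / sql table

def chap_response(chap_id, password, challenge):
    # RFC 1994 CHAP: MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()

def chap_authorize(request, config):
    # Algorithm module: only checks applicability, never looks up user data.
    if "CHAP-Password" in request and "Auth-Type" not in config:
        config["Auth-Type"] = "CHAP"

def pap_authorize(request, config):
    if "User-Password" in request and "Auth-Type" not in config:
        config["Auth-Type"] = "PAP"

def files_authorize(request, config):
    # Data module: adds the known-good password to the "config" items.
    password = USERS.get(request.get("User-Name"))
    if password is not None:
        config["User-Password"] = password

def chap_authenticate(request, config):
    ident, response = request["CHAP-Password"][0], request["CHAP-Password"][1:]
    expected = chap_response(ident, config["User-Password"], request["CHAP-Challenge"])
    return hmac.compare_digest(expected, response)

def pap_authenticate(request, config):
    return hmac.compare_digest(request["User-Password"].encode(), config["User-Password"].encode())

AUTHORIZE = [chap_authorize, pap_authorize, files_authorize]  # authorize { ... }
AUTHENTICATE = {"CHAP": chap_authenticate, "PAP": pap_authenticate}  # authtype X { ... }

def handle(request):
    config = {}
    for module in AUTHORIZE:
        module(request, config)
    handler = AUTHENTICATE.get(config.get("Auth-Type"))
    # No applicable algorithm, or no stored password to compare against: reject.
    if handler is None or "User-Password" not in config:
        return "Access-Reject"
    return "Access-Accept" if handler(request, config) else "Access-Reject"

def make_chap_request(user, password, challenge=b"\x01" * 16, chap_id=7):
    # Constructed sample request; CHAP-Password is 1 ident byte + 16-byte MD5.
    response = chap_response(chap_id, password, challenge)
    return {"User-Name": user, "CHAP-Challenge": challenge, "CHAP-Password": bytes([chap_id]) + response}
```

Each authtype block in the authenticate section corresponds to one entry in the `AUTHENTICATE` table: only the module matching the Auth-Type chosen during authorize runs.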