Help to understand how FreeRADIUS works and works ...
Help to understand how FreeRADIUS works and works ...
Under the cut my observations and considerations.
Once upon a time, I successfully set up freeradius + freenibs on manuals, especially not understanding what it does and how it works.
Now there is an inverse problem :)
Analyzing the radius config, and delving into its structure, I understood the following:
(correct me in the places where I am mistaken)
So a number of questions arise:
')
I would be grateful for any comments and clarifications on how freerius works.
Maybe, based on the results of understanding all this, I will write an article in my head.
Under the cut my observations and considerations.
Once upon a time, I successfully set up freeradius + freenibs on manuals, especially not understanding what it does and how it works.
Now there is an inverse problem :)
Analyzing the radius config, and delving into its structure, I understood the following:
(correct me in the places where I am mistaken)
1) The radius of almost every sneeze has a module that performs one or more of the following things at once: authentication, authorization, accounting, and a few more rare actions.
2) modules, although they have the same interface to the program, serve different purposes
3) The radius config consists of several parts, such as:
modules {} - setting module parameters
authorize {}
authenticate {}
accounting {}
and a few less important ones.
4) depending on which part (authorize, authenticate, accounting) the module name stands in - its corresponding function is called ... Ie the module can also act as an authenticator, and an authorizer, and also be engaged in accounting.
So a number of questions arise:
1) What is the difference between authorize and authenticate. what action do the modules described respectively in each of them.
2) there are modules pap, chap, mschap - I do not understand where they get the data for authentication? and whether they generally do user authentication. or all the same authorization? I confuse these concepts.
3) actually, from where did the need arise to deal with the radius: you need to do external authentication through a third-party program. it is known that she needs to give a login to the input, and a user password, and at the output she will work as a radius module - will return 0, 1, ... and attribute pairs. For this, I found the exec module - but for some reason the simplest program in the body of which only int main (...) {exit (0);} does not authorize users.
')
I would be grateful for any comments and clarifications on how freerius works.
Maybe, based on the results of understanding all this, I will write an article in my head.
Source: https://habr.com/ru/post/51882/
All Articles