
I am using PrivacyIDEA's implementation of FreeRADIUS to send authentication requests to PrivacyIDEA. However, I'd like to locally authenticate a specific user if the request comes in. I've modified the users file to include the user and user password and modified the site configuration to include the files module. However, FreeRADIUS is still passing the request on to PrivacyIDEA. What am I missing here?

Debug output is here (Site wouldn't let me post it here): https://pastebin.com/raw/WAsXx4gN

Site Configuration

server {
    authorize {
        files
        update request {
            # Add the Packet Src IP to the request as client fallback
            Packet-Src-IP-Address = "%{Packet-Src-IP-Address}"
        }
        perl-privacyidea
        if (ok || updated) {
            update control {
                Auth-Type := Perl
            }
        }
    }
    listen {
        type = auth
        ipaddr = 10.97.11.51
        port = 1812
    }
    listen {
        type = acct
        ipaddr = 10.97.11.51
        port = 0
    }
    authenticate {
        files
        Auth-Type perl {
            perl-privacyidea
        }
        digest
    }
    accounting {
        detail
    }
}

1 Answer

This is quite a good read: https://wiki.freeradius.org/guide/Concepts

During the authorize section FreeRADIUS will determine if the request should be handled and how the user should be authenticated. The authorize section will always set the Auth-Type to Perl.

So we need to modify the authorize section and act accordingly in the authenticate section.

This could probably be optimized:

authorize {
    files
    if (ok) {
        # This means the user was found in "files" and the request should be handled accordingly
        update control {
            Auth-Type := F
        }
        ...
    } else {
        # Not a local user: let the privacyIDEA perl module decide
        perl-privacyidea
        if (ok || updated) {
            update control {
                Auth-Type := Perl
            }
        }
    }
}

This way we will either leave the authorize section with the Auth-Type set to "F" or to "Perl".

We then can use this in the authenticate section:

authenticate {
    Auth-Type F {
        # In case of F, authenticate the user by files
        files
    }
    Auth-Type Perl {
        perl-privacyidea
    }
}

This should give you the basic idea; it might need some tweaking. But a request from a user authenticated by files should now not be passed to privacyIDEA.

cornelinux
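One way to realise that split with the stock FreeRADIUS 3 modules, as an added example that is not part of the answer or of privacyIDEA's shipped configuration: files loads the local user's password from raddb/users, and pap (assumed to be enabled under mods-enabled, as it is by default) sets Auth-Type := PAP for that user, so no custom Auth-Type value is needed. The account name localadmin and its password are constructed placeholders.

```unlang
# raddb/users (constructed entry for the one account that must not go to privacyIDEA)
localadmin    Cleartext-Password := "CHANGE-ME-LOCAL-PASSWORD"
              Reply-Message := "authenticated locally"

# raddb/sites-enabled/privacyidea (same listener as in the question)
server privacyidea {
    listen {
        type = auth
        ipaddr = 10.97.11.51
        port = 1812
    }
    authorize {
        # files returns "ok" only when an entry matched; as a side effect it
        # copies Cleartext-Password into the control list. It never sets Auth-Type.
        files
        if (ok) {
            # Local account: pap sees a User-Password plus a known password
            # attribute and sets Auth-Type := PAP, so the perl module is skipped.
            pap
        }
        else {
            update request {
                # Add the Packet Src IP to the request as client fallback
                Packet-Src-IP-Address = "%{Packet-Src-IP-Address}"
            }
            perl-privacyidea
            if (ok || updated) {
                update control {
                    Auth-Type := Perl
                }
            }
        }
    }
    authenticate {
        # Local users: compare User-Password with the password files loaded.
        Auth-Type PAP {
            pap
        }
        # Everyone else: OTP/second factor via privacyIDEA.
        Auth-Type Perl {
            perl-privacyidea
        }
    }
}
```

Two checks before relying on the `if (ok)` branch: the users file must contain no DEFAULT entries (they match every request, so files would return "ok" for everyone and nobody would reach privacyIDEA), and raddb/users should be readable only by the radius user, or the entry should carry a hashed form such as Crypt-Password or SSHA-Password, which pap also verifies, instead of Cleartext-Password.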