Re: [Help-gnu-radius] authentication methods

[Sergey Poznyakoff]

> I have some questions about how the GNU Radius server decide to authenticate
> a user.

This process is described in the node 'Operation' of the accompanying
documentation. (See online version at
http://www.gnu.org/software/radius/manual/html_node/radius_12.html#SEC15)

More specifically:

> Do the Radius server decide to authenticate a user based on the "User-Name"
> from the incoming packets?

Username is used as a search key to raddb/users file (after processing
hints and huntgroups -- see above). When looking up an entry in
raddb/users, the order is as follows:

1) Process BEGIN entries (if any). Go to 2 if there are no BEGIN
   entries or reply-pairs of the matched BEGIN entry contained
   Fall-Through=Yes. Otherwise go to 4.
2) If an entry exists that matches the username exactly, process it.
   If its reply-pairs contained Fall-Through=Yes go to 3. Otherwise
   go to 4.
3) Process DEFAULT entries. Each DEFAULT entry is compared against the
   request in order of their appearance in raddb/users. When the entry
   is found which matches the request, it is used for authentication.
4) End.

> Or the Radius server try every authentication methods in turn?
No, it never does.

Regards,
Sergey