System flow - a typical request

This article explains the internal flow of an authentication request made by a Firewall, typically a VPN login. Please note that this is a logical explanation. No configuration is explained here.

System setup

The system is set up to listen for authentication requests from a defined firewall on port 1812. A single PhenixID server node will handle all authentication.

Deployed modules apart from the default modules are the RADIUS module, in order to communicate with the firewall.

Request - Response

The request is sent from the firewall to the PhenixID server with the request to authenticate the user. Within the request the user has provided their user name and password. The RADIUS module accepts the request and translates the request from a RADIUS format to an internal format. Since no data validation/user authentication is done at RADIUS module, the translated request is sent down to the event/message bus with the target of "data manipulation" module, PIPES (com.phenixidentity~phenix-pipes).

Once the request is put on the event bus the RADIUS module is ready to serve the next external request from any client.

The PIPES module receives the translated request and handles it according to current configuration. On the end of execution, PIPES module responds to the requestor with OK/NO OK depending of the outcome. Additional data may also be added to the response. The response is most often send back to the original requestor, the FW in this case.

The RADIUS module interprets the response from PIPES module and act accordingly, sends accept/reject to the FW in this case.


Request - Response