want to authorise but not authenticate

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Wed Jul 8 11:33:22 CEST 2009


On 8/7/09 10:19, A.L.M.Buxey at lboro.ac.uk wrote:
> hi,
>
> here's one for a wednesday morning.
>
>
> we have a system that we've been doing plain authorizations
> via FreeRADIUS - the device sends the following RADIUS request
>
> username: userid
> password: userid
>
> (ie the system sends the username and makes the password the same)
>
> okay. fair enough....a bit of unlang and a check that if the username = password
> then set the Auth-Type to something false et voila. all okay.
>
>
> it has now been decided to also do authentication via RADIUS
> and this is where things get messy.
>
>
> by removing the Auth-Type kludge, we can successfully authenticate
> a real user with their real password.... however, the authorization
> now fails because the device still sends username/password with
> the password the same as the username - this now hits the
> FreeRADIUS server which cannot find a valid Auth-Type for the user
> and thus fails authentication and therefore sends back a 'blurgh'
> to the box requesting authorization.

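authorize {
	# Attribute on the left, expanded string on the right, so the two values are compared
	if ((User-Name == "%{User-Password}") && "%{ldap:etc...}") {
		update control {
			Auth-Type := 'NULL'
		}
	}
	else {
		# Authentication modules
	}
}

authenticate {
	# Auth-Type sub-sections belong in the authenticate section
	Auth-Type NULL {
		ok
	}
}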

>
> this is to be expected because there is nothing in the request to
> distinguish between an authorization request and an authentication
> request.
>
> so the question is, how do we handle this so that the system can
> send a username=password for authorization AND a proper authentication
> can happen WITHOUT (here's a gotcha) the user doing something cute
> like putting their username in as their password! ;-)

Slightly confused as to what you want... Try again without the caffeine ?

Arran

-- 
Arran Cudbard-Bell <A.Cudbard-Bell at sussex.ac.uk>,
Systems Administrator (AAA),
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


