Active Directory and authorize section

Brian Candler B.Candler at pobox.com
Wed Feb 2 18:01:40 CET 2011


On Wed, Feb 02, 2011 at 07:23:39AM -0800, Brett Littrell wrote:
> Very interesting, I would have thought Authenticate came first then
> Authorize since you need to authenticate in order to be authorized.

The RADIUS protocol kind of fuzzes the two concepts: an Access-Request is
both a request for authentication and authorization.  An Access-Reject could
mean either that you weren't authenticated, or that you're not authorized
for the service you wanted.

FreeRADIUS runs both sections of its config before sending the reply,
because generally authentication needs some data to authenticate, and that
data normally comes from the same place as the authorization data.

> If that is the case and say you pull the vlan ids from ldap, or some other
> directory, how would Freeradius know what those values are prior to
> knowing who you are?

It knows who you *claim* to be (User-Name), so can use that to look up the
reply attributes.  It doesn't know you actually *are* that person yet, but
it won't send back an Access-Accept until it does.

> Or are you saying that the way the program loads
> the config the authorize section simply gets read first?

The authorize section gets executed first; I don't think it makes any
difference what order you put them in the config file.

Regards,

Brian.
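The flow Brian describes, written out as a FreeRADIUS 3.x configuration fragment. This is an added illustration, not code from the post or from the FreeRADIUS project. It assumes rlm_ldap is enabled, that the directory stores VLAN assignments in the radiusTunnel* attributes of the FreeRADIUS LDAP schema, and that the server hostname, base DN and virtual server name shown are placeholders. The authorize section searches the directory by the claimed User-Name and stages the Tunnel-* reply attributes; the authenticate section then proves the claim with an LDAP bind; and the REJECT path filters the reply so an Access-Reject never carries the staged VLAN data.

```unlang
#  Added illustration, not from the original post or the FreeRADIUS project.
#  Assumes FreeRADIUS 3.x with rlm_ldap and a directory that holds VLAN data
#  in the radiusTunnel* attributes of the FreeRADIUS LDAP schema (assumed).

#  --- mods-available/ldap (fragment) -----------------------------------
ldap {
    server  = 'ldap.example.org'              # assumed hostname
    base_dn = 'ou=people,dc=example,dc=org'   # assumed base DN
    user {
        base_dn = "${..base_dn}"
        #  The search key is the *claimed* identity carried in the request.
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    update {
        #  Copy the matched entry's VLAN assignment into the reply list.
        #  These are staged now but only leave the server on Access-Accept.
        reply:Tunnel-Type             := 'radiusTunnelType'
        reply:Tunnel-Medium-Type      := 'radiusTunnelMediumType'
        reply:Tunnel-Private-Group-Id := 'radiusTunnelPrivateGroupId'
    }
}

#  --- sites-available/vlan-example (fragment) --------------------------
server vlan-example {
    authorize {
        #  1. Runs first: look the user up by User-Name and stage the reply
        #     attributes.  "notfound" means no such account exists.
        ldap
        if (notfound) {
            reject
        }
        #  2. Choose a method: bind to LDAP as the user when a cleartext
        #     password was supplied with the request.
        if ((ok || updated) && &User-Password) {
            update control {
                &Auth-Type := LDAP
            }
        }
    }

    authenticate {
        #  3. Runs second: the bind proves the claim looked up in authorize.
        #     A failed bind rejects the request as a whole.
        Auth-Type LDAP {
            ldap
        }
    }

    post-auth {
        #  4. Only a successful bind reaches the Access-Accept path with the
        #     staged Tunnel-* attributes still in the reply list.
        Post-Auth-Type REJECT {
            #  Strip everything the RFCs do not permit in an Access-Reject,
            #  so a rejected request never reveals the account's VLAN.
            attr_filter.access_reject
        }
    }
}
```

Running the server with `radiusd -X` and sending a request whose password is wrong shows the point of the thread: the debug output lists the Tunnel-* attributes being added during authorize, then the bind failure in authenticate, and the attributes are removed before the Access-Reject is sent.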
