<HTML><HEAD>
<META content="text/html; charset=iso-8859-15" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.7600.16671"></HEAD>
<BODY style="MARGIN: 4px 4px 1px; FONT: 10pt Segoe UI">
<DIV>Hey Brian,</DIV>
<DIV> </DIV>
<DIV> Very interesting, I would have thought Authenticate came first then Authorize since you need to authenticate in order to be authorized. If that is the case and say you pull the vlan ids from ldap, or some other directory, how would Freeradius know what those values are prior to knowing who you are? Or are you saying that the way the program loads the config the authorize section simply gets read first?</DIV>
<DIV> </DIV>
<DIV>
<DIV>Brett Littrell</DIV>
<DIV>Network Manager</DIV>
<DIV>MUSD</DIV>
<DIV>CISSP, CCSP, CCVP, MCNE</DIV><BR><BR>>>> On Wednesday, February 02, 2011 at 12:05 AM, in message <20110202080557.GA2368@talktalkplc.com>, Brian Candler <B.Candler@pobox.com> wrote:<BR></DIV>
<TABLE style="MARGIN: 0px 0px 0px 15px; FONT-SIZE: 1em" border=0 bgColor=#f3f3f3>
<TBODY>
<TR>
<TD>
<DIV style="BORDER-LEFT: #050505 1px solid; PADDING-LEFT: 7px">I'd say that's not exactly true, or is not very clear anyway.<BR><BR>(1) freeradius always runs the authorize section first, then the<BR>authenticate section<BR><BR>(2) the authorize section is where you do any sort of database lookups<BR>needed, both to determine the reply attributes to send (in case the user<BR>does authenticate successfully), and at the same time to find any<BR>information needed to perform user authentication, such as the expected<BR>password (Cleartext-Password in the control list)<BR><BR>(3) the authenticate section normally uses that extra info to perform the<BR>authentication. If it fails, the reply attributes are stripped out and a<BR>reject is sent.<BR><BR>Using ntlm_auth is a special case, in that it can authenticate without<BR>knowing the password: it delegates the whole authentication to a different<BR>database.<BR><BR>That's fine, but if you don't have anything in your authorize section then<BR>you'll just be sending back an empty "Access-Accept" without any reply<BR>attributes. In some applications this may be sufficient.<BR><BR>This sort of delegation is rather like proxying, and indeed, you can run IAS<BR>on your AD box and just proxy to it.<BR><BR>IAS has a limitation of 50 RADIUS client IPs (unless you have Windows Server<BR>Enterprise edition), but fortunately each freeradius server you put in front<BR>of it only counts as one client :-)<BR><BR>Regards,<BR><BR>Brian.<BR>-<BR>List info/subscribe/unsubscribe? See <A href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</A><BR></DIV></TD></TR></TBODY></TABLE></BODY></HTML>
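The authorize-then-authenticate order that Brian describes, as an added configuration example (not from either message in the thread, and not FreeRADIUS project code): a users-file entry that supplies both the expected password (control list) and the VLAN reply attributes, next to a FreeRADIUS 2.x virtual-server excerpt showing which section does the lookup and which does the password check. The user name "bob", the password and the VLAN id 100 are constructed values; the file paths assume a default /etc/raddb layout; an LDAP lookup would sit in the same authorize section and is only indicated by a commented-out "ldap" line.

```text
# /etc/raddb/users  (read by the "files" module during authorize)
# Constructed example entry. The check item (:=) lands in the control
# list; the reply items below it land in the reply list.
bob     Cleartext-Password := "example-password"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "100"

# /etc/raddb/sites-enabled/default  (excerpt, FreeRADIUS 2.x syntax)
authorize {
        # Step 1: lookups run here, before anyone has proved who they are.
        # "files" reads the entry above by User-Name and loads
        # control:Cleartext-Password plus the reply Tunnel-* attributes.
        files

        # Pulling the same data from a directory is the same idea,
        # only the module differs (assumed: an "ldap" module configured
        # to map directory attributes to the same lists):
        # ldap

        # "pap" in authorize only sets Auth-Type = PAP when the request
        # carries a User-Password; it compares nothing yet.
        pap
}

authenticate {
        # Step 2: now User-Password is checked against
        # control:Cleartext-Password found in step 1. On failure the
        # server sends Access-Reject and the reply list (the VLAN
        # attributes) is discarded.
        Auth-Type PAP {
                pap
        }
        # Delegating to AD via ntlm_auth needs no stored password, which
        # is why an empty authorize section "works" there but yields an
        # Access-Accept with no VLAN attributes.
}
```

The point to keep in view as a defender is that the reply attributes are assigned by name before the credential is verified; they become meaningful only because the authenticate step rejects the request, and with it the reply list, when the password does not match.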