|
I'd say that's not exactly true, or is not very clear anyway. (1) freeradius always runs the authorize section first, then then authenticate section (2) the authorize section is where you do any sort of database lookups needed, both to determine the reply attributes to send (in case the user does authenticate successfully), and at the same time to find any information needed to perform user authentication, such as the expected password (Cleartext-Password in the control list) (3) the authenticate section normally uses that extra info to perform the authentication. If it fails, the reply attributes are stripped out and a reject is sent. Using ntlm_auth is a special case, in that it can authenticate without knowing the password: it delegates the whole authentication to a different database. That's fine, but if you don't have anything in your authorize section then you'll just be sending back an empty "Access-Accept" without any reply attributes. In some applications this may be sufficient. This sort of delegation is rather like proxying, and indeed, you can run IAS on your AD box and just proxy to it. IAS has a limitation of 50 RADIUS client IPs (unless you have Windows Server Enterprise edition), but fortunately each freeradius server you put in front of it only counts as one client :-) Regards, Brian. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html |