Florian Prester <Florian.Prester@rrze.uni-erlangen.de> wrote:
1.) in the users-file, I can only check for attributes provided by the request - correct?
Yes.
2.) in the users-file, if an entry matches all check-attributes, I can specify an Auth/Autz-Type - correct?
Yes.
3.) in the users-file, if I do not specify the Auth/Autz-Type the radius is taken the requested Type automatically - correct?
Sort of. The type may be set from another module.
4.) Authentication is comparing a password - correct?
No. Authentication is validating credentials. e.g. an EAP-TLS client certificate. No password is required.
5.) Authorization is even if a password is correct, the user may not use/do something - correct?
Yes.
6.) Authorization is done by providing appropriate reply-attributes - correct?
Sort of. Since there are multiple machines involved, there are multiple kinds of authorization. The server may decide you're not authorized to use that NAS, and reject you. Or, it may decide you're authorized, but you're only authorized to do certain things. So it returns reply attributes that tell the NAS to apply authorization rules. The NAS may then decide it doesn't like the servers response, and stil reject you.
I want to replay attributes according th some other information stored in LDAP - how can I do such a thing, like: IF ldap-attribute::xy == valid_1 THEN RETURN ldap-attribute::IP-good, ELSIF dap-attribute::xy == valid_2 THEN RETURN ldap-attribute::IP-better, ELSE RETURN ldap-attribute::IP-bad
Hmm... the first thing that comes to mind is the Perl module. Alan DeKok.