Thank you for your answer, I try to specify my problem mor clearly. Phil Mayers wrote:
Florian Prester wrote:
Hi,
1.) in the users-file, I can only check for attributes provided by the request - correct?
I think so
ok
2.) in the users-file, if an entry matches all check-attributes, I can specify an Auth/Autz-Type - correct?
yes
ok
3.) in the users-file, if I do not specify the Auth/Autz-Type the radius is taken the requested Type automatically - correct?
Sort of. AFAIK nothing else sets Autz-Type. But quite a few modules set Auth-Type based on the incoming requests e.g. the "mschap" modules sets Auth-Type=MS-CHAP if the mschap attributes are in the request. Ditto the "chap" and "eap" modules. "pap" is a bit more complex and has changed in CVS head.
Generally, you should not set Auth-Type in the users file. It's a sign you're doing something wrong. Perhaps if you told us what you're trying to do?
ok
4.) Authentication is comparing a password - correct?
Not necessarily. If it's a PAP request, it's possible to check the plaintext password in the request by straight comparison, hashes comparison, or callout to another system (LDAP, PAM)
Other authentication mechanisms may perform cryptographic operations on passwords at the server and challenges from the NAS to generate the servers idea of the correct response and compare it to the client-supplied response (chap, mschap). Others still may reply to the NAS with a server-generated challenge (EAP).
ok
5.) Authorization is even if a password is correct, the user may not use/do something - correct?
No. That's the common meaning. The "authorize" section in FreeRadius is something else. Please read doc/aaa.txt
so, AFAIK authorization is retreiving user-information from a source?
6.) Authorization is done by providing appropriate reply-attributes - correct?
If you mean "user is OK, can/can't do something"-type "authorization", then yes some NASes can do that based on attributes in the radius reply.
Now the big question: If I have an user who is authenticate, meaning correct username + password whereas the password is stored in LDAP. I want to replay attributes according th some other information stored in LDAP - how can I do such a thing, like: IF ldap-attribute::xy == valid_1 THEN RETURN ldap-attribute::IP-good, ELSIF dap-attribute::xy == valid_2 THEN RETURN ldap-attribute::IP-better, ELSE RETURN ldap-attribute::IP-bad
I don't understand that I'm afraid. I think that's because your question is based on faulty assumptions about the meaning of FreeRadius "authorize" and "authenticate" sections. Please have a look at the docs. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ok, lets assume a user can authenticate because he/she supplys a valid username/password e.g. using PAP. Now the user is authenticated. But I want to allow access to something not only if the user is authenticated, but also if a given attribute is present in the users ldap enty. How can I do that? Thanks Florian -- Dipl. Inf. Florian Prester Network Administration Regionales RechenZentrum Erlangen Universitaet Erlangen-Nuernberg Martensstr. 1 91052 Erlangen Germany Tel.: +499131 8527813