Two times authorization and/or both proxying and serving
Sorry I forgot the subject !!! Here it goes again! Hi friends! I speak from the tongue of an engineering student in a research group trying to implement a RADIUS proxy system. My doubt is: can a freeradius server do first an authorization of a request throught a DB (i.e MySQL) and proxy then if so or reject it (if all isn't in rule)? I mean, summarizing: Can a request be authenticated/authorized for two times? We want only to accept access if each one of the two servers process the authentication successfully. Thanks in advance for all the support you can give us, hope to hear from you Marc (Nets Research Group [Pompeu Fabra University]) _________________________________________________________________ Dale rienda suelta a tu tiempo libre. Mil ideas para exprimir tu ocio con MSN Entretenimiento. http://entretenimiento.msn.es/
"Mark Supersonik" <marcsupersonic@hotmail.com> wrote:
My doubt is: can a freeradius server do first an authorization of a request throught a DB (i.e MySQL) and proxy then if so or reject it (if all isn't in rule)?
Yes.
We want only to accept access if each one of the two servers process the authentication successfully.
MySQL doesn't do authentication. Your statement is incorrect. Alan DeKok.
First of all, thanks for your help !!! We appreciate so much!! Let me explain that the misunderstanding of the sentence is probably much a problem of my poor acaedemichal english semantics. Well, I will explain the scenario I told again, trying to do it finnest possible: We have a proxy Radius that must proxy or reject the request depending on if the authserver's WISP has quota on our system. Inside proxy, we must forward the incoming request from a roaming user to a domain authserv ONLY AND ONLY IF we can verify WISP-domain has a prepaid quota in proxy's database. We want so to programme the pre-proxy block in order to determine if the request must be proxied to the final authserv or must be reject by the proxy. How can we implement this functionality from a technical point of view? Can we use a module in pre-proxy state? Or we only have the solution of programme JRadius handling the incoming request to proxy? Or maybe the logical solution is to use exec module? We need a little more help...sorry and thanks a lot from all the stuff here!!! Nets Research Group (Pompeu Fabra University of Barcelona)
From: "Alan DeKok" <aland@ox.org> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Two times authorization and/or both proxying and serving Date: Thu, 30 Mar 2006 13:19:30 -0500
"Mark Supersonik" <marcsupersonic@hotmail.com> wrote:
My doubt is: can a freeradius server do first an authorization of a request throught a DB (i.e MySQL) and proxy then if so or reject it (if all isn't in rule)?
Yes.
We want only to accept access if each one of the two servers process the authentication successfully.
MySQL doesn't do authentication. Your statement is incorrect.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Grandes éxitos, superhéroes, imitaciones, cine y TV... http://es.msn.kiwee.com/ Lo mejor para tu móvil.
I know I'm a little bit tedious, but i need your help, please... I need to find the cheapest way to reject a request in proxy radius in the case that a domain doesn't has quota. If domain has quota, the proxy must forward the request to the corresponding authserv and finish the cycle in its natural porpose. Sorry for my bad english, i'm trying to write it as clearest as i can!
From: "Mark Supersonik" <marcsupersonic@hotmail.com> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: freeradius-users@lists.freeradius.org Subject: Re: Two times authorization and/or both proxying and serving Date: Fri, 31 Mar 2006 12:00:54 +0200
First of all, thanks for your help !!! We appreciate so much!! Let me explain that the misunderstanding of the sentence is probably much a problem of my poor acaedemichal english semantics.
Well, I will explain the scenario I told again, trying to do it finnest possible:
We have a proxy Radius that must proxy or reject the request depending on if the authserver's WISP has quota on our system. Inside proxy, we must forward the incoming request from a roaming user to a domain authserv ONLY AND ONLY IF we can verify WISP-domain has a prepaid quota in proxy's database. We want so to programme the pre-proxy block in order to determine if the request must be proxied to the final authserv or must be reject by the proxy.
How can we implement this functionality from a technical point of view? Can we use a module in pre-proxy state? Or we only have the solution of programme JRadius handling the incoming request to proxy? Or maybe the logical solution is to use exec module?
We need a little more help...sorry and thanks a lot from all the stuff here!!!
Nets Research Group (Pompeu Fabra University of Barcelona)
From: "Alan DeKok" <aland@ox.org> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Two times authorization and/or both proxying and serving Date: Thu, 30 Mar 2006 13:19:30 -0500
"Mark Supersonik" <marcsupersonic@hotmail.com> wrote:
My doubt is: can a freeradius server do first an authorization of a request throught a DB (i.e MySQL) and proxy then if so or reject it (if all isn't in rule)?
Yes.
We want only to accept access if each one of the two servers process the authentication successfully.
MySQL doesn't do authentication. Your statement is incorrect.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Grandes éxitos, superhéroes, imitaciones, cine y TV... http://es.msn.kiwee.com/ Lo mejor para tu móvil.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Grandes éxitos, superhéroes, imitaciones, cine y TV... http://es.msn.kiwee.com/ Lo mejor para tu móvil.
"Mark Supersonik" <marcsupersonic@hotmail.com> wrote:
I need to find the cheapest way to reject a request in proxy radius in the case that a domain doesn't has quota. If domain has quota, the proxy must forward the request to the corresponding authserv and finish the cycle in its natural porpose.
Write a shell script to do this. Without a more detailed description of *how* you check if a domain has enough quota, it's impossible to give a better answer. Alan DeKok.
Thank you very much for this answer... We will check the domains quota by a query into Mysql table located in proxy's own database Thank you in advance for the help you can give us!!!
From: "Alan DeKok" <aland@ox.org> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Two times authorization and/or both proxying and serving Date: Mon, 03 Apr 2006 19:24:42 -0400
"Mark Supersonik" <marcsupersonic@hotmail.com> wrote:
I need to find the cheapest way to reject a request in proxy radius in the case that a domain doesn't has quota. If domain has quota, the proxy must forward the request to the corresponding authserv and finish the cycle in its natural porpose.
Write a shell script to do this.
Without a more detailed description of *how* you check if a domain has enough quota, it's impossible to give a better answer.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Dale rienda suelta a tu tiempo libre. Mil ideas para exprimir tu ocio con MSN Entretenimiento. http://entretenimiento.msn.es/
Sorry, when you talk about script, are you talking about my own rlm_modules_X through rlm_example???
From: "Mark Supersonik" <marcsupersonic@hotmail.com> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: freeradius-users@lists.freeradius.org Subject: Re: Two times authorization and/or both proxying and serving Date: Tue, 04 Apr 2006 10:47:19 +0200
Thank you very much for this answer... We will check the domains quota by a query into Mysql table located in proxy's own database Thank you in advance for the help you can give us!!!
From: "Alan DeKok" <aland@ox.org> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Two times authorization and/or both proxying and serving Date: Mon, 03 Apr 2006 19:24:42 -0400
"Mark Supersonik" <marcsupersonic@hotmail.com> wrote:
I need to find the cheapest way to reject a request in proxy radius in the case that a domain doesn't has quota. If domain has quota, the proxy must forward the request to the corresponding authserv and finish the cycle in its natural porpose.
Write a shell script to do this.
Without a more detailed description of *how* you check if a domain has enough quota, it's impossible to give a better answer.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Dale rienda suelta a tu tiempo libre. Mil ideas para exprimir tu ocio con MSN Entretenimiento. http://entretenimiento.msn.es/
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Horóscopo, tarot, numerología... Escucha lo que te dicen los astros. http://astrocentro.msn.es/
participants (2)
-
Alan DeKok -
Mark Supersonik