Authentication Before Authorization
Hi Alan D Can we do authentication before authorization in v3.0 ? Thanks
Hi Alan D. i wish to process authentication section before authorization & then accounting. We want to authenticate CPE (Motorola SM) using EAP (working) and then authorize using MAC address from a database. if not found, redirect to a URL. But it is other way around, authorize section is read first and authentication. Thanks / Regards On Fri, Sep 26, 2014 at 11:18 AM, Alan DeKok <aland@deployingradius.com> wrote:
Russell Mike wrote:
Can we do authentication before authorization in v3.0 ?
I'm not sure what that means.
What do you want to accomplish?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Russell Mike wrote:
i wish to process authentication section before authorization & then accounting. We want to authenticate CPE (Motorola SM) using EAP (working) and then authorize using MAC address from a database. if not found, redirect to a URL.
That can be done in the post-auth section. EAP uses multiple round trips, so you *don't* want to be looking up the MAC in the DB for every packet. Once is good enough. You can just put a SELECT statement into post-auth: post-auth { ... if ("%{sql:SELECT ...}") { # found } else { # re-direct to URL ??? } ... } Put the MAC into a table by itself. There's no need to use the standard FreeRADIUS schema. A simpler one can be simpler. And RADIUS doesn't do URL redirection. The AP has to support that. So if the AP documentation doesn't say it does URL redirection... it's not possible. That's what hotspots are for. They can do IP layer filtering and redirection. It's impossible to do that in standard RADIUS. Alan DeKok.
Wonderful !! quality of information was superb. Understood !! Thanks / Regards RM -- On Fri, Sep 26, 2014 at 2:58 PM, Alan DeKok <aland@deployingradius.com> wrote:
Russell Mike wrote:
i wish to process authentication section before authorization & then accounting. We want to authenticate CPE (Motorola SM) using EAP (working) and then authorize using MAC address from a database. if not found, redirect to a URL.
That can be done in the post-auth section. EAP uses multiple round trips, so you *don't* want to be looking up the MAC in the DB for every packet. Once is good enough.
You can just put a SELECT statement into post-auth:
post-auth { ...
if ("%{sql:SELECT ...}") { # found } else { # re-direct to URL ??? } ... }
Put the MAC into a table by itself. There's no need to use the standard FreeRADIUS schema. A simpler one can be simpler.
And RADIUS doesn't do URL redirection. The AP has to support that. So if the AP documentation doesn't say it does URL redirection... it's not possible.
That's what hotspots are for. They can do IP layer filtering and redirection. It's impossible to do that in standard RADIUS.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Russell Mike