Active Directory and authorize section
Hi All, I'm trying to find out what to use (if anything) in the authorize section when authenticating clients via MSCHAP-v2 and AD credentials. The how-to at deployingradius.com only speaks to the authentication section. If I only want to ensure that the username/password credentials are valid do I need to run through authorize or just go straight to authenticate? Cheers, Harry
Hi,
I'm trying to find out what to use (if anything) in the authorize section when authenticating clients via MSCHAP-v2 and AD credentials.
The how-to at deployingradius.com only speaks to the authentication section.
If I only want to ensure that the username/password credentials are valid do I need to run through authorize or just go straight to authenticate?
authorise - CAN i use the network authenticate - is my ID and password correct once you get that and understand the very clear difference, then you can decide if you want to deal with authorise - and how to deal with it. alan
Right, I do understand the distinction which is why I asked the question. I didn't know if the tutorial just assumed everyone was authorized and then granted access as long as the userid/password matched AD or if there's something missing that should be addressed in authorize. Cheers, Harry On Tue, 2011-02-01 at 20:48 +0000, Alan Buxey wrote:
Hi,
I'm trying to find out what to use (if anything) in the authorize section when authenticating clients via MSCHAP-v2 and AD credentials.
The how-to at deployingradius.com only speaks to the authentication section.
If I only want to ensure that the username/password credentials are valid do I need to run through authorize or just go straight to authenticate?
authorise - CAN i use the network
authenticate - is my ID and password correct
once you get that and understand the very clear difference, then you can decide if you want to deal with authorise - and how to deal with it.
alan
Hi Harry, So this is the way I understand it. The authenticate section is used to just verify that you are who you are, via certs, username/password, token etc. The authorize section is where you define the sources for all the information you want FR to respond to. So to just authenticate someone you would just need the authenticate section but if you wanted FreeRadius to assign a user to a specific vlan then you need to configure where that information is coming from which is defined in the authorize section. For example, and this is a guess because I have never tried it. You can have AD as the authenticator in the authenticate section then have "local" in the authorization section. The AD makes sure Harry is Harry, if there is a user name Harry in the Local user file with information on what vlan he belongs to then it will send that information to the switch/router or what have you. Usually you set the Authenticate and authorize to the same servers though so the authenticate server pushes down the info for authorization as well. Anyway, I hope that helps and I am not giving you bad info:) Brett Littrell Network Manager MUSD CISSP, CCSP, CCVP, MCNE
On Tuesday, February 01, 2011 at 1:07 PM, in message <1296594437.13427.45.camel@localhost.localdomain>, Harry Hoffman <hhoffman@ip-solutions.net> wrote:
Right, I do understand the distinction which is why I asked the question. I didn't know if the tutorial just assumed everyone was authorized and then granted access as long as the userid/password matched AD or if there's something missing that should be addressed in authorize. Cheers, Harry On Tue, 2011-02-01 at 20:48 +0000, Alan Buxey wrote:
Hi,
I'm trying to find out what to use (if anything) in the authorize section when authenticating clients via MSCHAP-v2 and AD credentials.
The how-to at deployingradius.com only speaks to the authentication section.
If I only want to ensure that the username/password credentials are valid do I need to run through authorize or just go straight to authenticate?
authorise - CAN i use the network
authenticate - is my ID and password correct
once you get that and understand the very clear difference, then you can decide if you want to deal with authorise - and how to deal with it.
alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, Feb 01, 2011 at 02:33:33PM -0800, Brett Littrell wrote:
The authenticate section is used to just verify that you are who you are, via certs, username/password, token etc. The authorize section is where you define the sources for all the information you want FR to respond to.
I'd say that's not exactly true, or is not very clear anyway. (1) freeradius always runs the authorize section first, then then authenticate section (2) the authorize section is where you do any sort of database lookups needed, both to determine the reply attributes to send (in case the user does authenticate successfully), and at the same time to find any information needed to perform user authentication, such as the expected password (Cleartext-Password in the control list) (3) the authenticate section normally uses that extra info to perform the authentication. If it fails, the reply attributes are stripped out and a reject is sent. Using ntlm_auth is a special case, in that it can authenticate without knowing the password: it delegates the whole authentication to a different database. That's fine, but if you don't have anything in your authorize section then you'll just be sending back an empty "Access-Accept" without any reply attributes. In some applications this may be sufficient. This sort of delegation is rather like proxying, and indeed, you can run IAS on your AD box and just proxy to it. IAS has a limitation of 50 RADIUS client IPs (unless you have Windows Server Enterprise edition), but fortunately each freeradius server you put in front of it only counts as one client :-) Regards, Brian.
Hey Brian, Very interesting, I would have thought Authenticate came first then Authorize since you need to authenticate in order to be authorized. If that is the case and say you pull the vlan ids from ldap, or some other directory, how would Freeradius know what those values are prior to knowing who you are? Or are you saying that the way the program loads the config the authorize section simply gets read first? Brett Littrell Network Manager MUSD CISSP, CCSP, CCVP, MCNE
On Wednesday, February 02, 2011 at 12:05 AM, in message <20110202080557.GA2368@talktalkplc.com>, Brian Candler <B.Candler@pobox.com> wrote:
I'd say that's not exactly true, or is not very clear anyway. (1) freeradius always runs the authorize section first, then then authenticate section (2) the authorize section is where you do any sort of database lookups needed, both to determine the reply attributes to send (in case the user does authenticate successfully), and at the same time to find any information needed to perform user authentication, such as the expected password (Cleartext-Password in the control list) (3) the authenticate section normally uses that extra info to perform the authentication. If it fails, the reply attributes are stripped out and a reject is sent. Using ntlm_auth is a special case, in that it can authenticate without knowing the password: it delegates the whole authentication to a different database. That's fine, but if you don't have anything in your authorize section then you'll just be sending back an empty "Access-Accept" without any reply attributes. In some applications this may be sufficient. This sort of delegation is rather like proxying, and indeed, you can run IAS on your AD box and just proxy to it. IAS has a limitation of 50 RADIUS client IPs (unless you have Windows Server Enterprise edition), but fortunately each freeradius server you put in front of it only counts as one client :-) Regards, Brian. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I was thinking about this too. Do we need separate ldap call to retrieve certain attributes from AD, and then use ntlm_auth for authentication? Schilling On Wed, Feb 2, 2011 at 10:23 AM, Brett Littrell <Blittrell@musd.org> wrote:
Hey Brian,
Very interesting, I would have thought Authenticate came first then Authorize since you need to authenticate in order to be authorized. If that is the case and say you pull the vlan ids from ldap, or some other directory, how would Freeradius know what those values are prior to knowing who you are? Or are you saying that the way the program loads the config the authorize section simply gets read first?
Brett Littrell Network Manager MUSD CISSP, CCSP, CCVP, MCNE
On Wednesday, February 02, 2011 at 12:05 AM, in message < 20110202080557.GA2368@talktalkplc.com>, Brian Candler <B.Candler@pobox.com> wrote: I'd say that's not exactly true, or is not very clear anyway.
(1) freeradius always runs the authorize section first, then then authenticate section
(2) the authorize section is where you do any sort of database lookups needed, both to determine the reply attributes to send (in case the user does authenticate successfully), and at the same time to find any information needed to perform user authentication, such as the expected password (Cleartext-Password in the control list)
(3) the authenticate section normally uses that extra info to perform the authentication. If it fails, the reply attributes are stripped out and a reject is sent.
Using ntlm_auth is a special case, in that it can authenticate without knowing the password: it delegates the whole authentication to a different database.
That's fine, but if you don't have anything in your authorize section then you'll just be sending back an empty "Access-Accept" without any reply attributes. In some applications this may be sufficient.
This sort of delegation is rather like proxying, and indeed, you can run IAS on your AD box and just proxy to it.
IAS has a limitation of 50 RADIUS client IPs (unless you have Windows Server Enterprise edition), but fortunately each freeradius server you put in front of it only counts as one client :-)
Regards,
Brian. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Wed, Feb 02, 2011 at 07:23:39AM -0800, Brett Littrell wrote:
Very interesting, I would have thought Authenticate came first then Authorize since you need to authenticate in order to be authorized.
The RADIUS protocol kind of fuzzes the two concepts: an Accept-Request is both a request for authentication and authorization. An Access-Reject could mean either that you weren't authenticated, or that you're not authorized for the service you wanted. FreeRADIUS runs boths sections of its config before sending the reply, because generally authentication needs some data to authenticate, and that data normally comes from the same place as the authorization data.
If that is the case and say you pull the vlan ids from ldap, or some other directory, how would Freeradius know what those values are prior to knowing who you are?
It knows who you *claim* to be (User-Name), so can use that to look up the reply attributes. It doesn't know you actually *are* that person yet, but it won't send back an Access-Accept until it does.
Or are you saying that the way the program loads the config the authorize section simply gets read first?
The authorize section gets executed first; I don't think it makes any difference what order you put them in the config file. Regards, Brian.
Hi Brian, Thanks for explaining that, guess that makes sense for performance, load all the info right away and just wait for authentication to complete before sending from memory and not doing another query. Sorry, did not mean to derail this thread but I a appreciate the insight. Brett Littrell Network Manager MUSD CISSP, CCSP, CCVP, MCNE
On Wednesday, February 02, 2011 at 9:01 AM, in message <20110202170140.GA12067@talktalkplc.com>, Brian Candler <B.Candler@pobox.com> wrote:
On Wed, Feb 02, 2011 at 07:23:39AM -0800, Brett Littrell wrote:
Very interesting, I would have thought Authenticate came first then Authorize since you need to authenticate in order to be authorized.
The RADIUS protocol kind of fuzzes the two concepts: an Accept-Request is both a request for authentication and authorization. An Access-Reject could mean either that you weren't authenticated, or that you're not authorized for the service you wanted. FreeRADIUS runs boths sections of its config before sending the reply, because generally authentication needs some data to authenticate, and that data normally comes from the same place as the authorization data.
If that is the case and say you pull the vlan ids from ldap, or some other directory, how would Freeradius know what those values are prior to knowing who you are?
It knows who you *claim* to be (User-Name), so can use that to look up the reply attributes. It doesn't know you actually *are* that person yet, but it won't send back an Access-Accept until it does.
Or are you saying that the way the program loads the config the authorize section simply gets read first?
The authorize section gets executed first; I don't think it makes any difference what order you put them in the config file. Regards, Brian. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
2011/2/2 Brett Littrell <Blittrell@musd.org>
Hi Brian,
Thanks for explaining that, guess that makes sense for performance, load all the info right away and just wait for authentication to complete before sending from memory and not doing another query.
Sorry, did not mean to derail this thread but I a appreciate the insight.
Brett Littrell Network Manager MUSD CISSP, CCSP, CCVP, MCNE
On Wednesday, February 02, 2011 at 9:01 AM, in message < 20110202170140.GA12067@talktalkplc.com>, Brian Candler < B.Candler@pobox.com> wrote: On Wed, Feb 02, 2011 at 07:23:39AM -0800, Brett Littrell wrote: Very interesting, I would have thought Authenticate came first then Authorize since you need to authenticate in order to be authorized.
The RADIUS protocol kind of fuzzes the two concepts: an Accept-Request is both a request for authentication and authorization. An Access-Reject could mean either that you weren't authenticated, or that you're not authorized for the service you wanted.
FreeRADIUS runs boths sections of its config before sending the reply, because generally authentication needs some data to authenticate, and that data normally comes from the same place as the authorization data.
If that is the case and say you pull the vlan ids from ldap, or some other directory, how would Freeradius know what those values are prior to knowing who you are?
It knows who you *claim* to be (User-Name), so can use that to look up the reply attributes. It doesn't know you actually *are* that person yet, but it won't send back an Access-Accept until it does.
Or are you saying that the way the program loads the config the authorize section simply gets read first?
The authorize section gets executed first; I don't think it makes any difference what order you put them in the config file.
Regards,
Brian. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Att, Maiquel
participants (6)
-
Alan Buxey -
Brett Littrell -
Brian Candler -
Harry Hoffman -
Maiquel Consalter -
schilling