want to authorise but not authenticate
hi, heres one for a wednesday morning. we have a system that we've been done plain authorizations via FreeRADIUS - the device sends the following RADIUS request username: userid password: userid (ie the system sends the username and makes the password the same) okay. fair enough....a bit of unlang and a check that if the username = password then set the Auth-Type to something false et voila. all okay. it has now been decided to also do authentication via RADIUS and this is where things get messy. by removing the Auth-Type kludge, we can successfully authenticate a real user with their real password.... however, the authorization now fails because the device still sends username/password with the password the same as the username - this now hits the FreeRADIUS server which cannot find a valid Auth-Type for the user and thus fails authentication and therefore sends back a 'blurgh' to the box requesting authorization. this is to be expected because there is nothing in the request to distoniguish between an authorization request and an authentication request. so the question is, how do we handle this so that the system can send a username=password for authorization AND a proper authentication can happen WITHOUT (hers a gotcha) the user doing something cute like putting their username in as their password! ;-) alan
On 8/7/09 10:19, A.L.M.Buxey@lboro.ac.uk wrote:
hi,
heres one for a wednesday morning.
we have a system that we've been done plain authorizations via FreeRADIUS - the device sends the following RADIUS request
username: userid password: userid
(ie the system sends the username and makes the password the same)
okay. fair enough....a bit of unlang and a check that if the username = password then set the Auth-Type to something false et voila. all okay.
it has now been decided to also do authentication via RADIUS and this is where things get messy.
by removing the Auth-Type kludge, we can successfully authenticate a real user with their real password.... however, the authorization now fails because the device still sends username/password with the password the same as the username - this now hits the FreeRADIUS server which cannot find a valid Auth-Type for the user and thus fails authentication and therefore sends back a 'blurgh' to the box requesting authorization.
authorize { if((User-Name == User-Password) && %{ldap:etc...}){ update control { Auth-Type := 'NULL' } } else { // Authentication modules } } Auth-Type NULL { ok }
this is to be expected because there is nothing in the request to distoniguish between an authorization request and an authentication request.
so the question is, how do we handle this so that the system can send a username=password for authorization AND a proper authentication can happen WITHOUT (hers a gotcha) the user doing something cute like putting their username in as their password! ;-)
Slightly confused as to what you want... Try again without the caffeine ? Arran -- Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk>, Systems Administrator (AAA), Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
Hi,
authorize { if((User-Name == User-Password) && %{ldap:etc...}){ update control { Auth-Type := 'NULL' } } else { // Authentication modules } }
Auth-Type NULL { ok }
this is pretty uch what is already on the system - the trouble then is that people can then just login by using any account so long as the password is the same value eg hacker hacker they dont even need a valid account to actually authenticate. what we need is for the X=Y to work for authorise and then not give a damn about authentication - but, as said, looks like we cannot distinguish between auth and auth (if you get what I mean ;-) ) - if only we could send Service-Type from the device... alan
On 8/7/09 12:39, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
authorize { if((User-Name == User-Password)&& %{ldap:etc...}){ update control { Auth-Type := 'NULL' } } else { // Authentication modules } }
Auth-Type NULL { ok }
this is pretty uch what is already on the system - the trouble then is that people can then just login by using any account so long as the password is the same value
eg
hacker hacker
they dont even need a valid account to actually authenticate.
Well the LDAP string expansion should make sure the account is actually valid... But you could use the LDAP module and check the return codes to do the same thing.
what we need is for the X=Y to work for authorise and then not give a damn about authentication - but, as said, looks like we cannot distinguish between auth and auth (if you get what I mean ;-) ) - if only we could send Service-Type from the device...
Listen on multiple interfaces and use the packet destination IP attribute with Unlang to determine policy? Then point the different services at the different IP addresses ? Arran -- Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk>, Systems Administrator (AAA), Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
Hi,
Listen on multiple interfaces and use the packet destination IP attribute with Unlang to determine policy? Then point the different services at the different IP addresses ?
currently this is what we are looking at - a new virtual server on a different port that does the authorisation job only. its a little natty but seems the best way :-| alan
On 8/7/09 13:20, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
Listen on multiple interfaces and use the packet destination IP attribute with Unlang to determine policy? Then point the different services at the different IP addresses ?
currently this is what we are looking at - a new virtual server on a different port that does the authorisation job only.
its a little natty but seems the best way :-|
Can't you bind the same virtual server to multiple IPs? Less duplication... Arran -- Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk>, Systems Administrator (AAA), Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
we have a system that we've been done plain authorizations via FreeRADIUS - the device sends the following RADIUS request
username: userid password: userid
(ie the system sends the username and makes the password the same)
okay. fair enough....a bit of unlang and a check that if the username = password then set the Auth-Type to something false et voila. all okay.
it has now been decided to also do authentication via RADIUS and this is where things get messy.
by removing the Auth-Type kludge, we can successfully authenticate a real user with their real password.... however, the authorization now fails because the device still sends username/password with the password the same as the username - this now hits the FreeRADIUS server which cannot find a valid Auth-Type for the user and thus fails authentication and therefore sends back a 'blurgh' to the box requesting authorization.
this is to be expected because there is nothing in the request to distoniguish between an authorization request and an authentication request.
so the question is, how do we handle this so that the system can send a username=password for authorization AND a proper authentication can happen WITHOUT (hers a gotcha) the user doing something cute like putting their username in as their password! ;-)
Send Service-Type = Authorize-Only in authorization request. Then you can distinguish between the requsts. Or do authorization in the same time as authentication. Without opening a major security hole. You can set Auth-Type to Accept if User-Name = User-Password in the request but that would enable anyone to log in knowing just username. Ivan Kalik Kalik Informatika ISP
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
Ivan Kalik