Freeradius and Role based access control
Sorry, this is a bit of a newbie question, but something I have been trying to work out for a while IEC 62351 specifies that access permission to a device is based on the authentication of the user and also the role(s) associated with that user. To allow us to use RADIUS to authenticate an access request, we would the radius server to authenticate both the user name password, but also whether the the user has the rights to the role requested. Their does not seem to be any obvious attribute to pass requested role information to a freeradius server, so what is generally the merthod to implement Role Based access control via Radius?
On Nov 2, 2017, at 11:46 AM, Tony Pedley <tpedley@gmail.com> wrote:
IEC 62351 specifies that access permission to a device is based on the authentication of the user and also the role(s) associated with that user.
What "role" is associated with the user? i.e. What is inside of a *RADIUS* packet, that tells you what the users "role" is?
To allow us to use RADIUS to authenticate an access request, we would the radius server to authenticate both the user name password, but also whether the the user has the rights to the role requested. Their does not seem to be any obvious attribute to pass requested role information to a freeradius server,
That's the issue. And no, it's not a FreeRADIUS issue. It's a NAS issue.
so what is generally the merthod to implement Role Based access control via Radius?
Does the NAS send the role in a RADIUS attribute? a) yes - you can do role-based enforcement b) no, you can't do role-based enforcement. And what NAS are you using? What larger use-case is going on? Knowing some more details might help. Alan DeKok.
participants (2)
-
Alan DeKok -
Tony Pedley