General question about authentication/authorization
Phil Mayers
p.mayers at imperial.ac.uk
Fri Mar 17 16:01:20 CET 2006
Florian Prester wrote:
> Hi,
>
> 1.) in the users-file, I can only check for attributes provided by the
> request - correct?
I think so
> 2.) in the users-file, if an entry matches all check-attributes, I can
> specify an Auth/Autz-Type - correct?
yes
> 3.) in the users-file, if I do not specify the Auth/Autz-Type the radius
> is taken the requested Type automatically - correct?
Sort of. AFAIK nothing else sets Autz-Type. But quite a few modules set
Auth-Type based on the incoming requests, e.g. the "mschap" module sets
Auth-Type=MS-CHAP if the mschap attributes are in the request. Ditto the
"chap" and "eap" modules. "pap" is a bit more complex and has changed in
CVS head.
Generally, you should not set Auth-Type in the users file. It's a sign
you're doing something wrong. Perhaps if you told us what you're trying
to do?
> 4.) Authentication is comparing a password - correct?
Not necessarily. If it's a PAP request, it's possible to check the
plaintext password in the request by straight comparison, hash
comparison, or callout to another system (LDAP, PAM).
Other authentication mechanisms may perform cryptographic operations on
passwords at the server and challenges from the NAS to generate the
server's idea of the correct response and compare it to the
client-supplied response (chap, mschap). Others still may reply to the
NAS with a server-generated challenge (EAP).
> 5.) Authorization means that even if a password is correct, the user may
> not be allowed to use/do something - correct?
No. That's the common meaning. The "authorize" section in FreeRadius is
something else. Please read doc/aaa.txt
> 6.) Authorization is done by providing appropriate reply-attributes -
> correct?
If you mean "user is OK, can/can't do something"-type "authorization",
then yes some NASes can do that based on attributes in the radius reply.
>
> Now the big question:
> If I have a user who is authenticated, meaning correct username +
> password, where the password is stored in LDAP.
> I want to reply attributes according to some other information stored
> in LDAP - how can I do such a thing, like:
> IF ldap-attribute::xy == valid_1 THEN RETURN ldap-attribute::IP-good,
> ELSIF ldap-attribute::xy == valid_2 THEN RETURN ldap-attribute::IP-better,
> ELSE RETURN ldap-attribute::IP-bad
I don't understand that I'm afraid. I think that's because your question
is based on faulty assumptions about the meaning of FreeRadius
"authorize" and "authenticate" sections. Please have a look at the docs.
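The users-file mechanics described in the answers to 1, 2 and 6 above (check items drawn from the Access-Request, no Auth-Type set by hand, reply items handed back to the NAS), as an added illustration that is not part of the thread; the user name, NAS address and IP values are made-up examples.

```text
# Added example, not from the thread. Values are made up.
# Entry keyed on User-Name "alice"; the check items on the first line must
# ALL match attributes present in the incoming request. No Auth-Type is set
# here: the pap/chap/mschap/eap modules pick it from the request contents.
alice   NAS-IP-Address == 192.0.2.10, Service-Type == Framed-User
        Framed-IP-Address = 10.0.0.42,
        Session-Timeout = 3600,
        Fall-Through = No

# DEFAULT entries apply to any user. Fall-Through = Yes lets processing
# continue to later entries so they can add further reply items.
DEFAULT NAS-IP-Address == 192.0.2.10
        Reply-Message = "Welcome to the example NAS",
        Fall-Through = Yes

# Catch-all with no check items: 255.255.255.254 tells the NAS to assign
# the address from its own pool (RFC 2865 meaning of that value).
DEFAULT
        Framed-IP-Address = 255.255.255.254
```

Which of the reply items the NAS actually enforces (the "can/can't do something" sense of authorization from point 6) depends on the NAS, not on the RADIUS server.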