General question about authentication/authorization

Florian Prester Florian.Prester at rrze.uni-erlangen.de
Fri Mar 17 16:47:27 CET 2006


Thank you for your answer,

I will try to specify my problem more clearly.


Phil Mayers wrote:

> Florian Prester wrote:
>
>> Hi,
>>
>> 1.) in the users-file, I can only check for attributes provided by 
>> the request - correct?
>
>
> I think so

ok

>
>> 2.) in the users-file, if an entry matches all check-attributes, I 
>> can specify an Auth/Autz-Type - correct?
>
>
> yes

ok

>
>> 3.) in the users-file, if I do not specify the Auth/Autz-Type the 
>> radius takes the requested Type automatically - correct?
>
>
> Sort of. AFAIK nothing else sets Autz-Type. But quite a few modules 
> set Auth-Type based on the incoming requests e.g. the "mschap" modules 
> sets Auth-Type=MS-CHAP if the mschap attributes are in the request. 
> Ditto the "chap" and "eap" modules. "pap" is a bit more complex and 
> has changed in CVS head.
>
> Generally, you should not set Auth-Type in the users file. It's a sign 
> you're doing something wrong. Perhaps if you told us what you're 
> trying to do?

ok

>
>> 4.) Authentication is comparing a password - correct?
>
>
> Not necessarily. If it's a PAP request, it's possible to check the 
> plaintext password in the request by straight comparison, hash 
> comparison, or callout to another system (LDAP, PAM)
>
> Other authentication mechanisms may perform cryptographic operations 
> on passwords at the server and challenges from the NAS to generate the 
> server's idea of the correct response and compare it to the 
> client-supplied response (chap, mschap). Others still may reply to the 
> NAS with a server-generated challenge (EAP).

ok

>
>> 5.) Authorization is even if a password is correct, the user may not 
>> use/do something - correct?
>
>
> No. That's the common meaning. The "authorize" section in FreeRadius 
> is something else. Please read doc/aaa.txt

 >> so, AFAIK authorization is retrieving user-information from a source?

>
>> 6.) Authorization is done by providing appropriate reply-attributes - 
>> correct?
>
>
> If you mean "user is OK, can/can't do something"-type "authorization", 
> then yes some NASes can do that based on attributes in the radius reply.
>
>>
>> Now the big question:
>> If I have a user who is authenticated, meaning correct username + 
>> password, whereas the password is stored in LDAP.
>> I want to reply attributes according to some other information 
>> stored in LDAP - how can I do such a thing, like:
>> IF ldap-attribute::xy == valid_1 THEN RETURN ldap-attribute::IP-good,
>> ELSIF ldap-attribute::xy == valid_2 THEN RETURN 
>> ldap-attribute::IP-better,
>> ELSE RETURN ldap-attribute::IP-bad
>
>
> I don't understand that I'm afraid. I think that's because your 
> question is based on faulty assumptions about the meaning of 
> FreeRadius "authorize" and "authenticate" sections. Please have a look 
> at the docs.
> - List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html

ok, let's assume a user can authenticate because he/she supplies a valid 
username/password, e.g. using PAP. Now the user is authenticated.
But I want to allow access to something not only if the user is 
authenticated, but also only if a given attribute is present in the user's 
LDAP entry.
How can I do that?

Thanks
Florian

-- 
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Martensstr. 1
91052 Erlangen
Germany

Tel.: +499131 8527813
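The "reject unless a given attribute is present in the LDAP entry" requirement from the last paragraph maps onto rlm_ldap's access_attr option, which the ldap module evaluates in the authorize section before any password is checked. The fragment below is an added example for this thread, not configuration posted by the author or shipped by FreeRADIUS; it uses FreeRADIUS 1.1.x syntax (the version current at the time of the post). The host name, bind DN, base DN, password and the LDIF entry are constructed placeholders; dialupAccess and radiusprofile come from the RADIUS-LDAPv3.schema that FreeRADIUS ships, and the userPassword and Framed-IP-Address mappings are the stock ldap.attrmap entries.

```text
# --- radiusd.conf (excerpt), FreeRADIUS 1.1.x; values below are assumptions ---
modules {
	ldap {
		server   = "ldap.example.org"                 # assumed host
		identity = "cn=radius,dc=example,dc=org"      # assumed bind DN
		password = "bind-secret"                      # assumed
		basedn   = "ou=people,dc=example,dc=org"      # assumed base DN
		filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"

		# The check asked for in the thread: the user's entry must
		# carry this attribute (with any value other than "FALSE"),
		# otherwise rlm_ldap returns reject from authorize and the
		# password is never looked at.
		access_attr = "dialupAccess"
		access_attr_used_for_allow = yes

		# checkItem/replyItem mapping between LDAP and RADIUS
		# attributes (see ldap.attrmap below).
		dictionary_mapping = ${raddbdir}/ldap.attrmap

		# If the bind DN may not read userPassword, rlm_ldap sets
		# Auth-Type = LDAP itself and authenticates by binding as the
		# user, so nothing has to set Auth-Type in the users file.
		set_auth_type = yes

		ldap_connections_number = 5
		timeout     = 4
		timelimit   = 3
		net_timeout = 1
	}
}

authorize {
	preprocess
	ldap        # fetches the entry, enforces access_attr, adds reply items
	files
	pap         # if userPassword was readable, pap takes over the PAP check
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type LDAP {
		ldap    # bind-as-user fallback when set_auth_type kicked in
	}
}

# --- ldap.attrmap (the two stock lines this example relies on) ---
checkItem  User-Password      userPassword
replyItem  Framed-IP-Address  radiusFramedIPAddress

# --- constructed LDIF entry that passes the check ---
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: radiusprofile
uid: alice
userPassword: {SSHA}<hash omitted in this example>
dialupAccess: TRUE
radiusFramedIPAddress: 192.0.2.10
```

Run the server with `radiusd -X` and send a PAP request with `radtest`: an entry without dialupAccess (or with dialupAccess: FALSE) is rejected during authorize, an entry with it continues to the password check and, on success, gets Framed-IP-Address from radiusFramedIPAddress in the reply. The value-dependent IF/ELSIF branching from the earlier question is not expressible this way in 1.x; there the usual tool is LDAP group membership (groupmembership_filter) checked with Ldap-Group entries in the users file.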




More information about the Freeradius-Users mailing list