General question about authentication/authorization

Alan DeKok aland at ox.org
Fri Mar 17 17:24:32 CET 2006


Florian Prester <Florian.Prester at rrze.uni-erlangen.de> wrote:
>  1.) in the users-file, I can only check for attributes provided by the 
> request - correct?

  Yes.

>  2.) in the users-file, if an entry matches all check-attributes, I can 
> specify an Auth/Autz-Type - correct?

  Yes.

>  3.) in the users-file, if I do not specify the Auth/Autz-Type the 
> radius takes the requested Type automatically - correct?

  Sort of.  The type may be set from another module.

>  4.) Authentication is comparing a password - correct?

  No.  Authentication is validating credentials.  e.g. an EAP-TLS
client certificate.  No password is required.

>  5.) Authorization is even if a password is correct, the user may not 
> use/do something - correct?

  Yes.

>  6.) Authorization is done by providing appropriate reply-attributes - 
> correct?

  Sort of.

  Since there are multiple machines involved, there are multiple kinds
of authorization.  The server may decide you're not authorized to use
that NAS, and reject you.  Or, it may decide you're authorized, but
you're only authorized to do certain things.  So it returns reply
attributes that tell the NAS to apply authorization rules.  The NAS
may then decide it doesn't like the server's response, and still reject you.

> I want to reply attributes according to some other information stored 
> in LDAP - how can I do such a thing, like:
>  IF ldap-attribute::xy == valid_1 THEN RETURN ldap-attribute::IP-good,
>  ELSIF ldap-attribute::xy == valid_2 THEN RETURN ldap-attribute::IP-better,
>  ELSE RETURN ldap-attribute::IP-bad

  Hmm... the first thing that comes to mind is the Perl module.

  Alan DeKok.
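One way the "Perl module" route suggested above could look, as an added example that is not from this thread, from Alan, or from the FreeRADIUS project: an rlm_perl authorize hook that fetches the poster's LDAP attribute "xy" for the requesting user and sets a reply attribute by the IF/ELSIF/ELSE rule from the question. The LDAP host, base DN, the use of uid as the lookup key, the attribute name xy, the choice of Framed-IP-Address as the reply attribute, and all address values are assumptions standing in for whatever "IP-good", "IP-better" and "IP-bad" really are.

```perl
#!/usr/bin/perl
# Added example (not the project's code): rlm_perl "authorize" hook that
# maps an LDAP attribute value to a reply attribute with if/elsif/else.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# rlm_perl return codes, numbered as in FreeRADIUS's example.pl
use constant RLM_MODULE_REJECT   => 0;
use constant RLM_MODULE_FAIL     => 1;
use constant RLM_MODULE_OK       => 2;
use constant RLM_MODULE_NOTFOUND => 6;
use constant RLM_MODULE_NOOP     => 7;
use constant RLM_MODULE_UPDATED  => 8;

# rlm_perl fills these hashes from the packet before each call
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Hypothetical directory settings (assumptions, adjust to your LDAP)
my $ldap_host = 'ldap.example.org';
my $base_dn   = 'ou=people,dc=example,dc=org';
my $xy_attr   = 'xy';               # the LDAP attribute the poster calls "xy"

# Constructed sample values for IP-good / IP-better / IP-bad;
# Framed-IP-Address stands in for whichever reply attribute is meant
my %ip_for_xy = (
    valid_1 => '192.0.2.10',        # IP-good
    valid_2 => '192.0.2.20',        # IP-better
);
my $ip_bad = '192.0.2.99';          # IP-bad

# The decision itself, kept free of LDAP calls so it can be tested alone:
# valid_1 -> IP-good, valid_2 -> IP-better, anything else -> IP-bad
sub ip_for {
    my ($xy) = @_;
    return $ip_bad unless defined $xy;
    return exists $ip_for_xy{$xy} ? $ip_for_xy{$xy} : $ip_bad;
}

# Fetch the value of $xy_attr for one user; undef if the user is unknown
sub lookup_xy {
    my ($user) = @_;
    my $ldap = Net::LDAP->new($ldap_host) or die "LDAP connect failed: $@";
    my $bind = $ldap->bind;         # anonymous bind; use a service account in practice
    die 'LDAP bind failed: ' . $bind->error if $bind->code;

    # escape the user name so a crafted User-Name cannot alter the filter
    my $filter = '(uid=' . escape_filter_value($user) . ')';
    my $mesg = $ldap->search(base   => $base_dn, scope => 'sub',
                             filter => $filter,  attrs => [$xy_attr]);
    die 'LDAP search failed: ' . $mesg->error if $mesg->code;
    $ldap->unbind;

    return undef if $mesg->count != 1;   # no such user, or an ambiguous match
    return scalar $mesg->entry(0)->get_value($xy_attr);
}

# Called by the server when "perl" is listed in the authorize section
sub authorize {
    my $user = $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_NOOP unless defined $user;

    my $xy = eval { lookup_xy($user) };
    if ($@) {
        &radiusd::radlog(1, "perl: LDAP error for $user: $@");
        return RLM_MODULE_FAIL;     # a directory problem is not a bad user
    }
    return RLM_MODULE_NOTFOUND unless defined $xy;

    $RAD_REPLY{'Framed-IP-Address'} = ip_for($xy);
    &radiusd::radlog(1, "perl: $user has $xy_attr=$xy, replying "
                        . $RAD_REPLY{'Framed-IP-Address'});
    return RLM_MODULE_UPDATED;      # tells the server the reply list changed
}

1;
```

Point the perl module's "module" setting at this file and list "perl" in the authorize section; a missing or duplicated directory entry yields notfound, a directory failure yields fail rather than reject, and only a found entry adds the reply attribute, which the NAS is then free to apply or refuse as described above.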



More information about the Freeradius-Users mailing list