Authorization in RADIUS, Authorization in freeradius

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Sun Sep 2 19:39:17 CEST 2007


Alan DeKok wrote:
> George Beitis wrote:
>   
>> thank you for your reply.  I am writing up a part of my dissertation and
>> I 'm referring to freeradius and the RADIUS protocol trying to explain
>> how it works.
>>     
>
>   By accident, mostly.  Like many practical systems, it was built to do
> something first, and to have theoretical rigor second.
>
>   
>>  From my research most people use RADIUS for
>> authentication purposes.  No one gives a clear image of whether or not
>> they use it for authorization once they have established authentication, so
>> in other words authentication and authorization become one and the same.
>>     
>
>   If the user hasn't been authenticated, he's likely not authorized to
> do anything.  So yes, an "authentication succeeded" message most often
> includes statements of "you are authorized to do X, Y, and Z".
>   
However authentication is just the validation of an identity. The user 
may have multiple identities, any of which could be used to 
authenticate them.
For example a user connecting physically to a network has already 
established one identity: that of an on-site user.

We haven't used any fancy directory lookups to establish this; we just 
know that the packet has come from one of our NAS's, and we trust the 
NAS not to lie, so that's enough.

Now normally the fact that the user is on site isn't enough to authorise 
them for any services, which is where the second level of authentication 
comes in.

If the computer is being authenticated (and MAC-based authentication is 
being used), then the MAC will be looked up in a directory of some sort 
(whether it be a flat file, an LDAP directory or an SQL db), and that's 
generally it.
The NAS discovers the physical address of the device connected to it; 
it trusts the device to use the correct physical address (a pretty poor 
thing to trust), and the RADIUS server trusts the NAS.

If a user is being authenticated, many different schemes can be used. 
The most cryptographically secure method is EAP-TLS, which relies on an 
exchange of certificates (if you want to know more, read up on public 
key encryption).  Each party will validate the certificate against the 
root CA which issued it, and that'll be enough to A) certify that the 
server is what it claims to be, and B) certify that the supplicant is who it claims 
to be.

Now I mentioned earlier that just being on site is sometimes enough for 
authorisation to take place. Here we authorise anyone who fails later 
stages of authentication to use our support service.
So even though they fail to authenticate either as a known user or a 
known computer, they still get access to some resources, as they've been 
authenticated as being an on campus user.

So really the 'Authenticate' section in FreeRADIUS is one of those 
notional things, put there to help people understand what's going on.

Completely off topic, what's the plural of NAS?

I assume it's NAS's.

That's apostrophe lowercase s.


Hmm, reckon it would be a good idea to start a disambiguation page on the wiki?

>   
>>  Do
>> you know of any products that can be used with freeradius to provide
>> such authorization facilities?  Using perhaps policies?
>>     
>
>   FreeRADIUS *does* implement policies which provide authorization
> facilities.
>
>   Perhaps you meant to ask another question?
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>   
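The layered policy Arran describes (trusted NAS = on-site identity; known MAC = device identity; unknown device still gets the support service) can be written as a FreeRADIUS authorize section. This is an added illustration, not configuration from the thread or from the FreeRADIUS project; it assumes FreeRADIUS 3.x unlang syntax, NAS addresses 192.0.2.10/11, an instance of the files module named authorized_macs keyed on Calling-Station-Id, and VLAN numbers 10 and 99, all of which are placeholders.

```text
authorize {
    preprocess

    # Identity 1: the request came from one of our own NAS devices.
    # This is all we know so far, and all we need for the support service.
    # (Addresses are assumed placeholders; use your own NAS list.)
    if (!(&NAS-IP-Address == 192.0.2.10 || &NAS-IP-Address == 192.0.2.11)) {
        # Not one of our NAS's: no identity has been established,
        # so nothing is authorized.
        reject
    }

    # Identity 2: a known device. The NAS sends the MAC address as
    # Calling-Station-Id; "authorized_macs" (assumed name) is a files
    # module instance that returns ok when the MAC is listed.
    authorized_macs
    if (ok) {
        # Known computer: authorize the normal network (VLAN 10 assumed).
        update control {
            &Auth-Type := Accept
        }
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "10"
        }
    }
    else {
        # Unknown device, but still an on-site user (identity 1 holds):
        # authorize only the support service (VLAN 99 assumed).
        update control {
            &Auth-Type := Accept
        }
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "99"
        }
    }
}
```

Note that the NAS must be configured to honour the Tunnel-* attributes, and that this fallback applies to MAC-based authentication only; a failed EAP-TLS exchange cannot be turned into an Access-Accept this way, so any fallback for that case lives on the NAS.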
