using different LDAP queries to authorize for different services
Alan DeKok
aland at deployingradius.com
Thu Apr 3 22:17:18 CEST 2008
Sylvain Robitaille wrote:
> I apologize if I'm seeming dense, or leaving the impression that I
> haven't read documentation that you've already pointed me at. I *have*
> read that documentation, but I think the problem is that I'm struggling
> to wrap my head around the details, perhaps because it seems that not
> only are there many options, but there seem to be indeed several ways
> that the same result *might* be achieved.
There is functionality in the server that's historical. The new
"unlang" is generally preferred for anything resembling a complex
configuration.
> Ok, I think I see it now. The debug output from the inner-tunnel starts
> here then?
Yes. EAP-TTLS does PAP inside of a Diameter AVP inside of a TLS
tunnel, which is encapsulated in the TTLS EAP method, which is
encapsulated inside of a RADIUS EAP-Message attribute, which goes into a
RADIUS packet, over UDP, IP, and Ethernet.
See? Nothing could be simpler. <umm..>
> Well, I'm trying these options and configurations because I do really
> want to accomplish the result I'm after. That I've been doing it all
> wrong is simply an indication that I *still* haven't understood the way
> the server functions. I promise that it isn't because I'm not trying. :-(
EAP-TTLS sets up a TLS tunnel between the server and the end machine
(XP, Linux, etc.). It then does a normal authentication request inside
of the tunnel. But since the NAS can't see inside of the tunnel, there
are no NAS attributes inside of the tunnel.
> Hrmmm... I just spotted why I didn't understand that previously from
> "man unlang", but rather needed you to explain it to me directly:
..
> It talks about being able to *update* items in the outer request
In the documentation about the "update" section.
The later documentation about attribute references says you can make
references to lists...
> I'd offer to patch the documentation to make it clear that the
> inner-tunnel can reference *attributes* from the outer request using
> "outer.Attribute-Name", but it seems despite all I've learned from all
> of these experiments and from the help I've gotten on the mailing list, I
> have only scratched the surface of what there is to know about FreeRadius,
> and I would likely write yet more partially-correct-at-best third-party
> documentation that folks really shouldn't follow. :-(
I'm trying to write a book, honest. I think I should probably just
give up, and put the 200 pages I have up on the net for review.
> Once again, thanks for ALL the help. I think I now have everything I
> need to do exactly what I want.
See? It's easy... just run into a couple of bugs, bang your head
against the wall, and you've got it made...
Alan DeKok.
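To tie the thread back to its subject line, here is an added illustration (not from Alan's or Sylvain's messages, and not configuration shipped with FreeRADIUS) of picking one of two ldap module instances in the inner-tunnel virtual server based on an attribute of the outer request, using FreeRADIUS 2.x unlang. The instance names ldap_vpn and ldap_wifi, the LDAP server, base DN, bind identity, group DNs and the NAS-Identifier values vpn-gw and wifi-ctrl are all assumptions; settings not shown keep the shipped defaults.

```unlang
# raddb/modules/ldap  -- two instances of rlm_ldap, one per service.
# Server, DNs and credentials below are placeholders (assumptions).
ldap ldap_vpn {
    server   = "ldap.example.com"
    identity = "cn=radius,ou=svc,dc=example,dc=com"
    password = "change-me"
    basedn   = "ou=people,dc=example,dc=com"
    # Match only members of the vpn-users group; anyone else gets
    # "notfound" from this instance and never reaches pap.
    filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(memberOf=cn=vpn-users,ou=groups,dc=example,dc=com))"
}

ldap ldap_wifi {
    server   = "ldap.example.com"
    identity = "cn=radius,ou=svc,dc=example,dc=com"
    password = "change-me"
    basedn   = "ou=people,dc=example,dc=com"
    filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(memberOf=cn=wifi-users,ou=groups,dc=example,dc=com))"
}

# raddb/sites-enabled/inner-tunnel, authorize section.
# The inner request holds only what the supplicant sent through the TLS
# tunnel, so NAS attributes have to be read from the outer request via
# the outer.request list.
authorize {
    suffix
    eap {
        ok = return
    }

    if ("%{outer.request:NAS-Identifier}" == "vpn-gw") {
        ldap_vpn
    }
    elsif ("%{outer.request:NAS-Identifier}" == "wifi-ctrl") {
        ldap_wifi
    }
    else {
        # Unknown service: do no LDAP lookup at all and reject outright.
        reject
    }

    # EAP-TTLS/PAP: if the ldap instance copied the stored password into
    # the control list, pap authenticates against it.
    pap
}
```

NAS-Identifier is whatever the NAS claims in its own packet; if two NASes share a secret or you do not trust them to name themselves honestly, key the selection on something the NAS cannot choose, such as the packet's source address, rather than on a self-asserted attribute. Run the server with -X and watch the inner-tunnel section of the debug output to confirm which ldap instance was called for a given outer request.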