want to authorise but not authenticate

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Wed Jul 8 11:19:56 CEST 2009


hi,

heres one for a wednesday morning. 


we have a system that we've been done plain authorizations
via FreeRADIUS - the device sends the following RADIUS request

username: userid
password: userid

(ie the system sends the username and makes the password the same)

okay. fair enough....a bit of unlang and a check that if the username = password
then set the Auth-Type to something false et voila. all okay.


it has now been decided to also do authentication via RADIUS
and this is where things get messy.


by removing the Auth-Type kludge, we can successfully authenticate
a real user with their real password.... however, the authorization
now fails because the device still sends username/password with
the password the same as the username - this now hits the
FreeRADIUS server which cannot find a valid Auth-Type for the user
and thus fails authentication and therefore sends back a 'blurgh'
to the box requesting authorization.

this is to be expected because there is nothing in the request to 
distoniguish between an authorization request and an authentication
request.

so the question is, how do we handle this so that the system can
send a username=password for authorization AND a proper authentication
can happen WITHOUT (hers a gotcha) the user doing something cute
like putting their username in as their password! ;-)

alan



More information about the Freeradius-Users mailing list