want to authorise but not authenticate

Ivan Kalik tnt at kalik.net
Wed Jul 8 11:35:04 CEST 2009


> we have a system that we've been doing plain authorizations
> via FreeRADIUS - the device sends the following RADIUS request
>
> username: userid
> password: userid
>
> (ie the system sends the username and makes the password the same)
>
> okay. fair enough....a bit of unlang and a check that if the username =
> password
> then set the Auth-Type to something false et voila. all okay.
>
>
> it has now been decided to also do authentication via RADIUS
> and this is where things get messy.
>
>
> by removing the Auth-Type kludge, we can successfully authenticate
> a real user with their real password.... however, the authorization
> now fails because the device still sends username/password with
> the password the same as the username - this now hits the
> FreeRADIUS server which cannot find a valid Auth-Type for the user
> and thus fails authentication and therefore sends back a 'blurgh'
> to the box requesting authorization.
>
> this is to be expected because there is nothing in the request to
> distinguish between an authorization request and an authentication
> request.
>
> so the question is, how do we handle this so that the system can
> send a username=password for authorization AND a proper authentication
> can happen WITHOUT (here's a gotcha) the user doing something cute
> like putting their username in as their password! ;-)

Send Service-Type = Authorize-Only in authorization request. Then you can
distinguish between the requests. Or do authorization at the same time as
authentication.

Without opening a major security hole. You can set Auth-Type to Accept if
User-Name = User-Password in the request but that would enable anyone to
log in knowing just username.

Ivan Kalik
Kalik Informatika ISP
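As an added illustration (my config, not Ivan's and not a stock FreeRADIUS file): an `authorize` section for FreeRADIUS 2.x showing the username=password kludge Ivan warns about beside the Service-Type = Authorize-Only branch he suggests. It assumes the device is listed in clients.conf with its own shared secret, so only that NAS can send Authorize-Only requests, and that real logins are verified by whatever backend module the site already uses (pap/ldap/sql).

```unlang
authorize {
    preprocess

    # BEFORE (the original kludge): any request whose password equals the
    # username is accepted without checking anything. Once real logins go
    # through the same server this lets anyone in who knows a username.
    #
    # if (User-Name == User-Password) {
    #     update control {
    #         Auth-Type := Accept
    #     }
    # }

    # AFTER: the device marks its pure authorization lookups explicitly.
    # Service-Type Authorize-Only (value 17, dictionary.rfc5080) is shipped
    # with FreeRADIUS 2.x, so no local dictionary entry is needed.
    if (Service-Type == Authorize-Only) {
        # No password is being verified here: skip the password modules
        # and let the rest of the section return the user's attributes.
        update control {
            Auth-Type := Accept
        }
    }
    else {
        # A real login: the password must be checked by the backend
        # (pap with a stored Cleartext-Password, ldap, sql, ...). The
        # username==password case is not special any more; it only
        # succeeds if that really is the user's password.
        files
        pap
    }
}
```

With this split the Authorize-Only branch never reaches the password check, and a normal Access-Request with password = username is handled like any other login attempt.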