want to authorise but not authenticate
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Wed Jul 8 13:57:09 CEST 2009
On 8/7/09 12:39, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>> authorize {
>>     if ((User-Name == User-Password) && %{ldap:etc...}) {
>>         update control {
>>             Auth-Type := 'NULL'
>>         }
>>     }
>>     else {
>>         # Authentication modules
>>     }
>> }
>>
>>
>> Auth-Type NULL {
>>     ok
>> }
>
> this is pretty much what is already on the system - the trouble then is that
> people can then just login by using any account so long as the password
> is the same value
>
> eg
>
> hacker
> hacker
>
> they don't even need a valid account to actually authenticate.
>
Well, the LDAP string expansion should make sure the account is actually valid... But you could use the LDAP module and check the return codes to do the same thing.
> what we need is for the X=Y to work for authorise and then
> not give a damn about authentication - but, as said, looks like
> we cannot distinguish between auth and auth (if you get what
> I mean ;-) ) - if only we could send Service-Type from the device...
Listen on multiple interfaces and use the packet destination IP attribute with Unlang to determine policy? Then point the different services at the different IP addresses?
Arran
--
Arran Cudbard-Bell <A.Cudbard-Bell at sussex.ac.uk>,
Systems Administrator (AAA),
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
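One way to put the two ideas in this reply together (an LDAP return-code check so that a made-up "hacker/hacker" pair is rejected, and per-listen-address policy via Packet-Dst-IP-Address), written here as an added illustration and not part of either poster's mail. The two listen addresses (192.0.2.10 for the authorise-only devices, 192.0.2.20 for devices that need real authentication) and the assumption that the ldap module sets Auth-Type := LDAP for accounts it finds are mine; Packet-Dst-IP-Address and the ldap module's notfound return code are standard FreeRADIUS 2.x.

```unlang
# Assumed radiusd.conf: one listen section per service (addresses are examples)
#   listen { type = auth  ipaddr = 192.0.2.10  port = 1812 }  # X=Y "authorise only" devices
#   listen { type = auth  ipaddr = 192.0.2.20  port = 1812 }  # devices needing real authentication

authorize {
    # Look the account up first. rlm_ldap returns notfound when no such
    # user exists, which closes the "any name as long as X=Y" hole.
    ldap
    if (notfound) {
        reject
    }

    # Requests that arrived on the authorise-only address: accept when
    # User-Name equals User-Password, but only for accounts LDAP just found.
    if (Packet-Dst-IP-Address == 192.0.2.10) {
        if (User-Name == User-Password) {
            update control {
                Auth-Type := 'NULL'
            }
        }
        else {
            reject
        }
    }
    # Requests to 192.0.2.20 fall through with whatever Auth-Type the
    # ldap module set (assumed here to be LDAP) and get a real password check.
}

authenticate {
    # Same idea as the quoted config: NULL simply returns ok
    Auth-Type NULL {
        ok
    }
    Auth-Type LDAP {
        ldap
    }
}
```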