authentication != authorization
Erik Norgaard
norgaard at locolomo.org
Tue Jun 15 09:17:59 CEST 2010
Hi:
I currently use freeradius 2.1.6 for authentication on my Wlan with
WPA2-EAP-TLS. Now, I'd like to deploy multiple policies and
authentication methods.
As I use freeradius now, an authenticated user is authorized to
whatever. I'd like to be able to differentiate this authorization such
that, i.e. some users have full access, while other users have
restricted access and others have no access even if authenticated
successfully.
Is there some way of having freeradius call a script or connect to some
service, submitting the user authentication details and ip/mac address
such that access can be granted according to the user privileges?
More precisely, I'd like to deploy the following policies:
a. If a user authenticates with a certificate I issued, I trust them
with full access.
b. If the user authenticates with a foreign trusted certificate I will
grant web/mail access.
c. If the user authenticates with a temporal password, time limited
access is granted to web/mail access.
d. If the user fails to authenticate, any web access is redirected to a
web page explaining how to configure the system or request access.
So, even failure to authenticate should result in some sort of guest
authentication without privileges.
Regarding c, how can I manage temporal accounts?
Thanks, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157 http://www.locolomo.org