Active Directory and authorize section
Brett Littrell
Blittrell at musd.org
Tue Feb 1 23:33:33 CET 2011
Hi Harry,
So this is the way I understand it.
The authenticate section is used to just verify that you are who you are, via certs, username/password, token etc. The authorize section is where you define the sources for all the information you want FR to respond to. So to just authenticate someone you would just need the authenticate section but if you wanted FreeRadius to assign a user to a specific vlan then you need to configure where that information is coming from which is defined in the authorize section.
For example, and this is a guess because I have never tried it. You can have AD as the authenticator in the authenticate section then have "local" in the authorization section. The AD makes sure Harry is Harry, if there is a user name Harry in the Local user file with information on what vlan he belongs to then it will send that information to the switch/router or what have you. Usually you set the Authenticate and authorize to the same servers though so the authenticate server pushes down the info for authorization as well.
Anyway, I hope that helps and I am not giving you bad info:)
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE
>>> On Tuesday, February 01, 2011 at 1:07 PM, in message <1296594437.13427.45.camel at localhost.localdomain>, Harry Hoffman <hhoffman at ip-solutions.net> wrote:
Right, I do understand the distinction which is why I asked the
question.
I didn't know if the tutorial just assumed everyone was authorized and
then granted access as long as the userid/password matched AD or if
there's something missing that should be addressed in authorize.
Cheers,
Harry
On Tue, 2011-02-01 at 20:48 +0000, Alan Buxey wrote:
> Hi,
>
> > I'm trying to find out what to use (if anything) in the authorize
> > section when authenticating clients via MSCHAP-v2 and AD credentials.
> >
> > The how-to at deployingradius.com only speaks to the authentication
> > section.
> >
> > If I only want to ensure that the username/password credentials are
> > valid do I need to run through authorize or just go straight to
> > authenticate?
>
> authorise - CAN i use the network
>
> authenticate - is my ID and password correct
>
>
> once you get that and understand the very clear difference, then you can decide
> if you want to deal with authorise - and how to deal with it.
>
> alan
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20110201/d6b891fd/attachment.html>
More information about the Freeradius-Users
mailing list