Active Directory and authorize section

Brian Candler B.Candler at pobox.com
Wed Feb 2 09:05:57 CET 2011


On Tue, Feb 01, 2011 at 02:33:33PM -0800, Brett Littrell wrote:
>        The authenticate section is used to just verify that you are who
>    you are, via certs, username/password, token etc.  The authorize
>    section is where you define the sources for all the information you
>    want FR to respond to.

I'd say that's not exactly true, or is not very clear anyway.

(1) freeradius always runs the authorize section first, then the
authenticate section

(2) the authorize section is where you do any sort of database lookups
needed, both to determine the reply attributes to send (in case the user
does authenticate successfully), and at the same time to find any
information needed to perform user authentication, such as the expected
password (Cleartext-Password in the control list)

(3) the authenticate section normally uses that extra info to perform the
authentication. If it fails, the reply attributes are stripped out and a
reject is sent.

Using ntlm_auth is a special case, in that it can authenticate without
knowing the password: it delegates the whole authentication to a different
database.

That's fine, but if you don't have anything in your authorize section then
you'll just be sending back an empty "Access-Accept" without any reply
attributes.  In some applications this may be sufficient.

This sort of delegation is rather like proxying, and indeed, you can run IAS
on your AD box and just proxy to it.

IAS has a limitation of 50 RADIUS client IPs (unless you have Windows Server
Enterprise edition), but fortunately each freeradius server you put in front
of it only counts as one client :-)

Regards,

Brian.
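A worked configuration for the flow described in points (1) to (3) above, added here as an illustration; it is not part of the original post and not FreeRADIUS's shipped configuration. It shows a FreeRADIUS 2.x virtual server whose authorize section does the lookups (the users file supplies reply attributes, and ntlm_auth is selected as Auth-Type when no local password is known), and whose authenticate section performs the actual check. The file paths, the NetBIOS domain EXAMPLE and the user "alice" are assumptions.

```unlang
# --- raddb/modules/ntlm_auth (module definition; path assumed) ---
# Delegates the password check to Samba's ntlm_auth helper, so FreeRADIUS
# never needs the user's password in its own database (the "special case"
# in the post above).
exec ntlm_auth {
    wait = yes
    # EXAMPLE is an assumed NetBIOS domain name; replace with your AD domain.
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
}

# --- raddb/users (constructed entry, shown here as a comment) ---
# The "files" module in authorize reads this. No Cleartext-Password is set,
# so PAP cannot verify alice locally; only reply attributes are supplied.
#
# alice
#         Reply-Message := "Welcome %{User-Name}",
#         Session-Timeout := 3600

# --- raddb/sites-enabled/default (relevant sections only) ---
authorize {
    preprocess

    # (2) Database lookups: reply attributes for the Access-Accept and,
    # where the backend knows it, control:Cleartext-Password.
    files

    # No local password and no Auth-Type chosen yet: delegate the check
    # to ntlm_auth rather than rejecting for lack of a known-good password.
    if (!control:Auth-Type && !control:Cleartext-Password) {
        update control {
            Auth-Type := ntlm_auth
        }
    }

    # Users with a locally known Cleartext-Password fall through to PAP
    # (pap does nothing here if an Auth-Type is already set).
    pap
}

authenticate {
    # (3) The Auth-Type chosen in authorize selects the verifying module.
    Auth-Type PAP {
        pap
    }
    Auth-Type ntlm_auth {
        ntlm_auth
    }
}

post-auth {
    # Reply attributes collected in authorize go out only on Access-Accept;
    # on a reject they are filtered down to what an Access-Reject may carry.
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
```

With this layout an AD user who is unknown to the users file still gets an Access-Accept from ntlm_auth, but, as the post notes, it carries no reply attributes unless some module in authorize supplied them; a "DEFAULT" entry in the users file is one common way to attach attributes to every delegated user.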
