Active Directory and authorize section

Brett Littrell Blittrell at musd.org
Wed Feb 2 16:23:39 CET 2011


Hey Brian,
 
    Very interesting. I would have thought Authenticate came first, then Authorize, since you need to authenticate in order to be authorized.  If that is the case, and say you pull the vlan ids from ldap, or some other directory, how would Freeradius know what those values are prior to knowing who you are?   Or are you saying that the way the program loads the config, the authorize section simply gets read first?
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE


>>> On Wednesday, February 02, 2011 at 12:05 AM, in message <20110202080557.GA2368 at talktalkplc.com>, Brian Candler <B.Candler at pobox.com> wrote:

I'd say that's not exactly true, or is not very clear anyway.

(1) freeradius always runs the authorize section first, then the
authenticate section

(2) the authorize section is where you do any sort of database lookups
needed, both to determine the reply attributes to send (in case the user
does authenticate successfully), and at the same time to find any
information needed to perform user authentication, such as the expected
password (Cleartext-Password in the control list)

(3) the authenticate section normally uses that extra info to perform the
authentication. If it fails, the reply attributes are stripped out and a
reject is sent.

Using ntlm_auth is a special case, in that it can authenticate without
knowing the password: it delegates the whole authentication to a different
database.

That's fine, but if you don't have anything in your authorize section then
you'll just be sending back an empty "Access-Accept" without any reply
attributes.  In some applications this may be sufficient.

This sort of delegation is rather like proxying, and indeed, you can run IAS
on your AD box and just proxy to it.

IAS has a limitation of 50 RADIUS client IPs (unless you have Windows Server
Enterprise edition), but fortunately each freeradius server you put in front
of it only counts as one client :-)

Regards,

Brian.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
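The ordering Brian describes, as an added configuration example that is not part of either message above: a minimal FreeRADIUS 2.x virtual server in which the authorize section uses the User-Name from the request to gather the expected password (into the control list) and the VLAN reply attributes (into the reply list), and the authenticate section only then checks the password. The file paths (raddb/users, raddb/sites-available/default, raddb/modules/ntlm_auth), the ldap.attrmap mapping, and the user entry are assumptions for illustration, not taken from the thread.

```unlang
# Added example (not from the thread): minimal FreeRADIUS 2.x virtual server
# showing why authorize runs before authenticate.

# raddb/users, read by the "files" module during authorize (assumed entry).
# The check item on the first line is copied into the control: list; the
# indented items go into the reply: list and are held until authentication
# succeeds. Nothing here proves who the user is; it only says what to expect
# and what to return if the later password check passes.
#
# alice   Cleartext-Password := "example-only"
#         Tunnel-Type = VLAN,
#         Tunnel-Medium-Type = IEEE-802,
#         Tunnel-Private-Group-Id = "20"

# raddb/sites-available/default, relevant sections only.
authorize {
    preprocess
    files      # static users file: sets control:Cleartext-Password and VLAN reply items
    ldap       # directory lookup keyed on User-Name; the assumed ldap.attrmap maps
               # userPassword -> control:Cleartext-Password and the radiusTunnel*
               # attributes -> reply:Tunnel-*, so the directory needs no user identity yet
    pap        # sets control:Auth-Type := PAP when a Cleartext-Password is present

    # ntlm_auth variant (delegates the password check to the domain controller):
    # authorize still runs first, here only to pick the Auth-Type. Without files
    # or ldap above, the eventual Access-Accept carries no VLAN attributes,
    # which is the "empty Access-Accept" Brian mentions.
    # update control {
    #     Auth-Type := ntlm_auth
    # }

    # Defensive check: a user with no VLAN assignment is rejected here rather
    # than accepted onto whatever default VLAN the switch applies.
    if (reply:Tunnel-Private-Group-Id) {
        ok
    }
    else {
        update reply {
            Reply-Message := "No VLAN assignment found"
        }
        reject
    }
}

authenticate {
    Auth-Type PAP {
        pap    # compares request:User-Password with control:Cleartext-Password
    }
    Auth-Type ntlm_auth {
        ntlm_auth    # exec module wrapping Samba's ntlm_auth (raddb/modules/ntlm_auth)
    }
}

post-auth {
    Post-Auth-Type REJECT {
        # On failure the reply attributes gathered in authorize are filtered
        # out, so a rejected user never receives the VLAN assignment.
        attr_filter.access_reject
    }
}
```

The point to take from the layout is that authorize is a data-gathering pass keyed on the claimed User-Name, not a trust decision: every attribute it puts in the reply list stays provisional until authenticate succeeds, and the REJECT filter in post-auth is what guarantees a failed request leaves with nothing but the rejection.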