Active Directory and authorize section

schilling schilling2006 at gmail.com
Wed Feb 2 16:38:41 CET 2011


I was thinking about this too. Do we need separate ldap call to retrieve
certain attributes from AD, and then use ntlm_auth for authentication?

Schilling

On Wed, Feb 2, 2011 at 10:23 AM, Brett Littrell <Blittrell at musd.org> wrote:

>  Hey Brian,
>
>     Very interesting, I would have thought Authenticate came first then
> Authorize since you need to authenticate in order to be authorized.  If that
> is the case and say you pull the vlan ids from ldap, or some other
> directory, how would Freeradius know what those values are prior to knowing
> who you are?   Or are you saying that the way the program loads the config
> the authorize section simply gets read first?
>
>  Brett Littrell
> Network Manager
> MUSD
> CISSP, CCSP, CCVP, MCNE
>
>
> >>> On Wednesday, February 02, 2011 at 12:05 AM, in message
> <20110202080557.GA2368 at talktalkplc.com>, Brian Candler <B.Candler at pobox.com> wrote:
>
> I'd say that's not exactly true, or is not very clear anyway.
>
> (1) freeradius always runs the authorize section first, then the
> authenticate section
>
> (2) the authorize section is where you do any sort of database lookups
> needed, both to determine the reply attributes to send (in case the user
> does authenticate successfully), and at the same time to find any
> information needed to perform user authentication, such as the expected
> password (Cleartext-Password in the control list)
>
> (3) the authenticate section normally uses that extra info to perform the
> authentication. If it fails, the reply attributes are stripped out and a
> reject is sent.
>
> Using ntlm_auth is a special case, in that it can authenticate without
> knowing the password: it delegates the whole authentication to a different
> database.
>
> That's fine, but if you don't have anything in your authorize section then
> you'll just be sending back an empty "Access-Accept" without any reply
> attributes.  In some applications this may be sufficient.
>
> This sort of delegation is rather like proxying, and indeed, you can run
> IAS on your AD box and just proxy to it.
>
> IAS has a limitation of 50 RADIUS client IPs (unless you have Windows
> Server Enterprise edition), but fortunately each freeradius server you put
> in front of it only counts as one client :-)
>
> Regards,
>
> Brian.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
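The flow Brian describes (lookups in authorize, the credential check in authenticate, reply items dropped on reject, or alternatively proxying to IAS) written out as FreeRADIUS 2.x configuration fragments. This is an added illustration, not configuration from the thread or from the project's shipped raddb; the server name, bind DN, domain name, group names, VLAN ids, IAS address and shared secret are placeholders.

```unlang
# --- raddb/modules/ldap (FreeRADIUS 2.x) ---
# Runs in "authorize": finds the user in AD and pulls reply/control
# attributes. Server, bind account and base DN are placeholders.
ldap {
    server = "dc1.example.com"
    identity = "CN=radius-bind,OU=Service Accounts,DC=example,DC=com"
    password = "bind-password-here"
    basedn = "DC=example,DC=com"
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    # AD does not hand out password hashes over LDAP, so do not let
    # rlm_ldap pick Auth-Type; mschap/ntlm_auth will handle the check.
    set_auth_type = no
    groupname_attribute = cn
    groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
    dictionary_mapping = ${confdir}/ldap.attrmap
}

# --- raddb/modules/mschap ---
# The "special case" from the thread: the MS-CHAP response is verified by
# winbind's ntlm_auth, so FreeRADIUS never needs the user's password.
# MYDOMAIN is a placeholder for the NetBIOS domain name.
mschap {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# --- raddb/users ---
# Reply attributes chosen by AD group membership. These are evaluated in
# "authorize", i.e. before the user is authenticated; the Ldap-Group
# check item is answered by rlm_ldap. Group name and VLAN id are placeholders.
DEFAULT Ldap-Group == "wifi-staff"
    Tunnel-Type := VLAN,
    Tunnel-Medium-Type := IEEE-802,
    Tunnel-Private-Group-Id := "20"

# --- raddb/sites-enabled/default (relevant sections only) ---
authorize {
    preprocess
    # Sets Auth-Type = MS-CHAP when MS-CHAP attributes are in the request.
    mschap
    suffix
    # Database lookups happen here, first: the VLAN reply items and any
    # control items are collected while the user is still unauthenticated.
    ldap
    files
}

authenticate {
    # Only now is the credential checked, via ntlm_auth.
    Auth-Type MS-CHAP {
        mschap
    }
}

post-auth {
    # On failure the collected reply items are filtered out, so a rejected
    # user never sees the VLAN assignment in the Access-Reject.
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}

# --- raddb/proxy.conf: the alternative Brian mentions ---
# Forward the realm to IAS on the AD box instead of authenticating
# locally; this FreeRADIUS host then counts as a single IAS client.
# Address and secret are placeholders.
home_server ias_dc1 {
    type = auth
    ipaddr = 192.0.2.10
    port = 1812
    secret = "shared-secret-here"
    status_check = none
}

home_server_pool ias_pool {
    type = fail-over
    home_server = ias_dc1
}

realm example.com {
    pool = ias_pool
    nostrip
}
```

For PEAP/EAP-MSCHAPv2 clients the same authorize/authenticate layout belongs in sites-enabled/inner-tunnel, where the inner MS-CHAPv2 exchange is processed, with `eap` added to the outer server's authorize and authenticate sections. A quick check of the ordering is `radiusd -X` with a test request: the debug output shows `ldap` and `files` returning the Tunnel-* items before `mschap` in authenticate calls ntlm_auth, and `attr_filter.access_reject` removing them when the result is a reject.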