Active Directory and authorize section

Maiquel Consalter maiquelconsalter at gmail.com
Wed Feb 2 21:44:51 CET 2011


2011/2/2 Brett Littrell <Blittrell at musd.org>

>  Hi Brian,
>
>     Thanks for explaining that, guess that makes sense for performance,
> load all the info right away and just wait for authentication to complete
> before sending from memory and not doing another query.
>
>     Sorry, did not mean to derail this thread, but I appreciate the
> insight.
>
>  Brett Littrell
> Network Manager
> MUSD
> CISSP, CCSP, CCVP, MCNE
>
>
> >>> On Wednesday, February 02, 2011 at 9:01 AM, in message <
> 20110202170140.GA12067 at talktalkplc.com>, Brian Candler <
> B.Candler at pobox.com> wrote:
>   On Wed, Feb 02, 2011 at 07:23:39AM -0800, Brett Littrell wrote:
> >        Very interesting, I would have thought Authenticate came first, then
> >    Authorize, since you need to authenticate in order to be authorized.
>
> The RADIUS protocol kind of fuzzes the two concepts: an Accept-Request is
> both a request for authentication and authorization.  An Access-Reject could
> mean either that you weren't authenticated, or that you're not authorized
> for the service you wanted.
>
> FreeRADIUS runs both sections of its config before sending the reply,
> because generally authentication needs some data to authenticate, and that
> data normally comes from the same place as the authorization data.
>
> >    If that is the case and say you pull the vlan ids from ldap, or some other
> >    directory, how would Freeradius know what those values are prior to
> >    knowing who you are?
>
> It knows who you *claim* to be (User-Name), so can use that to look up the
> reply attributes.  It doesn't know you actually *are* that person yet, but
> it won't send back an Access-Accept until it does.
>
> >    Or are you saying that the way the program loads
> >    the config the authorize section simply gets read first?
>
> The authorize section gets executed first; I don't think it makes any
> difference what order you put them in the config file.
>
> Regards,
>
> Brian.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Att,
Maiquel
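The ordering Brian describes, as an added illustration that is not FreeRADIUS code: a minimal model in which the authorize step runs first, uses the claimed User-Name to stage the reference password and the VLAN reply attribute from a constructed stand-in for the LDAP directory, and the reply attributes leave the server only inside an Access-Accept after authentication succeeds. The directory contents, user names and passwords are constructed sample data.

```python
# Added illustration of the authorize-before-authenticate flow from the thread.
# DIRECTORY is constructed sample data standing in for an LDAP directory.
import hmac
from dataclasses import dataclass, field

DIRECTORY = {
    # per-user secret plus the reply attribute (VLAN id) authorize would fetch
    "alice": {"password": "alice-secret", "Tunnel-Private-Group-Id": "10"},
    "bob":   {"password": "bob-secret",   "Tunnel-Private-Group-Id": None},
}

@dataclass
class Request:
    user_name: str                                  # what the client *claims*
    password: str
    reply: dict = field(default_factory=dict)       # attributes staged for Accept
    control: dict = field(default_factory=dict)     # reference data for auth

def authorize(req):
    """Runs first: keyed only on the claimed User-Name, it loads the reference
    password and the reply attributes. It decides nothing about identity."""
    entry = DIRECTORY.get(req.user_name)
    if entry is None:
        return False                                # unknown user, nothing to check
    req.control["password"] = entry["password"]
    if entry["Tunnel-Private-Group-Id"] is None:
        return False                                # known, but not authorized
    req.reply["Tunnel-Private-Group-Id"] = entry["Tunnel-Private-Group-Id"]
    return True

def authenticate(req):
    """Runs second, against what authorize staged. A constant-time string
    compare stands in for PAP or an LDAP bind."""
    return hmac.compare_digest(req.control.get("password", ""), req.password)

def handle(user_name, password):
    """One Access-Request. Both sections run before any reply is sent, and a
    reject carries no hint of which of the two reasons applied."""
    req = Request(user_name, password)
    if not authorize(req):
        return ("Access-Reject", {})                # not authorized or unknown
    if not authenticate(req):
        return ("Access-Reject", {})                # staged attributes discarded
    return ("Access-Accept", req.reply)             # attributes released only now
```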