Authentication Before Authorization
Alan DeKok
aland at deployingradius.com
Fri Sep 26 16:58:19 CEST 2014
Russell Mike wrote:
> i wish to process authentication section before authorization & then
> accounting. We want to authenticate CPE (Motorola SM) using EAP
> (working) and then authorize using MAC address from a database. if not
> found, redirect to a URL.
That can be done in the post-auth section. EAP uses multiple round
trips, so you *don't* want to be looking up the MAC in the DB for every
packet. Once is good enough.
You can just put a SELECT statement into post-auth:
post-auth {
...
if ("%{sql:SELECT ...}") {
# found
}
else {
# re-direct to URL ???
}
...
}
Put the MAC into a table by itself. There's no need to use the
standard FreeRADIUS schema. A simpler one can be simpler.
And RADIUS doesn't do URL redirection. The AP has to support that.
So if the AP documentation doesn't say it does URL redirection... it's
not possible.
That's what hotspots are for. They can do IP layer filtering and
redirection. It's impossible to do that in standard RADIUS.
Alan DeKok.
More information about the Freeradius-Users
mailing list