Authentication Before Authorization
Russell Mike
radius.sir at gmail.com
Fri Sep 26 17:23:29 CEST 2014
Wonderful!! Quality of information was superb. Understood!!
Thanks / Regards
RM --
On Fri, Sep 26, 2014 at 2:58 PM, Alan DeKok <aland at deployingradius.com>
wrote:
> Russell Mike wrote:
> > I wish to process authentication section before authorization & then
> > accounting. We want to authenticate CPE (Motorola SM) using EAP
> > (working) and then authorize using MAC address from a database. If not
> > found, redirect to a URL.
>
> That can be done in the post-auth section. EAP uses multiple round
> trips, so you *don't* want to be looking up the MAC in the DB for every
> packet. Once is good enough.
>
> You can just put a SELECT statement into post-auth:
>
>     post-auth {
>         ...
>
>         if ("%{sql:SELECT ...}") {
>             # found
>         }
>         else {
>             # re-direct to URL ???
>         }
>         ...
>     }
>
>
> Put the MAC into a table by itself. There's no need to use the
> standard FreeRADIUS schema. A simpler one can be simpler.
>
> And RADIUS doesn't do URL redirection. The AP has to support that.
> So if the AP documentation doesn't say it does URL redirection... it's
> not possible.
>
> That's what hotspots are for. They can do IP layer filtering and
> redirection. It's impossible to do that in standard RADIUS.
>
> Alan DeKok.
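
A fuller version of the post-auth lookup suggested in the quoted reply, as an added example that is not part of the original thread or of the FreeRADIUS distribution. The table `cpe_mac`, its `mac` column, and the use of `Calling-Station-Id` as the source of the CPE's MAC address are assumptions; rejecting unknown devices is this example's own choice, since the thread leaves the not-found action open.

```unlang
# Assumed one-column table, kept separate from the standard FreeRADIUS schema:
#
#   CREATE TABLE cpe_mac (
#       mac VARCHAR(17) NOT NULL PRIMARY KEY   -- stored in one fixed format
#   );
#
# Assumption: the NAS sends the CPE's MAC in Calling-Station-Id, in the
# same format as the stored value. NAS vendors differ in case and
# separators, so normalise the attribute before this point if needed.

post-auth {
	# post-auth runs once, after the EAP conversation has finished,
	# so the database sees one query per session rather than one per
	# EAP round trip.
	#
	# The query returns "1" for a known MAC and an empty string
	# otherwise. The sql module escapes the expanded attribute before
	# it is placed in the query.
	if ("%{sql:SELECT 1 FROM cpe_mac WHERE mac = '%{Calling-Station-Id}' LIMIT 1}") {
		# Found: leave the Access-Accept as it is.
		noop
	}
	else {
		# Not found. RADIUS cannot redirect to a URL by itself, so
		# this example refuses access instead.
		reject
	}
}
```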