[EXTERNAL] Re: Can we get success response in other servers ?

Winfield, Alister Alister.Winfield at sky.uk
Tue Jul 24 13:47:04 CEST 2018

Here I think is a standard misconception about how RADIUS works. It is not a protocol with many defined outcomes it’s a protocol for transporting attributes between clients and servers to allow the three A's in AAA.

RADIUS is not something that knows anything about the clients expectations with respect to outcomes. For this you have to read the clients manuals (not the servers).

In most cases the right approach is:

Read and understand your clients capabilities and attributes that it sends to the RADIUS service and what attributes it will accept in the response. Work out what attributes you need to get the outcome desired. In many cases testing this is done by setting up a simple server and placing a single entry into the users file changing the exact reply one step at a time until its completely understood what the clients behaviour is.

Use what is in the attributes sent during authentication to decide 'who' is asking to be authenticated. From the "who" add attributes to the reply which when interpreted by the client will have the desired outcome (authorisation). The mechanism for working out who and the adding of attributes to the reply is what the FreeRADIUS policy defines. If something isn't sent by the client it’s the clients problem, if the client doesn't understand the response its either because the attribute is wrong or the client doesn't support the attribute you are sending .... read the clients documentation !

If you know how the 'who' part is solved and then how that maps onto the response then and only then try to build a policy to implement it.

So to roles.... go find the clients documentation, lookup the RADIUS configuration and see if it says anything about roles (potentially implemented by using groups). If it does, do what it says. If, however, it doesn't then you have to use a different solution. In that case RADIUS might still be used for 'authentication' but not for assigning a 'role'. (Note I don't know the answer in this case never used the RADIUS implementation in nginx.)

Note: Not mentioned accounting here which is often a worse pain given how many vendors don't understand simple concepts like 'stateless'.


On 24/07/2018, 12:02, "Freeradius-Users on behalf of Mallikarjuna Peddappanavara Karibasappa" <freeradius-users-bounces+alister.winfield=sky.uk at lists.freeradius.org on behalf of mallikarjuna.peddappanavara at igrid-td.com> wrote:

    I'm implementing freeradius client in nginx web server, As of now I can
    able authenticate the users in radius server. Now I need to assign roles to
    the users in freeradius server. When a particular user is authenticated in
    freeradius server then I need to get that user role of that particular user
    in my nginx server.
    I'm struck with the issue that I'm not able to add user roles in freeradius
    Is it possible to set user roles and get that user roles ?

    Thank you,

    Best Regards,*Mallikarjuna PK*Email: mallikarjuna.peddappanavara at igrid-td.com
    Mobile: +91-9535744695

    On 24 July 2018 at 16:24, Alan DeKok <aland at deployingradius.com> wrote:

    > On Jul 24, 2018, at 5:51 AM, Mallikarjuna Peddappanavara Karibasappa <
    > mallikarjuna.peddappanavara at igrid-td.com> wrote:
    > > After successful authentication of user in freeradius server, can we get
    > > this below success response in other servers like nginx or apache ?
    >   What does that mean?
    >   FreeRADIUS will talk RADIUS to any RADIUS client.
    >   Please describe in *detail* what you want to do.
    >   Alan DeKok.
    > -
    > List info/subscribe/unsubscribe? See http://www.freeradius.org/
    > list/users.html
    List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
    This email is from an external source. Please do not open attachments or click links from an unknown or suspicious origin. Phishing attempts can be reported by sending them to phishing at sky.uk as attachments. Thank you

Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of Sky plc and Sky International AG and are used under licence.

Sky UK Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075) and Sky Subscribers Services Limited (Registration No. 2340150) are direct or indirect subsidiaries of Sky plc (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD.

More information about the Freeradius-Users mailing list