[EXTERNAL] Re: Can we get success response in other servers ?

Mallikarjuna Peddappanavara Karibasappa mallikarjuna.peddappanavara at igrid-td.com
Tue Jul 24 13:53:36 CEST 2018


Thanks for your inputs Alister.

Thank you,

Best Regards,
*Mallikarjuna PK*
Email: mallikarjuna.peddappanavara at igrid-td.com
Mobile: +91-9535744695


On 24 July 2018 at 17:17, Winfield, Alister <Alister.Winfield at sky.uk> wrote:

> Here, I think, is a standard misconception about how RADIUS works. It is not
> a protocol with many defined outcomes; it's a protocol for transporting
> attributes between clients and servers to allow the three A's in AAA.
>
> RADIUS is not something that knows anything about the client's expectations
> with respect to outcomes. For this you have to read the client's manuals
> (not the server's).
>
> In most cases the right approach is:
>
> Read and understand your client's capabilities and attributes that it sends
> to the RADIUS service and what attributes it will accept in the response.
> Work out what attributes you need to get the outcome desired. In many cases
> testing this is done by setting up a simple server and placing a single
> entry into the users file, changing the exact reply one step at a time until
> it's completely understood what the client's behaviour is.
>
> Use what is in the attributes sent during authentication to decide 'who'
> is asking to be authenticated. From the "who" add attributes to the reply
> which when interpreted by the client will have the desired outcome
> (authorisation). The mechanism for working out who and the adding of
> attributes to the reply is what the FreeRADIUS policy defines. If something
> isn't sent by the client it's the client's problem; if the client doesn't
> understand the response it's either because the attribute is wrong or the
> client doesn't support the attribute you are sending ... read the client's
> documentation!
>
> If you know how the 'who' part is solved and then how that maps onto the
> response then and only then try to build a policy to implement it.
>
> So to roles... go find the client's documentation, look up the RADIUS
> configuration and see if it says anything about roles (potentially
> implemented by using groups). If it does, do what it says. If, however, it
> doesn't then you have to use a different solution. In that case RADIUS
> might still be used for 'authentication' but not for assigning a 'role'.
> (Note I don't know the answer in this case, never used the RADIUS
> implementation in nginx.)
>
> Note: Not mentioned accounting here which is often a worse pain given how
> many vendors don't understand simple concepts like 'stateless'.
>
> Alister
>
>
>
>
> On 24/07/2018, 12:02, "Freeradius-Users on behalf of Mallikarjuna
> Peddappanavara Karibasappa" <freeradius-users-bounces+alister.winfield=sky.uk
> at lists.freeradius.org on behalf of mallikarjuna.peddappanavara@igrid-td.com>
> wrote:
>
>     I'm implementing a freeradius client in the nginx web server. As of now I am
>     able to authenticate the users in the radius server. Now I need to assign
>     roles to the users in the freeradius server. When a particular user is
>     authenticated in the freeradius server, I need to get the role of that
>     particular user in my nginx server.
>     I'm stuck with the issue that I'm not able to add user roles in the
>     freeradius server.
>     Is it possible to set user roles and get those user roles?
>
>     Thank you,
>
>     Best Regards,
>     *Mallikarjuna PK*
>     Email: mallikarjuna.peddappanavara@igrid-td.com
>     Mobile: +91-9535744695
>
>
>     On 24 July 2018 at 16:24, Alan DeKok <aland at deployingradius.com> wrote:
>
>     > On Jul 24, 2018, at 5:51 AM, Mallikarjuna Peddappanavara Karibasappa
>     > <mallikarjuna.peddappanavara at igrid-td.com> wrote:
>     > > After successful authentication of user in freeradius server, can we get
>     > > this below success response in other servers like nginx or apache ?
>     >
>     >   What does that mean?
>     >
>     >   FreeRADIUS will talk RADIUS to any RADIUS client.
>     >
>     >   Please describe in *detail* what you want to do.
>     >
>     >   Alan DeKok.
>     >
>     >
>
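As an added illustration of the point in the quoted reply that RADIUS only transports attributes and the client decides what they mean (this is not code from the thread, from FreeRADIUS, or from any nginx module): a minimal client-side parser that checks the Response Authenticator defined in RFC 2865 before mapping a reply attribute to a role. Carrying the role in Filter-Id, the role names, and the shared secret are assumptions made for the example.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, FILTER_ID = 2, 11   # code and attribute numbers from RFC 2865
KNOWN_ROLES = {"admin", "viewer"}  # assumption: roles this client understands

def build_reply(code, ident, request_auth, attrs, secret):
    """Server side: encode attributes and compute the Response Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

def parse_reply(packet, request_auth, secret):
    """Client side: verify the reply, then return (code, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, attrs

def role_from_reply(code, attrs):
    """Deny by default: only a known role in an Access-Accept is honoured."""
    if code != ACCESS_ACCEPT:
        return None
    for attr_type, value in attrs:
        if attr_type == FILTER_ID and value.decode("utf-8", "replace") in KNOWN_ROLES:
            return value.decode("utf-8")
    return None

# Constructed sample exchange (secret, authenticator and values are made up).
SECRET = b"testing123"
REQ_AUTH = bytes(range(16))
REPLY = build_reply(ACCESS_ACCEPT, 7, REQ_AUTH, [(FILTER_ID, b"admin")], SECRET)
print(role_from_reply(*parse_reply(REPLY, REQ_AUTH, SECRET)))
```

A reply whose attribute the client does not recognise yields no role at all, which is the client-side half of "read the client's documentation".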

