Is Radius Authorization bound to Radius Authentication?

[Alan DeKok]

On Sep 8, 2023, at 7:52 AM, Pietro N. via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> I managed to autenticate users through MschapV2/ntlm_auth vs Active Directory (reference#1 https://networkradius.com/articles/2021/02/04/active-directory-with-FreeRADIUS.html, reference#2 https://networkradius.com/articles/2021/09/29/configure-authentication-with-active-directory.html). Freeradius version: 3.0.21.

  That's good.  Thought I would suggest upgrading.  3.0.26 is out, and is available on http://packages.networkradius.com

> Then I read "Authentication systems and protocol compatibility https://networkradius.com/articles/2021/10/08/authentication-system-and-protocol-compatibility.html" and "Authenticating Users with LDAP https://freeradius.org/documentation/freeradius-server/3.2.4/concepts/modules/ldap/authentication.html", so now I wonder whether I could also use LDAP(S) for the Authorization phase-only.

  Sure.

> The doubt comes from the presence of the "identity" in mods-available/ldap.
> Is that Identity used for the binding to AD? I guess so.

  Yes.  Read the debug output to see.

> Thus, username/password of the user trying to authenticate are not involved in the LDAP binding. Am I wrong?

  When you do MS-CHAP, there is no password.  So you can't do LDAP "bind as user".  You have to do searches as an anonymous read-only account.  Those credentials are configured in the mods-available/ldap file.

> Is it worth to spend additional time to study how to setup LDAP Authorization? The primary goal is to read group membership but in future other needs may arise.

  I have no idea.  What do you want to do?

  There isn't a lot of point in reading documentation just in case you might need to do something.  Find out what you want to do, and then read the documentation for that.

  In this case, the LDAP group checks are extensively documented in mods-available/ldap

  Alan DeKok.