On 8/7/09 10:19, [email protected] wrote:
hi,

here's one for a wednesday morning.


we have a system that we've been doing plain authorizations
via FreeRADIUS - the device sends the following RADIUS request

username: userid
password: userid

(ie the system sends the username and makes the password the same)

okay. fair enough....a bit of unlang and a check that if the username = password
then set the Auth-Type to something false et voila. all okay.


it has now been decided to also do authentication via RADIUS
and this is where things get messy.


by removing the Auth-Type kludge, we can successfully authenticate
a real user with their real password.... however, the authorization
now fails because the device still sends username/password with
the password the same as the username - this now hits the
FreeRADIUS server which cannot find a valid Auth-Type for the user
and thus fails authentication and therefore sends back a 'blurgh'
to the box requesting authorization.

authorize {
        # compare against the expanded attribute value, not the literal string "User-Password"
        if((User-Name == "%{User-Password}") && %{ldap:etc...}){
                update control {
                        Auth-Type := 'NULL'
                }
        }
        else {
                # Authentication modules
        }
}


Auth-Type NULL {
        ok
}


this is to be expected because there is nothing in the request to
distinguish between an authorization request and an authentication
request.

so the question is, how do we handle this so that the system can
send a username=password for authorization AND a proper authentication
can happen WITHOUT (here's a gotcha) the user doing something cute
like putting their username in as their password! ;-)

Slightly confused as to what you want... Try again without the caffeine ?

Arran

--
Arran Cudbard-Bell <[email protected]>,
Systems Administrator (AAA),
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2