> we have a system that we've been doing plain authorizations
> via FreeRADIUS - the device sends the following RADIUS request
>
> username: userid
> password: userid
>
> (ie the system sends the username and makes the password the same)
>
> okay. fair enough....a bit of unlang and a check that if the username = password
> then set the Auth-Type to something false et voila. all okay.
>
> it has now been decided to also do authentication via RADIUS
> and this is where things get messy.
>
> by removing the Auth-Type kludge, we can successfully authenticate
> a real user with their real password.... however, the authorization
> now fails because the device still sends username/password with
> the password the same as the username - this now hits the
> FreeRADIUS server which cannot find a valid Auth-Type for the user
> and thus fails authentication and therefore sends back a 'blurgh'
> to the box requesting authorization.
>
> this is to be expected because there is nothing in the request to
> distinguish between an authorization request and an authentication
> request.
>
> so the question is, how do we handle this so that the system can
> send a username=password for authorization AND a proper authentication
> can happen WITHOUT (here's a gotcha) the user doing something cute
> like putting their username in as their password! ;-)
Send Service-Type = Authorize-Only in the authorization request. Then you can distinguish between the requests. Or do authorization at the same time as authentication.

Without opening a major security hole. You can set Auth-Type to Accept if User-Name = User-Password in the request, but that would enable anyone to log in knowing just the username.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
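One way to wire up the first suggestion above (telling the two request kinds apart by Service-Type rather than by the placeholder password) in FreeRADIUS unlang. This is an added example, not code from the thread or from the FreeRADIUS project; it assumes FreeRADIUS 3 unlang syntax, the `files` module as the user store, and PAP for the real logins.

```unlang
authorize {
    #
    # Authorization-only request from the device. The device sends
    # User-Password equal to User-Name as a placeholder, so that
    # value must never be checked or treated as a real login.
    # The request is recognised only by Service-Type, never by
    # User-Name == User-Password (see the note at the bottom).
    #
    if (&Service-Type == Authorize-Only) {
        # Look the user up in the users file (assumed user store)
        # to obtain the reply attributes the device needs.
        files
        if (notfound) {
            reject
        }
        # No password check for authorize-only: accept and return
        # whatever the files module added to the reply list.
        update control {
            &Auth-Type := Accept
        }
    }
    else {
        #
        # Real authentication: look up the known-good password and let
        # the pap module set Auth-Type := PAP. A user who types their
        # username as their password is checked against the stored
        # password like anyone else and fails unless it matches.
        #
        files
        pap
    }

    #
    # The shortcut the reply warns against (left commented out):
    # accepting any request whose User-Password equals User-Name
    # would let anyone who knows a username log in without the
    # password.
    #
    #   if (&User-Name == &User-Password) {
    #       update control {
    #           &Auth-Type := Accept
    #       }
    #   }
}
```

The device side must actually send Service-Type = Authorize-Only; an authorization request without it falls into the else branch and is treated as a real login attempt.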

