Re: MAC authorisation (but not authentication) via LDAP

02-25-2007
Phil Mayers

Markus Krause wrote:
>
> but what if the Auth-Type is not set, for example in a perl module
> (btw, how can I set the Auth-Type? that would solve my problem here!).
> example:
> we (will) have a wlan which can be used by all our users known in ldap,
> and we have additional accounts saved in sql, which can be given to
> guests by our departments and research groups; these accounts are then
> valid for a fixed (preset) number of days since their first usage. to
> check this I wrote a small perl script which works. so for
> authorization I use in radiusd.conf:


I'm obviously not understanding what you're trying to do.

Auth-Type is meant solely to be a key that indicates to the server which
module to call in the "authenticate" section to execute the
authentication *algorithm*. The reason setting Auth-Type is so bad is
that it breaks the ability for the server to correctly detect the
algorithm, and people don't understand why.

Disabling an account is not part of the authentication algorithm, and
should happen in the authorize section (ideally by setting the
Expiration attribute built into FreeRADIUS, but there are cases where
that's not applicable).

I assume you're using the "mpi-sta" module to do something like:

    def authorize(USERNAME, now, firstseen, VALIDTIME):
        # firstseen maps username -> time of that account's first login
        if USERNAME not in firstseen:
            firstseen[USERNAME] = now          # first use starts the clock
        elif now - firstseen[USERNAME] > VALIDTIME:
            return "reject"                    # validity window has passed
        return "ok"

In which case they'll just get rejected during authorize and the mpi-sta
module doesn't need to (and SHOULD NOT) appear in the authenticate section.

>
> ----- part of radiusd.conf
> authorize {
>     Autz-Type WLAN {
>         group {
>             mpi-sta {
>                 ok = return
>             }
>             redundant {
>                 LdapUser1
>                 LdapUser2
>             }
>         }
>     }
> }
>
> authenticate {
>     Auth-Type WLAN {
>         mpi-sta {
>             notfound = 1
>         }
>         redundant {
>             LdapUser1
>             LdapUser2
>         }
>     }
> }
> ----
>
> the Auth-Type is set in users according to the huntgroup of the wlan-switch, as
> the perl script does not set Auth-Type (because I did not find any
> documentation on how to set it), so I had to force Auth-Type to WLAN;
> now it works.


It seems a very complicated way of doing something very simple - I
assume I am misunderstanding you.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
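Added example, not code from the thread, from Phil or Markus, or from the FreeRADIUS project: an rlm_perl module that does what Phil describes, enforcing a guest account's validity window in the authorize section only, never touching Auth-Type and leaving the authenticate section to the server's own algorithm detection. It uses the rlm_perl conventions of the FreeRADIUS 1.x example.pl (%RAD_REQUEST, %RAD_CHECK, %RAD_REPLY, the RLM_MODULE_* return codes and radiusd::radlog). Everything else is assumed: the %first_seen hash stands in for the guest table in SQL, the 7-day window is a made-up value, the user names are constructed, and it is assumed the server enforces a check item Expiration written as "Mmm dd yyyy hh:mm:ss".

```perl
#!/usr/bin/perl
# rlm_perl "authorize" hook: a guest account is valid for a fixed number
# of days counted from its first use.  Assumptions (see lead-in): the
# rlm_perl globals from FreeRADIUS 1.x example.pl, an in-memory hash in
# place of the SQL guest table, and server-side enforcement of the
# Expiration check item.
use strict;
use warnings;
use POSIX qw(strftime);

use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

use constant RLM_MODULE_REJECT   => 0;
use constant RLM_MODULE_OK       => 2;
use constant RLM_MODULE_NOTFOUND => 6;
use constant RLM_MODULE_UPDATED  => 8;

# Assumed policy: guest accounts live this many days after first use.
my $VALIDDAYS = 7;

# Constructed stand-in for the SQL guest table: user => epoch of first
# use; 0 means the account was issued but has not logged in yet.
my %first_seen = (
    'guest-alice' => 0,
    'guest-bob'   => time() - 10 * 86400,   # first used 10 days ago
);

# Format an epoch as the server's Expiration date string.  Run under the
# C locale so %b yields English month names.
sub expiration_string {
    my ($epoch) = @_;
    return strftime('%b %d %Y %H:%M:%S', localtime($epoch));
}

# Decision logic kept free of the rlm_perl globals so it can be exercised
# directly: returns (return code, expiry epoch) for $user at time $now.
sub guest_window {
    my ($user, $now) = @_;
    return (RLM_MODULE_NOTFOUND, undef)
        unless defined $user && exists $first_seen{$user};

    # First successful sighting starts the clock.  In production this is
    # an UPDATE on the guest table, better done from post-auth so that a
    # failed password attempt does not start the window.
    $first_seen{$user} = $now if $first_seen{$user} == 0;

    my $expires = $first_seen{$user} + $VALIDDAYS * 86400;
    return (RLM_MODULE_REJECT, $expires) if $now > $expires;
    return (RLM_MODULE_UPDATED, $expires);
}

# Entry point rlm_perl calls from the "authorize" section.
sub authorize {
    my $user = $RAD_REQUEST{'User-Name'};
    my ($code, $expires) = guest_window($user, time());

    if ($code == RLM_MODULE_REJECT) {
        $RAD_REPLY{'Reply-Message'} = 'Guest account has expired';
        &radiusd::radlog(1, "guest $user expired at " . expiration_string($expires));
    } elsif ($code == RLM_MODULE_UPDATED) {
        # Hand the cut-off to the server as a check item.  Auth-Type is
        # not set here; the server still picks the password algorithm.
        $RAD_CHECK{'Expiration'} = expiration_string($expires);
    }
    return $code;
}

# Stand-alone run outside radiusd: stub the logger and simulate requests.
unless (defined &radiusd::radlog) {
    *radiusd::radlog = sub { print STDERR "$_[1]\n" };
    for my $u ('guest-alice', 'guest-bob', 'nosuchguest') {
        %RAD_REQUEST = ('User-Name' => $u);
        %RAD_CHECK   = ();
        %RAD_REPLY   = ();
        my $rc = authorize();
        print "$u => rc=$rc"
            . (exists $RAD_CHECK{'Expiration'} ? " Expiration=$RAD_CHECK{'Expiration'}" : '')
            . (exists $RAD_REPLY{'Reply-Message'} ? " Reply-Message=$RAD_REPLY{'Reply-Message'}" : '')
            . "\n";
    }
}
```

Wired in the way Phil suggests, this module is listed in the authorize section only, ahead of the redundant LDAP lookup, with "updated = return" in place of Markus's "ok = return" (a guest inside its window now returns updated, a user not in the guest table returns notfound so the LDAP modules still run), and it does not appear in authenticate at all. An expired guest is rejected during authorize and never reaches a password check; a valid one carries an Expiration check item, so the server's built-in handling of that attribute covers the day the window closes.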