TZieleniewski wrote:
the authorize section is the section which defines procedures
responsible for granting a user an access to specific type of service.
For instance if we use sql or files module in authorize section we can
intuitivly imagine that they do some checks about user data.
For instance checks if data are present in the users file or in the data
base.
yes
And then in the authentication section they are for innstance
authenticate with the pap module wich makes the verification between the
data
received from access packet and those taken from the users file or data
base.
yes
but there is another situation a little bit confusing when we for
instance call the chap, mschap or ldap modules in the authorize section
and then
in the authenticate section. Does it work this way that somehow those
modules know that they are invoked in different phases(authorize,
authenticate)
Yes. Taking e.g. "mschap" as an example - during the "authorize" phase,
the module looks at the request and does this:
* IF the ms-chap-challenge and ms-chap-response attributes exist
* THEN set Auth-Type = MS-CHAP
During the "authenticate" phase it says:
* Get ms-chap-challenge
* Get User-Password from "config" items
* Compute correct response
* If corrct == ms-chap-response: ...
and perform different operations according to the needs?? Or for
instance the digest module what those the authorize section really do??
Does it take any data from the users file ?? Or it just check the data
format and stuff??
for instance
authorise {
preprocess
chap
mschap
}
authenticate {
authtype PAP {
pap
}
authtype CHAP {
chap
}
authtype MS-CHAP{
mschap
}
}
I can really get the filling of those authtype declarations in the authenticate
section
Im sure that few words of explanation will make me to understand everything.
Basically, the *algorithm* modules just check to see if they're
applicable to a request during authorize. If they are applicable they
arrange to run themselves again during authenticate, *after* data for
authentication has been added to the request.
Hope that helps
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
