Alan DeKok wrote:
George Beitis wrote:
thank you for your reply.  I am writing up a part of my dissertation and
I'm referring to FreeRADIUS and the RADIUS protocol trying to explain
how it works.

  By accident, mostly.  Like many practical systems, it was built to do
something first, and to have theoretical rigor second.

 From my research, most people use RADIUS for
authentication purposes.  No one gives a clear image of whether or not
they use it for authorization once they have established authentication, so
in other words authentication and authorization become one and the same.

  If the user hasn't been authenticated, he's likely not authorized to
do anything.  So yes, an "authentication succeeded" message most often
includes statements of "you are authorized to do X, Y, and Z".
However, authentication is just the validation of an identity. The user may have multiple identities, any of which could be used to authenticate them. For example, a user connecting physically to a network has already established one identity: that of an on-site user.

We haven't used any fancy directory lookups to establish this; we just know that the packet has come from one of our NAS's, and we trust the NAS not to lie, so that's enough.

Now, normally the fact that the user is on site isn't enough to authorise them for any services, which is where the second level of authentication comes in.

If the computer is being authenticated (and MAC-based authentication is being used), then the MAC will be looked up in a directory of some sort (whether it be a flat file, an LDAP directory or an SQL DB), and that's generally it. The NAS discovers the physical address of the device connected to it; it trusts the device to use the correct physical address (a pretty poor thing to trust), and the RADIUS server trusts the NAS.

If a user is being authenticated, many different schemes can be used. The most cryptographically secure method is EAP-TLS, which relies on an exchange of certificates (if you want to know more, read up on public key encryption). Each party will validate the certificate against the root CA which issued it, and that'll be enough to A) certify that the server is what it claims to be, and B) that the supplicant is who it claims to be.

Now, I mentioned earlier that just being on site is sometimes enough for authorisation to take place. Here we authorise anyone who fails later stages of authentication to use our support service. So even though they fail to authenticate either as a known user or a known computer, they still get access to some resources, as they've been authenticated as being an on-campus user.

So really the 'Authenticate' section in FreeRADIUS is one of those notional things, put there to help people understand what's going on.

Completely off topic, what's the plural of NAS?

I assume it's NAS's.

That's apostrophe, lowercase s.


Hmm, reckon it would be a good idea to start a disambiguation page on the wiki?

Do
you know of any products that can be used with FreeRADIUS to provide
such authorization facilities?  Using perhaps policies?

  FreeRADIUS *does* implement policies which provide authorization
facilities.

  Perhaps you meant to ask another question?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
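As an added example, not part of the thread and not the FreeRADIUS project's own configuration, here is the layered authorisation described above (trust the NAS for the on-site identity, look the device's MAC up in a flat file, authenticate users with EAP-TLS, and give anyone who is only an on-site user the restricted support network) written as a FreeRADIUS 3.x unlang virtual-server fragment. The NAS addresses 192.0.2.10 and 192.0.2.11, the VLAN IDs 100 and 999, and the rlm_files instance named mac_addrs are assumptions for illustration.

```unlang
# Added example, not from the thread or the FreeRADIUS project: a FreeRADIUS
# 3.x virtual-server fragment implementing the layered authorisation the
# post describes. The NAS addresses, VLAN IDs and the "mac_addrs" rlm_files
# instance are assumptions for illustration.

authorize {
    # Layer 1: the "on-site user" identity. It rests only on trusting the
    # NAS: clients.conf has already verified the shared secret, and here we
    # additionally require the request to come from one of our own NAS IPs.
    if (!(&NAS-IP-Address == 192.0.2.10 || &NAS-IP-Address == 192.0.2.11)) {
        reject
    }

    # Layer 2a: MAC-based device authentication. Many NASs signal it with
    # Service-Type = Call-Check and put the MAC in Calling-Station-Id; the
    # RADIUS server cannot verify the MAC itself and simply trusts the NAS.
    if (&Service-Type == Call-Check) {
        # Assumed rlm_files instance keyed on the MAC, e.g. in mods-enabled:
        #   files mac_addrs {
        #       filename = ${modconfdir}/files/mac_addrs
        #       key = "%{Calling-Station-Id}"
        #   }
        mac_addrs
        if (ok || updated) {
            # Known device: accept and place it on the staff VLAN.
            update control {
                &Auth-Type := Accept
            }
            update reply {
                &Tunnel-Type := VLAN
                &Tunnel-Medium-Type := IEEE-802
                &Tunnel-Private-Group-Id := "100"
            }
        }
        else {
            # Unknown device: it still holds the on-site identity, so it is
            # authorised for the restricted support VLAN instead of rejected.
            update control {
                &Auth-Type := Accept
            }
            update reply {
                &Tunnel-Type := VLAN
                &Tunnel-Medium-Type := IEEE-802
                &Tunnel-Private-Group-Id := "999"
                &Reply-Message := "Unknown device: support network only"
            }
        }
        return
    }

    # Layer 2b: user authentication by EAP. The EAP-TLS certificate
    # validation itself happens inside the eap module in authenticate.
    eap
}

authenticate {
    Auth-Type eap {
        eap
    }
}

post-auth {
    # Authorisation for a user whose certificate chained to our CA:
    # EAP-TLS succeeded, so grant the staff VLAN.
    if (&EAP-Type == TLS) {
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "100"
        }
    }
}
```

Two caveats a practitioner will want. The unknown-device fallback works because the decision is taken in authorize, where Auth-Type := Accept can still be set; a user who fails EAP cannot be turned into an Access-Accept from Post-Auth-Type REJECT in FreeRADIUS 3, so "failed users still reach the support service" for EAP clients has to come from the switch's own auth-fail VLAN feature or a MAC-auth fallback on the NAS. And since the NAS trusts whatever MAC the device reports, a spoofed known MAC lands on the staff VLAN, which is exactly the "pretty poor thing to trust" the post points out.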