Re: a question of philosophy

2002-07-17 Thread
The FreeRADIUS authorization process retrieves the attribute information needed to perform the authentication process. I.e., retrieving a password, setting the auth-type to use CHAP, PAP, EAP, etc. You can't authenticate the user until you know how you are supposed to authenticate them.

Re: a question of philosophy

2002-07-17 Thread Alan DeKok
耀逸 [EMAIL PROTECTED] wrote: So the authorization in FreeRADIUS means gathering the information for authentication, am I right? Yes, but it does more than that, too. It also gathers the authorization information (IP address, etc.) that the server *may* return to the NAS

a question of philosophy

2002-07-16 Thread Vic Abell
I'm new to the RADIUS protocol, just having finished implementing a module for access to a private authentication service. During development one thing struck me as odd: authorization checks are done before the entity being authorized is authenticated. It's been my experience that before an

Re: a question of philosophy

2002-07-16 Thread 3APA3A
Dear Vic Abell, Imagine you're coming to your president's room. Secretary: Do you have an appointment? Mr. Abell: Yes, my name is Vic Abell. The secretary gets your name, looks into the timetable and finds the required record (that's what authorization is). Then she checks time and name are

RE: a question of philosophy

2002-07-16 Thread Vic Abell
ZARAZA writes: Dear Vic Abell, Imagine you're coming to your president's room Secretary: do you have an appointment? Mr. Abell: Yes, my name is Vic Abell In this new and suspicious age, that wouldn't be the exchange. It would be: Secretary: Do you have an appointment? Mr. Abell:

Re[2]: a question of philosophy

2002-07-16 Thread 3APA3A
Dear Vic Abell, --Tuesday, July 16, 2002, 5:53:45 PM, you wrote to [EMAIL PROTECTED]: Secretary: do you have an appointment? Mr. Abell: Yes, my name is Vic Abell VA In this new and suspicious age, that wouldn't be the exchange. VA It would be: VA Secretary: Do you have an appointment? VA

Re: a question of philosophy

2002-07-16 Thread Alan DeKok
Vic Abell [EMAIL PROTECTED] wrote: During development one thing struck me as odd: authorization checks are done before the entity being authorized is authenticated. Yes, by design and intent. It's been my experience that before an entity is authorized it should be asked to prove itself

Re: a question of philosophy

2002-07-16 Thread Alan DeKok
Vic Abell [EMAIL PROTECTED] wrote: I don't think someone should be authorized before the claimed identity has been authenticated. Otherwise authorization might be given to someone falsely claiming an identity. Nonsense. The authorization isn't returned to the caller until after they've

RE: a question of philosophy

2002-07-16 Thread Vic Abell
Alan DeKok writes: Vic Abell [EMAIL PROTECTED] wrote: I don't think someone should be authorized before the claimed identity has been authenticated. Otherwise authorization might be given to someone falsely claiming an identity. Nonsense. The authorization isn't returned to the

Re: a question of philosophy

2002-07-16 Thread Alan DeKok
Vic Abell [EMAIL PROTECTED] wrote: Nonsense. The authorization isn't returned to the caller until after they've been authenticated. No, it's not nonsense. The secretary's telling me that Vic Abell has an appointment gives away potentially useful information. Please read again,

RE: a question of philosophy

2002-07-16 Thread Vic Abell
Alan DeKok writes: Uh, right. Why were you arguing about something you didn't understand? It would have been politer for you to ask HOW it works, rather than claiming it's wrong and insecure, and then back-pedalling when your confusion was corrected. Well I don't think I ever said