(RADIATOR) Re: Dynamic Authentication / Proxying
Hugh Irvine
hugh at open.com.au
Thu Jan 3 17:29:31 CST 2002
Hello Alex -
On Fri, 4 Jan 2002 08:40, Alex Fritz wrote:
> Hey guys,
> This is going to be a strange one. The company we are setting up a
> radius server for has to have the ability to do a sort of dynamic
> authentication. Let's say they have a user from user@domain.com and they
> want to do AuthBy SQL authentication, but if the person doesn't exist in
> the database then they should be passed through to another server. They
> shouldn't be passed through if they fail authentication.
>
You should be able to do this with an AuthByPolicy of ContinueWhileAccept,
something like this:

# define AuthBy SQL
<AuthBy SQL>
    Identifier CheckDatabase
    .....
    NoDefaultIfFound
    .....
</AuthBy>

# define AuthBy RADIUS
<AuthBy RADIUS>
    Identifier ForwardToProxy
    ......
</AuthBy>

# define Handlers
<Handler User-Name = /^prefix\-/, Realm = domain.com>
    AuthBy ForwardToProxy
    .....
</Handler>

<Handler Realm = domain.com>
    AuthByPolicy ContinueWhileAccept
    AuthBy CheckDatabase
    AuthBy ForwardToProxy
    .....
</Handler>

You will also need an entry in the SQL database for a DEFAULT user:

    DEFAULT Auth-Type = Accept

> They also need the capability to do what they call "Prefix Realms." If a
> user is prefix-user@domain.com then he should be passed through and
> user@domain.com shouldn't be.
>
See the example above.
> I have a feeling that with these there will need to be either some sort of
> custom AuthBy module or a Hook. If that is correct, then let me know, but
> what would be really helpful would be if somebody already has a script that
> will do this or even something similar. Thanks for your time. It's really
> appreciated.
>
You shouldn't need any custom code with the above configuration.
regards
Hugh
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.