Re: [Help-gnu-radius] Thanks for your advices!


From: Gerald
Subject: Re: [Help-gnu-radius] Thanks for your advices!
Date: Wed, 17 Nov 2004 13:58:08 -0500 (EST)

On Wed, 17 Nov 2004, Sergey Poznyakoff wrote:

>    the RADIUS server consults a database of users to find the
>    user whose name matches the request.  The user entry in the database
>    contains a list of requirements which must be met to allow access
>    for the user.
>    [...]
>    If any condition is not met, the RADIUS server sends an
>    "Access-Reject" response indicating that this user request is invalid.

If the RADIUS server can't contact the "database" mentioned first in
the gnu-radius users file, there is nothing in the quoted section of
the RFC that says it can't continue to the next entry and attempt
to authenticate the same user until it gets an actual response, and
then fail when all attempts to contact a "database of users" have been
exhausted.

My reading of just the section you posted* would still allow for RADIUS
to distinguish between a select that failed to get a username and a
failed attempt to contact the database.

* You have read and comprehended much more of the RFCs than I can
pretend to know.

Disclaimer: I know I'm guilty here of searching through the words to try
to find what I want it to say. I'm also guilty in this instance of the
time-honored tradition of (some should read this as: the bad habit of)
trying to give more responsibility to radius...but if you'll look beyond
both of those...

> In accordance with that GNU Radius will not try any other authentication
> profiles once the first matching one fails.

I think you are using the word "matching" here to refer to something
different than I am. That's what's changing my expectation of behavior
even though I don't use this feature. Matching a username in the
database is not achieved if the database can't be contacted. Matching a
NAS/RAS "DEFAULT" entry does follow that way of thinking. If RADIUS's
purpose is to authenticate users by some means of credentials, I would
think the user is what we are trying to match.

> It is however possible to override this by implementing an authentication
> method upon some kind of Radius extension.

My advice to Konst is to code wisely with this advice. This will be
fired off for every authentication so don't get too code happy or use a
bloated language.

> Otherwise, it is possible to implement this using Guile extension.

That's just mean. :-) Impressive example, but mean.

Gerald
