mod_auth_radius icon indicating copy to clipboard operation
mod_auth_radius copied to clipboard

Published 20 hours ago verified publisher icon FreeRADIUS

Provide the actual authentication realm to Radius, especially without losing Calling-Station-Id

Open TheNetworkIsDown opened this issue 4 years ago • 2 comments

Overriding Calling-Station-Id (usually the external client IP) in order to convey some more information about the authentication in progress seems like a hack.

It makes more sense to use another attribute to reference the "service" the user is authenticating to, which in this case would be the HTTP basic authentication realm.

It seems sound to use Called-Station-Id. Analogous to the case of e.g. a wireless access point which would present the AP's MAC address the user is connected to in this attribute, in the present use case it could provide the realm the request was directed to.

I have created a patch. Feel free to discuss before I submit a PR.

By default, the realm name (AuthName) configured for mod_auth_basic is used. It can be overriden by specifying "AddRadiusCalledStationID".

This is what the access-request looked like when "AddRadiusCallingStationID" was used previously:

User-Name = "x"
User-Password = "password"
Service-Type = Authenticate-Only
NAS-Identifier = "test.example.com"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "MyServiceName"

I have renamed the parameter to "AddRadiusCalledStationID", and this is the resulting request:

User-Name = "x"
User-Password = "password"
Service-Type = Authenticate-Only
NAS-Identifier = "test.example.com"
NAS-IP-Address = 127.0.0.1
Called-Station-Id = "MyRealm"
Calling-Station-Id = "1.2.3.4"

We could keep "AddRadiusCallingStationID" for backwards compatibility, as you wish.

TheNetworkIsDown avatar Sep 26 '20 16:09 TheNetworkIsDown

I think that change is fine. Can you supply a patch?

alandekok avatar Sep 29 '20 13:09 alandekok

Initial patcher for AddRadiusCallingStationID here.

I'm sorry about the confusion, you are fully justified in referring to this as a "hack"; to explain the history behind it, the need actually came about because of a proprietary implementation of RADIUS that relied on this field to implement a concept of security privilege...

Hence my implementation which dealt with the problem by overriding the default value when explicitly specified, and otherwise maintaining the legacy behavior.

darksoul42 avatar Dec 10 '21 08:12 darksoul42