Provide the actual authentication realm to Radius, especially without losing Calling-Station-Id #47
Comments
|
I think that change is fine. Can you supply a patch? |
|
Initial patcher for AddRadiusCallingStationID here. I'm sorry about the confusion, you are fully justified in referring to this as a "hack"; to explain the history behind it, the need actually came about because of a proprietary implementation of RADIUS that relied on this field to implement a concept of security privilege... Hence my implementation which dealt with the problem by overriding the default value when explicitly specified, and otherwise maintaining the legacy behavior. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Overriding Calling-Station-Id (usually the external client IP) in order to convey some more information about the authentication in progress seems like a hack.
It makes more sense to use another attribute to reference the "service" the user is authenticating to, which in this case would be the HTTP basic authentication realm.
It seems sound to use Called-Station-Id. Analogous to the case of e.g. a wireless access point which would present the AP's MAC address the user is connected to in this attribute, in the present use case it could provide the realm the request was directed to.
I have created a patch. Feel free to discuss before I submit a PR.
By default, the realm name (AuthName) configured for mod_auth_basic is used. It can be overriden by specifying "AddRadiusCalledStationID".
This is what the access-request looked like when "AddRadiusCallingStationID" was used previously:
I have renamed the parameter to "AddRadiusCalledStationID", and this is the resulting request:
We could keep "AddRadiusCallingStationID" for backwards compatibility, as you wish.
The text was updated successfully, but these errors were encountered: